T1036.001 Google Chronicle · YARA-L

Detect Invalid Code Signature in Google Chronicle

Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files. Unlike Code Signing (T1553.002), this activity will not result in a valid signature.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.001 Invalid Code Signature
Canonical reference
https://attack.mitre.org/techniques/T1036/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule invalid_code_signature_t1036_001 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects process execution or image load events where a code signature is present but in an invalid, expired, revoked, or untrusted state, indicating potential T1036.001 masquerading activity."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.001"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1036/001/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.authenticode_hash.sha256 != ""
    $e.target.process.file.pe.signature_present = true
    $e.target.process.file.pe.is_signed = true
    (
      $e.target.process.file.pe.signature_type = "INVALID" or
      $e.target.process.file.pe.signature_type = "EXPIRED" or
      $e.target.process.file.pe.signature_type = "REVOKED" or
      $e.target.process.file.pe.signature_type = "UNTRUSTED"
    )
    $e.target.process.file.pe.issuer != ""
    not $e.principal.hostname = ""

    $host = $e.principal.hostname
    $image = $e.target.process.file.full_path
    $signer = $e.target.process.file.pe.issuer
    $sigstate = $e.target.process.file.pe.signature_type

  condition:
    $e
}
high severity medium confidence

Chronicle YARA-L 2.0 rule detecting process launch events where the target binary carries an authenticode signature that is present but invalid, expired, revoked, or untrusted. Uses UDM PE metadata fields to identify files impersonating legitimately signed binaries.

Data Sources

Chronicle UDM (via Windows Sysmon Forwarder)Chronicle UDM (via Microsoft Defender for Endpoint ingestion)Chronicle UDM (via CrowdStrike Falcon ingestion)

Required Tables

PROCESS_LAUNCH UDM events with PE metadata

False Positives & Tuning

  • Enterprise internal applications signed with a corporate root CA certificate that is not trusted by the global CA store used for validation in the UDM enrichment pipeline
  • Legitimate software distributed via internal package management (e.g., Chocolatey, SCCM) where certificate expiry predates the detection window
  • Penetration testing tools or red team frameworks intentionally loaded with test or self-signed certificates as part of authorized security exercises
Download portable Sigma rule (.yml)

Other platforms for T1036.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Sign Binary with Invalid Self-Signed Certificate

    Expected signal: Sysmon Event ID 7: ImageLoaded with SignatureStatus=Untrusted and Signature containing 'Microsoft Corporation'. Process creation event for test_signed.exe.

  2. Test 2Copy Signature Metadata with SigThief

    Expected signal: Sysmon Event ID 1: Process creation for PowerShell examining signature metadata. File creation events for both binaries in temp directory.

  3. Test 3Execute Binary with Expired Certificate (Simulated)

    Expected signal: PowerShell ScriptBlock Logging Event ID 4104 showing certificate creation. Sysmon Event ID 1 for PowerShell process.

Last updated: 2026-04-16 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1036.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.005Match Legitimate Resource Name or LocationT1036.006Space after FilenameT1036.007Double File ExtensionT1036.008Masquerade File TypeT1036.009Break Process TreesT1036.010Masquerade Account NameT1036.011Overwrite Process ArgumentsT1036.012Browser Fingerprint

Related Techniques

T1036MasqueradingT1553.002Code SigningT1553.006Code Signing Policy ModificationT1036.005Match Legitimate Resource Name or LocationT1027Obfuscated Files or InformationT1588.003Code Signing Certificates

Same Tactic: Defense Evasion

Popular Detections