Detect Invalid Code Signature in Sumo Logic CSE
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files. Unlike Code Signing (T1553.002), this activity will not result in a valid signature.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.001 Invalid Code Signature
- Canonical reference
- https://attack.mitre.org/techniques/T1036/001/
Sumo Detection Query
_sourceCategory=windows/sysmon OR _sourceCategory=OS/Windows/Sysmon
| where EventID = "7"
| json field=_raw "SignatureStatus", "Signature", "Signed", "Image", "Computer", "User", "CommandLine" nodrop
| where !isNull(Signature) AND Signature != "?" AND Signature != ""
| where SignatureStatus in ("Invalid", "Expired", "Revoked", "Untrusted")
| eval SignedButInvalid = if(SignatureStatus in ("Invalid", "Expired", "Revoked", "Untrusted"), 1, 0)
| where SignedButInvalid = 1
| stats count as Executions, values(SignatureStatus) as SigStatus, dcount(Computer) as Hosts by Image, Signature, Signed
| where Executions < 10
| sort by Executions descSumo Logic CSE query detecting Sysmon Event ID 7 (Image Load) events where the binary has a code signature present but that signature is in an invalid state. Low execution counts (< 10) are prioritized to surface targeted or novel malware masquerading as signed software.
Data Sources
Required Tables
False Positives & Tuning
- Beta or release candidate builds from legitimate vendors that are shipped with pre-production or test code signatures not yet validated by the CA
- Forensic investigation tools or incident response utilities that carry expired signatures from the vendor due to infrequent update cycles
- Dual-use security research tools (e.g., Sysinternals variants or custom audit tools) distributed informally within the organization without re-signing
Other platforms for T1036.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Sign Binary with Invalid Self-Signed Certificate
Expected signal: Sysmon Event ID 7: ImageLoaded with SignatureStatus=Untrusted and Signature containing 'Microsoft Corporation'. Process creation event for test_signed.exe.
- Test 2Copy Signature Metadata with SigThief
Expected signal: Sysmon Event ID 1: Process creation for PowerShell examining signature metadata. File creation events for both binaries in temp directory.
- Test 3Execute Binary with Expired Certificate (Simulated)
Expected signal: PowerShell ScriptBlock Logging Event ID 4104 showing certificate creation. Sysmon Event ID 1 for PowerShell process.
References (6)
- https://attack.mitre.org/techniques/T1036/001/
- https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
- https://github.com/secretsquirrel/SigThief
- https://learn.microsoft.com/en-us/sysinternals/downloads/sigcheck
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.001/T1036.001.md
- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
Unlock Pro Content
Get the full detection package for T1036.001 including response playbook, investigation guide, and atomic red team tests.