T1553.002

Code Signing

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Valid signatures can bypass security policies requiring signed code to execute, making this technique effective for defense evasion. Threat actors including FIN7, Scattered Spider, Kimsuky, and Patchwork have all leveraged purchased, stolen, or self-signed certificates to make malicious binaries appear legitimate.

Microsoft Sentinel / Defender

kusto

let SuspiciousSigntoolPatterns = dynamic([
  "/sign", "-sign",
  "/f ", "-f ",
  "/p ", "-p ",
  "/fd ", "-fd ",
  "/tr ", "-tr ",
  "sha256", "sha1"
]);
let CertToolPatterns = dynamic([
  "-addstore", "-addcert",
  "-importpfx", "-p12",
  "MY", "Root", "TrustedPublisher"
]);
// Detection 1: signtool.exe invocations from non-standard parent processes
let SigntoolDetection = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "signtool.exe"
| where ProcessCommandLine has_any (SuspiciousSigntoolPatterns)
| extend SuspiciousParent = InitiatingProcessFileName has_any (
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", 
    "cscript.exe", "mshta.exe", "rundll32.exe", "explorer.exe"
  )
| extend SigningPFX = ProcessCommandLine has_any (".pfx", ".p12")
| extend TimestampServer = ProcessCommandLine has "/tr" or ProcessCommandLine has "-tr"
| extend SelfSigned = ProcessCommandLine !has "/tr" and ProcessCommandLine !has "-tr"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         SuspiciousParent, SigningPFX, TimestampServer, SelfSigned
| extend DetectionType = "SigntoolExecution";
// Detection 2: certutil importing certificates into trusted stores
let CertutilDetection = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any (CertToolPatterns)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "CertutilCertImport"
| extend SuspiciousParent = InitiatingProcessFileName has_any (
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"
  )
| extend SigningPFX = ProcessCommandLine has_any (".pfx", ".p12")
| extend TimestampServer = false
| extend SelfSigned = false;
// Detection 3: pfx/p12 certificate files created in suspicious locations
let CertFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".pfx" or FileName endswith ".p12" or FileName endswith ".cer" or FileName endswith ".crt"
| where FolderPath has_any ("Temp", "Downloads", "AppData\\Local", "AppData\\Roaming", "Users\\Public", "ProgramData")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "SuspiciousCertFileCreation"
| extend SuspiciousParent = true
| extend SigningPFX = true
| extend TimestampServer = false
| extend SelfSigned = false
| project-rename AccountName = InitiatingProcessAccountName;
// Detection 4: Registry modifications to trusted publisher or root CA stores
let CertStoreModification = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (
    "ROOT\\Certificates",
    "TrustedPublisher\\Certificates",
    "AuthRoot\\Certificates",
    "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT",
    "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPublisher"
  )
| project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "CertStoreRegistryMod"
| extend SuspiciousParent = InitiatingProcessFileName !in~ ("certutil.exe", "mmc.exe", "wuauclt.exe", "TrustedInstaller.exe", "svchost.exe")
| extend SigningPFX = false
| extend TimestampServer = false
| extend SelfSigned = false
| project-rename AccountName = InitiatingProcessAccountName;
union isfuzzy=true SigntoolDetection, CertutilDetection, CertStoreModification
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents DeviceRegistryEvents

False Positives

Legitimate software developers signing their builds using signtool.exe in CI/CD pipelines (Azure DevOps, Jenkins build agents) — parent processes may be cmd.exe or powershell.exe in these environments
Certificate authority and PKI administrators importing new root or intermediate CA certificates via certutil.exe or mmc.exe as part of enterprise PKI management
Software installers bundled with vendor-signed binaries that import product-specific root certificates during installation (e.g., corporate VPN clients, enterprise security products)
Automated patch management solutions (WSUS, SCCM) that update trusted root certificate stores as part of Windows Update processes
Security scanning tools that create temporary certificate files when testing SSL/TLS configurations

Splunk

spl

index=wineventlog (
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR (sourcetype="WinEventLog:Security" EventCode=4688)
)
| eval Process=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval ParentProcess=coalesce(ParentImage, ParentProcessName)
| eval LowerCmdLine=lower(CommandLine)
| eval LowerProcess=lower(Process)
(
  [
    search sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    | eval LowerProcess=lower(Image)
    | where match(LowerProcess, "(signtool\.exe|certutil\.exe)")
  ]
  OR
  [
    search sourcetype="WinEventLog:Security" EventCode=4688
    | eval LowerProcess=lower(NewProcessName)
    | where match(LowerProcess, "(signtool\.exe|certutil\.exe)")
  ]
)
| eval IsSigntool=if(match(LowerProcess, "signtool\.exe"), 1, 0)
| eval IsCertutil=if(match(LowerProcess, "certutil\.exe"), 1, 0)
| eval SigntoolSignCmd=if(IsSigntool=1 AND match(LowerCmdLine, "(\\-sign|/sign)"), 1, 0)
| eval CertImport=if(IsCertutil=1 AND match(LowerCmdLine, "(\-addstore|\-addcert|\-importpfx|\-p12)"), 1, 0)
| eval TrustedStoreTarget=if(IsCertutil=1 AND match(LowerCmdLine, "(root|trustedpublisher|authroot)"), 1, 0)
| eval HasPFX=if(match(LowerCmdLine, "(\.pfx|\.p12)"), 1, 0)
| eval SelfSigned=if(IsSigntool=1 AND NOT match(LowerCmdLine, "(\-tr|/tr)"), 1, 0)
| eval SuspiciousParent=if(match(lower(ParentProcess), "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|explorer\.exe)"), 1, 0)
| eval RiskScore=SigntoolSignCmd + CertImport + TrustedStoreTarget + HasPFX + SelfSigned + SuspiciousParent
| where RiskScore > 0
| eval User=coalesce(User, SubjectUserName)
| table _time, host, User, Process, CommandLine, ParentProcess,
        IsSigntool, IsCertutil, SigntoolSignCmd, CertImport, TrustedStoreTarget,
        HasPFX, SelfSigned, SuspiciousParent, RiskScore
| sort - _time
| appendcols
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
   (TargetFilename="*.pfx" OR TargetFilename="*.p12" OR TargetFilename="*.cer")
   (TargetFilename="*\\Temp\\*" OR TargetFilename="*\\Downloads\\*" OR TargetFilename="*AppData*" OR TargetFilename="*\\Public\\*")
  | eval DetectionType="SuspiciousCertFileCreation"
  | table _time, host, User, Image, TargetFilename, DetectionType
  | rename Image as Process, TargetFilename as CommandLine]

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Developer build pipelines invoking signtool.exe from PowerShell or cmd.exe as part of automated release processes on build agents
Enterprise PKI administrators importing intermediate CA or root certificates via certutil.exe for corporate certificate hierarchy management
Software vendor installers that embed and register product-specific certificates during installation sequences
Windows Update and WSUS processes that silently update the trusted root CA store via svchost.exe — this should be excluded by the SuspiciousParent filter but may require tuning

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   (process.name : "signtool.exe" or process.name : "certutil.exe") and
   (
     (process.name : "signtool.exe" and process.args : ("/sign", "-sign", "/f", "-f", "/p", "-p", "/fd", "-fd", "/tr", "-tr", "sha256", "sha1")) or
     (process.name : "certutil.exe" and process.args : ("-addstore", "-addcert", "-importpfx", "-p12", "MY", "Root", "TrustedPublisher"))
   )
  ] by process.pid
| where process.parent.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "explorer.exe")

any where event.category == "file" and
  file.extension : ("pfx", "p12", "cer", "crt") and
  file.path : ("*\\Temp\\*", "*\\Downloads\\*", "*\\AppData\\Local\\*", "*\\AppData\\Roaming\\*", "*\\Users\\Public\\*", "*\\ProgramData\\*")

any where event.category == "registry" and
  event.type == "change" and
  registry.path : (
    "*\\ROOT\\Certificates\\*",
    "*\\TrustedPublisher\\Certificates\\*",
    "*\\AuthRoot\\Certificates\\*",
    "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\*",
    "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPublisher\\*"
  ) and
  not process.name : ("certutil.exe", "mmc.exe", "wuauclt.exe", "TrustedInstaller.exe", "svchost.exe")

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-endpoint.events.registry-* winlogbeat-*

False Positives

Legitimate software developers using signtool.exe to sign internal binaries during build pipelines — especially if the parent process is a CI/CD agent like jenkins.exe or msbuild.exe
IT administrators importing enterprise CA certificates into trusted stores using certutil.exe as part of MDM or Group Policy certificate deployment
Antivirus or endpoint security tools that create .pfx or .cer files during certificate pinning or local proxy inspection setup

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  username,
  sourceip,
  "Process Name",
  "Command Line",
  "Parent Process Name",
  CASE
    WHEN LOWER("Process Name") LIKE '%signtool.exe%'
     AND (LOWER("Command Line") LIKE '% /sign%' OR LOWER("Command Line") LIKE '% -sign%'
          OR LOWER("Command Line") LIKE '% /f %' OR LOWER("Command Line") LIKE '% /tr %'
          OR LOWER("Command Line") LIKE '%sha256%')
    THEN 'SigntoolSigning'
    WHEN LOWER("Process Name") LIKE '%certutil.exe%'
     AND (LOWER("Command Line") LIKE '%-addstore%' OR LOWER("Command Line") LIKE '%-addcert%'
          OR LOWER("Command Line") LIKE '%-importpfx%' OR LOWER("Command Line") LIKE '%-p12%')
    THEN 'CertutilImport'
    WHEN (LOWER("File Path") LIKE '%.pfx' OR LOWER("File Path") LIKE '%.p12' OR LOWER("File Path") LIKE '%.cer')
     AND (LOWER("File Path") LIKE '%\\temp\\%' OR LOWER("File Path") LIKE '%\\downloads\\%' OR LOWER("File Path") LIKE '%appdata%')
    THEN 'SuspiciousCertFileCreation'
    WHEN LOWER("Registry Key") LIKE '%\\root\\certificates%'
      OR LOWER("Registry Key") LIKE '%\\trustedpublisher\\certificates%'
      OR LOWER("Registry Key") LIKE '%systemcertificates\\root%'
    THEN 'CertStoreRegistryMod'
    ELSE 'Unknown'
  END AS detection_type,
  CASE
    WHEN LOWER("Parent Process Name") IN ('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','explorer.exe')
    THEN 1 ELSE 0
  END AS suspicious_parent,
  CASE
    WHEN LOWER("Command Line") LIKE '%.pfx%' OR LOWER("Command Line") LIKE '%.p12%'
    THEN 1 ELSE 0
  END AS has_pfx,
  CASE
    WHEN LOWER("Process Name") LIKE '%signtool.exe%'
     AND LOWER("Command Line") NOT LIKE '%/tr%' AND LOWER("Command Line") NOT LIKE '%-tr%'
    THEN 1 ELSE 0
  END AS self_signed
FROM events
WHERE
  devicetime > (NOW() - 86400000)
  AND (
    (LOWER("Process Name") LIKE '%signtool.exe%' AND
      (LOWER("Command Line") LIKE '% /sign%' OR LOWER("Command Line") LIKE '% -sign%'
       OR LOWER("Command Line") LIKE '%sha256%' OR LOWER("Command Line") LIKE '%/tr%'))
    OR
    (LOWER("Process Name") LIKE '%certutil.exe%' AND
      (LOWER("Command Line") LIKE '%-addstore%' OR LOWER("Command Line") LIKE '%-addcert%'
       OR LOWER("Command Line") LIKE '%-importpfx%' OR LOWER("Command Line") LIKE '%trustedpublisher%'
       OR LOWER("Command Line") LIKE '%-p12%'))
    OR
    ((LOWER("File Path") LIKE '%.pfx' OR LOWER("File Path") LIKE '%.p12' OR LOWER("File Path") LIKE '%.cer')
     AND (LOWER("File Path") LIKE '%\\temp\\%' OR LOWER("File Path") LIKE '%\\downloads\\%'
          OR LOWER("File Path") LIKE '%appdata%' OR LOWER("File Path") LIKE '%\\public\\%'))
    OR
    (LOWER("Registry Key") LIKE '%root\\certificates%'
     OR LOWER("Registry Key") LIKE '%trustedpublisher\\certificates%'
     OR LOWER("Registry Key") LIKE '%authroot\\certificates%')
  )
ORDER BY devicetime DESC
LIMIT 1000

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log (4688) Sysmon via QRadar DSM

Required Tables

events

False Positives

Enterprise software packaging teams running signtool.exe as part of automated build and release pipelines, especially from build servers where explorer.exe or cmd.exe may be the parent
Certificate Lifecycle Management (CLM) tools such as Venafi or DigiCert KeyLocker that programmatically import PFX bundles into the Windows certificate store
Windows Update (wuauclt.exe) and WSUS deployments that occasionally write to the AuthRoot and ROOT certificate stores as part of scheduled root certificate updates

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| where (%"EventID" = "1" OR %"EventID" = "4688" OR %"EventID" = "11" OR %"EventID" = "12" OR %"EventID" = "13")
| parse field=%"EventData" "<Data Name='Image'>*</Data>" as process_image nodrop
| parse field=%"EventData" "<Data Name='NewProcessName'>*</Data>" as new_process_name nodrop
| parse field=%"EventData" "<Data Name='CommandLine'>*</Data>" as command_line nodrop
| parse field=%"EventData" "<Data Name='ParentImage'>*</Data>" as parent_image nodrop
| parse field=%"EventData" "<Data Name='ParentProcessName'>*</Data>" as parent_process nodrop
| parse field=%"EventData" "<Data Name='TargetFilename'>*</Data>" as target_filename nodrop
| parse field=%"EventData" "<Data Name='TargetObject'>*</Data>" as registry_key nodrop
| eval process = coalesce(process_image, new_process_name)
| eval parent = coalesce(parent_image, parent_process)
| eval proc_lower = toLowerCase(process)
| eval cmd_lower = toLowerCase(command_line)
| eval parent_lower = toLowerCase(parent)
| eval is_signtool = if(proc_lower matches ".*signtool\.exe.*", 1, 0)
| eval is_certutil = if(proc_lower matches ".*certutil\.exe.*", 1, 0)
| eval signtool_sign = if(is_signtool = 1 AND (cmd_lower matches ".*(\-sign|/sign).*"), 1, 0)
| eval cert_import = if(is_certutil = 1 AND (cmd_lower matches ".*(-addstore|-addcert|-importpfx|-p12).*"), 1, 0)
| eval trusted_store_target = if(is_certutil = 1 AND (cmd_lower matches ".*(root|trustedpublisher|authroot).*"), 1, 0)
| eval has_pfx = if(cmd_lower matches ".*(\.pfx|\.p12).*", 1, 0)
| eval self_signed = if(is_signtool = 1 AND !(cmd_lower matches ".*(\-tr|/tr).*"), 1, 0)
| eval suspicious_parent = if(parent_lower matches ".*(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|explorer\.exe).*", 1, 0)
| eval cert_file_drop = if(target_filename matches ".*\.(pfx|p12|cer|crt)$" AND (target_filename matches ".*(temp|downloads|appdata|public|programdata).*"), 1, 0)
| eval cert_store_mod = if(registry_key matches ".*(ROOT\\Certificates|TrustedPublisher\\Certificates|AuthRoot\\Certificates|SystemCertificates\\ROOT|SystemCertificates\\TrustedPublisher).*", 1, 0)
| eval detection_type = if(signtool_sign = 1, "SigntoolSigning",
    if(cert_import = 1, "CertutilImport",
      if(cert_file_drop = 1, "SuspiciousCertFileCreation",
        if(cert_store_mod = 1, "CertStoreRegistryMod", "Unknown"))))
| eval risk_score = signtool_sign + cert_import + trusted_store_target + has_pfx + self_signed + suspicious_parent + cert_file_drop + cert_store_mod
| where risk_score > 0
| fields _messageTime, %"Computer", %"User", process, command_line, parent, detection_type,
         signtool_sign, cert_import, trusted_store_target, has_pfx, self_signed,
         suspicious_parent, cert_file_drop, cert_store_mod, risk_score
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Continuous Intelligence Platform Windows Sysmon (via Sumo Logic collector) Windows Security Event Log

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Automated DevSecOps pipelines using signtool.exe to sign application artifacts — frequently triggered from build agent processes that may resemble suspicious parents such as cmd.exe or powershell.exe
PKI administrators using certutil.exe to distribute enterprise intermediate or root CA certificates to managed endpoints during certificate rollover events
Third-party VPN or SSL inspection products that generate .pfx or .p12 files in AppData or ProgramData directories as part of client certificate provisioning

Google Chronicle / SecOps

yaral

rule t1553_002_code_signing_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1553.002 Code Signing abuse: signtool.exe/certutil.exe signing or cert import activity, suspicious cert file creation, and certificate trust store registry modifications"
    severity = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1553.002"
    reference = "https://attack.mitre.org/techniques/T1553/002/"
    version = "1.0"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.target.process.file.full_path, `(?i)signtool\.exe$`)
        or re.regex($e.target.process.file.full_path, `(?i)certutil\.exe$`)
      )
      and (
        re.regex($e.target.process.command_line, `(?i)(\-sign|/sign|/f |\-f |/p |\-p |/fd |\-fd |/tr |\-tr |sha256|sha1|\-addstore|\-addcert|\-importpfx|\-p12|trustedpublisher|authroot)`)
      )
    )
    or
    (
      $e.metadata.event_type = "FILE_CREATION"
      and re.regex($e.target.file.full_path, `(?i)\.(pfx|p12|cer|crt)$`)
      and re.regex($e.target.file.full_path, `(?i)(\\Temp\\|\\Downloads\\|\\AppData\\Local\\|\\AppData\\Roaming\\|\\Users\\Public\\|\\ProgramData\\)`)
    )
    or
    (
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
      and re.regex($e.target.registry.registry_key, `(?i)(ROOT\\Certificates|TrustedPublisher\\Certificates|AuthRoot\\Certificates|SystemCertificates\\ROOT|SystemCertificates\\TrustedPublisher)`)
      and not re.regex($e.principal.process.file.full_path, `(?i)(certutil\.exe|mmc\.exe|wuauclt\.exe|TrustedInstaller\.exe|svchost\.exe)$`)
    )

  match:
    $e.principal.hostname over 5m

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Google Chronicle Unified Data Model (UDM) Windows Sysmon forwarded via Chronicle ingestion Microsoft Defender for Endpoint via Chronicle connector

Required Tables

udm_events

False Positives

Software vendors running internal code signing pipelines where signtool.exe is invoked from build orchestration scripts (powershell.exe or cmd.exe parent) on dedicated signing servers
Enterprise PKI teams using certutil.exe to deploy root CA certificates across the organization — will trigger the CertutilImport and trusted store patterns
Security tools such as SSL inspection proxies or endpoint DLP agents that write certificate files to AppData or ProgramData as part of HTTPS interception setup

CrowdStrike LogScale (CQL)

cql

// Detection 1: signtool.exe and certutil.exe signing/import activity
#event_simpleName = ProcessRollup2
| FileName = /(?i)^(signtool|certutil)\.exe$/
| CommandLine = /(?i)(\-sign|\/sign|\/f |\-f |\/p |\-p |\/fd |\-fd |\/tr |\-tr |sha256|sha1|\-addstore|\-addcert|\-importpfx|\-p12|trustedpublisher|authroot)/
| ParentBaseFileName = /(?i)^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|explorer)\.exe$/
| eval IsSigntool = if(lower(FileName) = "signtool.exe", "true", "false")
| eval IsCertutil = if(lower(FileName) = "certutil.exe", "true", "false")
| eval HasPFX = if(CommandLine = /(?i)(\.(pfx|p12))/, "true", "false")
| eval SelfSigned = if(lower(FileName) = "signtool.exe" and CommandLine != /(?i)(\-tr|\/tr)/, "true", "false")
| eval DetectionType = if(IsSigntool = "true", "SigntoolSigning", "CertutilImport")
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, IsSigntool, IsCertutil, HasPFX, SelfSigned, DetectionType])
| sort(timestamp, order=desc)

// Detection 2: Certificate file creation in suspicious paths (use union or run separately)
// #event_simpleName = /^(NewExecutableWritten|PeFileWritten|GenericFileWritten)$/
// | TargetFileName = /(?i)\.(pfx|p12|cer|crt)$/
// | TargetFileName = /(?i)(\\Temp\\|\\Downloads\\|\\AppData\\Local|\\AppData\\Roaming|Users\\Public|ProgramData)/
// | table([timestamp, ComputerName, UserName, FileName, TargetFileName])

// Detection 3: Registry writes to certificate trust stores
// #event_simpleName = /^(RegGenericValueUpdate|RegistryOperationCreate)$/
// | RegObjectName = /(?i)(ROOT\\Certificates|TrustedPublisher\\Certificates|AuthRoot\\Certificates|SystemCertificates\\ROOT|SystemCertificates\\TrustedPublisher)/
// | FileName != /(?i)^(certutil|mmc|wuauclt|TrustedInstaller|svchost)\.exe$/
// | table([timestamp, ComputerName, UserName, FileName, RegObjectName, RegValueName])

high severity high confidence

Data Sources

CrowdStrike Falcon Platform CrowdStrike LogScale (Humio) Falcon Sensor telemetry (ProcessRollup2, RegGenericValueUpdate, NewExecutableWritten)

Required Tables

ProcessRollup2 NewExecutableWritten RegGenericValueUpdate RegistryOperationCreate

False Positives

Developer workstations or CI build agents where signtool.exe is routinely called from powershell.exe or cmd.exe as part of standard application signing workflows — common in Microsoft-ecosystem software shops
Managed endpoint environments where certutil.exe is scripted by SCCM or Intune to import enterprise certificates into TrustedPublisher or ROOT stores during device provisioning
CrowdStrike Falcon sensor itself or other EDR tools that may write certificate files to AppData during SSL inspection or agent update operations

Last updated: 2026-04-13 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1553.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1553Subvert Trust Controls

Related Sub-techniques

T1553.001Gatekeeper Bypass T1553.003SIP and Trust Provider Hijacking T1553.004Install Root Certificate T1553.005Mark-of-the-Web Bypass T1553.006Code Signing Policy Modification

Code Signing

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections