T1553.002 Microsoft Sentinel · KQL

Detect Code Signing in Microsoft Sentinel

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Valid signatures can bypass security policies requiring signed code to execute, making this technique effective for defense evasion. Threat actors including FIN7, Scattered Spider, Kimsuky, and Patchwork have all leveraged purchased, stolen, or self-signed certificates to make malicious binaries appear legitimate.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1553 Subvert Trust Controls
Sub-technique
T1553.002 Code Signing
Canonical reference
https://attack.mitre.org/techniques/T1553/002/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousSigntoolPatterns = dynamic([
  "/sign", "-sign",
  "/f ", "-f ",
  "/p ", "-p ",
  "/fd ", "-fd ",
  "/tr ", "-tr ",
  "sha256", "sha1"
]);
let CertToolPatterns = dynamic([
  "-addstore", "-addcert",
  "-importpfx", "-p12",
  "MY", "Root", "TrustedPublisher"
]);
// Detection 1: signtool.exe invocations from non-standard parent processes
let SigntoolDetection = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "signtool.exe"
| where ProcessCommandLine has_any (SuspiciousSigntoolPatterns)
| extend SuspiciousParent = InitiatingProcessFileName has_any (
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", 
    "cscript.exe", "mshta.exe", "rundll32.exe", "explorer.exe"
  )
| extend SigningPFX = ProcessCommandLine has_any (".pfx", ".p12")
| extend TimestampServer = ProcessCommandLine has "/tr" or ProcessCommandLine has "-tr"
| extend SelfSigned = ProcessCommandLine !has "/tr" and ProcessCommandLine !has "-tr"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         SuspiciousParent, SigningPFX, TimestampServer, SelfSigned
| extend DetectionType = "SigntoolExecution";
// Detection 2: certutil importing certificates into trusted stores
let CertutilDetection = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any (CertToolPatterns)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "CertutilCertImport"
| extend SuspiciousParent = InitiatingProcessFileName has_any (
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"
  )
| extend SigningPFX = ProcessCommandLine has_any (".pfx", ".p12")
| extend TimestampServer = false
| extend SelfSigned = false;
// Detection 3: pfx/p12 certificate files created in suspicious locations
let CertFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".pfx" or FileName endswith ".p12" or FileName endswith ".cer" or FileName endswith ".crt"
| where FolderPath has_any ("Temp", "Downloads", "AppData\\Local", "AppData\\Roaming", "Users\\Public", "ProgramData")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "SuspiciousCertFileCreation"
| extend SuspiciousParent = true
| extend SigningPFX = true
| extend TimestampServer = false
| extend SelfSigned = false
| project-rename AccountName = InitiatingProcessAccountName;
// Detection 4: Registry modifications to trusted publisher or root CA stores
let CertStoreModification = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (
    "ROOT\\Certificates",
    "TrustedPublisher\\Certificates",
    "AuthRoot\\Certificates",
    "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT",
    "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPublisher"
  )
| project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "CertStoreRegistryMod"
| extend SuspiciousParent = InitiatingProcessFileName !in~ ("certutil.exe", "mmc.exe", "wuauclt.exe", "TrustedInstaller.exe", "svchost.exe")
| extend SigningPFX = false
| extend TimestampServer = false
| extend SelfSigned = false
| project-rename AccountName = InitiatingProcessAccountName;
union isfuzzy=true SigntoolDetection, CertutilDetection, CertStoreModification
| sort by Timestamp desc
high severity medium confidence

Detects code signing certificate abuse across four detection surfaces: (1) signtool.exe invocations from scripting engines or suspicious parent processes that may indicate automated signing of malicious payloads; (2) certutil.exe importing PFX/P12 certificates or modifying trusted stores; (3) certificate files (.pfx/.p12/.cer) created in user-writable temporary directories; (4) direct registry modifications to Windows trusted root CA or trusted publisher certificate stores. Uses DeviceProcessEvents, DeviceFileEvents, and DeviceRegistryEvents tables from Microsoft Defender for Endpoint.

Data Sources

Process: Process CreationFile: File CreationWindows Registry: Windows Registry Key ModificationMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceFileEventsDeviceRegistryEvents

False Positives & Tuning

  • Legitimate software developers signing their builds using signtool.exe in CI/CD pipelines (Azure DevOps, Jenkins build agents) — parent processes may be cmd.exe or powershell.exe in these environments
  • Certificate authority and PKI administrators importing new root or intermediate CA certificates via certutil.exe or mmc.exe as part of enterprise PKI management
  • Software installers bundled with vendor-signed binaries that import product-specific root certificates during installation (e.g., corporate VPN clients, enterprise security products)
  • Automated patch management solutions (WSUS, SCCM) that update trusted root certificate stores as part of Windows Update processes
  • Security scanning tools that create temporary certificate files when testing SSL/TLS configurations
Download portable Sigma rule (.yml)

Other platforms for T1553.002

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create and Use a Self-Signed Code Signing Certificate

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with New-SelfSignedCertificate in command line. Sysmon Event ID 1: Process Create for signtool.exe with command line containing '/sign', '/f', '.pfx', '/fd sha256', and the target binary path. Sysmon Event ID 11: File creation events for df00tech-codesign.pfx and df00tech-test.exe in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 with the New-SelfSignedCertificate and Export-PfxCertificate commands.

  2. Test 2Import Self-Signed Certificate into Trusted Publishers Store

    Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with CommandLine containing '-addstore TrustedPublisher'. Sysmon Event ID 11: File creation for df00tech-publisher.cer in %TEMP%. Sysmon Event ID 13 (Registry Value Set): new value under HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\ keyed by the certificate thumbprint. PowerShell ScriptBlock Log Event ID 4104 for the New-SelfSignedCertificate commands.

  3. Test 3Verify Signed Binary Execution Trust (Authenticode Check Bypass Simulation)

    Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with '-addstore -user TrustedPublisher'. Sysmon Event ID 11: File creation events for df00tech-sign-test.cer and df00tech-payload.ps1 in %TEMP%. Sysmon Event ID 13: Registry modification under HKCU\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates (user-store variant). PowerShell ScriptBlock Log Event ID 4104 for Set-AuthenticodeSignature cmdlet execution.

  4. Test 4macOS Ad-Hoc Code Signing

    Expected signal: macOS Unified Log: codesign process execution with '--sign -' arguments visible in process audit logs. Endpoint Security Framework events for ES_EVENT_TYPE_NOTIFY_EXEC when codesign runs. Security.framework log entries in /var/log/system.log for code signing operations. If EDR is present (CrowdStrike, SentinelOne): process creation event for codesign with suspicious ad-hoc signing arguments. spctl execution generates Gatekeeper assessment log entries in /var/log/system.log.

Last updated: 2026-04-13 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1553.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1553Subvert Trust Controls

Related Sub-techniques

T1553.001Gatekeeper BypassT1553.003SIP and Trust Provider HijackingT1553.004Install Root CertificateT1553.005Mark-of-the-Web BypassT1553.006Code Signing Policy Modification

Related Techniques

T1553Subvert Trust ControlsT1553.001Gatekeeper BypassT1553.004Install Root CertificateT1036.001Invalid Code SignatureT1036MasqueradingT1195.002Compromise Software Supply ChainT1027Obfuscated Files or InformationT1574Hijack Execution FlowT1059.001PowerShell

Same Tactic: Defense Evasion

Popular Detections