Detect Code Signing in Sumo Logic CSE
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. A valid signature attests that a binary comes from a particular developer and has not been modified since it was signed, so signed malware can pass policies that require signed code to execute, making this technique effective for defense evasion. Threat actors including FIN7, Scattered Spider, Kimsuky, and Patchwork have all leveraged purchased, stolen, or self-signed certificates to make malicious binaries appear legitimate.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1553 Subvert Trust Controls
- Sub-technique
- T1553.002 Code Signing
- Canonical reference
- https://attack.mitre.org/techniques/T1553/002/
Sumo Detection Query
(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
// Sysmon 1 (process create), 11 (file create), 12/13 (registry key/value) and Security 4688 (process create)
| where (_sourceCategory="windows/sysmon" AND (%"EventID" = "1" OR %"EventID" = "11" OR %"EventID" = "12" OR %"EventID" = "13"))
    OR (_sourceCategory="windows/security" AND %"EventID" = "4688")
| parse field=%"EventData" "<Data Name='Image'>*</Data>" as process_image nodrop
| parse field=%"EventData" "<Data Name='NewProcessName'>*</Data>" as new_process_name nodrop
| parse field=%"EventData" "<Data Name='CommandLine'>*</Data>" as command_line nodrop
| parse field=%"EventData" "<Data Name='ParentImage'>*</Data>" as parent_image nodrop
| parse field=%"EventData" "<Data Name='ParentProcessName'>*</Data>" as parent_process nodrop
| parse field=%"EventData" "<Data Name='TargetFilename'>*</Data>" as target_filename nodrop
| parse field=%"EventData" "<Data Name='TargetObject'>*</Data>" as registry_key nodrop
| eval process = coalesce(process_image, new_process_name)
| eval parent = coalesce(parent_image, parent_process)
// Normalise case once; every pattern below is lower-case
| eval proc_lower = toLowerCase(process)
| eval cmd_lower = toLowerCase(command_line)
| eval parent_lower = toLowerCase(parent)
| eval file_lower = toLowerCase(target_filename)
| eval key_lower = toLowerCase(registry_key)
| eval is_signtool = if(proc_lower matches ".*signtool\.exe.*", 1, 0)
| eval is_certutil = if(proc_lower matches ".*certutil\.exe.*", 1, 0)
// signtool's verb is a bare "sign" (signtool sign /f cert.pfx ...), not -sign or /sign
| eval signtool_sign = if(is_signtool = 1 AND (cmd_lower matches ".*signtool(\.exe)?.?\s+sign\s.*"), 1, 0)
| eval cert_import = if(is_certutil = 1 AND (cmd_lower matches ".*(-addstore|-importpfx).*"), 1, 0)
// The store name follows the verb and any switches: certutil [-user] -addstore TrustedPublisher file.cer
| eval trusted_store_target = if(is_certutil = 1 AND (cmd_lower matches ".*-(addstore|importpfx)\s+(-\w+\s+)*.?(root|trustedpublisher|authroot)\b.*"), 1, 0)
| eval has_pfx = if(cmd_lower matches ".*(\.pfx|\.p12).*", 1, 0)
// No timestamp server (/t or /tr): the signature expires with the certificate, typical of throwaway signing
| eval no_timestamp = if(signtool_sign = 1 AND !(cmd_lower matches ".*[/-]tr?\s.*"), 1, 0)
// explorer.exe parents every interactively launched program; keep it only if signing is expected solely from build agents
| eval suspicious_parent = if(parent_lower matches ".*(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|explorer\.exe).*", 1, 0)
| eval cert_file_drop = if(file_lower matches ".*\.(pfx|p12|cer|crt)$" AND (file_lower matches ".*(temp|downloads|appdata|public|programdata).*"), 1, 0)
// Sysmon records per-user stores as HKU\<SID>\..., so match on the SystemCertificates path rather than the hive
| eval cert_store_mod = if(key_lower matches ".*systemcertificates\\(root|trustedpublisher|authroot)\\certificates.*", 1, 0)
| eval detection_type = if(signtool_sign = 1, "SigntoolSigning",
    if(cert_import = 1, "CertutilImport",
    if(cert_file_drop = 1, "SuspiciousCertFileCreation",
    if(cert_store_mod = 1, "CertStoreRegistryMod", "Unknown"))))
| eval risk_score = signtool_sign + cert_import + trusted_store_target + has_pfx + no_timestamp + suspicious_parent + cert_file_drop + cert_store_mod
// Require a primary indicator: secondary flags alone (for example any process started from explorer.exe) must not alert
| where detection_type != "Unknown"
| fields _messageTime, %"Computer", %"User", process, command_line, parent, target_filename, registry_key, detection_type,
    signtool_sign, cert_import, trusted_store_target, has_pfx, no_timestamp,
    suspicious_parent, cert_file_drop, cert_store_mod, risk_score
| sort by _messageTime desc
Sumo Logic detection for T1553.002 Code Signing abuse. Parses Sysmon Event ID 1 (process create), Event ID 11 (file create) and Event IDs 12/13 (registry key create/delete and value set) alongside Windows Security 4688 events to identify signtool.exe signing activity, certutil.exe certificate imports into trusted stores, suspicious .pfx/.p12 file drops, and certificate store registry modifications. Each event is classified by its strongest primary indicator and given a composite risk score from every matched flag; the secondary flags (trusted_store_target, has_pfx, no_timestamp, suspicious_parent) raise the score but never alert on their own. The patterns are written as regular expressions; confirm that the matches operator applies them as such in your Sumo Logic environment, because if double-quoted patterns are interpreted as wildcard globs the .* anchors and escaped dots will not behave as intended.
Data Sources
- Sysmon (_sourceCategory="windows/sysmon"): Event ID 1 process creation, Event ID 11 file creation, Event IDs 12 and 13 registry key and value events
- Windows Security log (_sourceCategory="windows/security"): Event ID 4688 process creation; the CommandLine field is only populated when the "Include command line in process creation events" audit policy is enabled, and without it the signtool and certutil checks can fire only from Sysmon
False Positives & Tuning
- Automated DevSecOps pipelines using signtool.exe to sign application artifacts; these are frequently launched by build agent processes whose parents (cmd.exe, powershell.exe) look like the suspicious parents the rule scores, so allowlist known build hosts and expect timestamped signing (/tr) from them
- PKI administrators using certutil.exe to distribute enterprise intermediate or root CA certificates to managed endpoints during certificate rollover events
- Third-party VPN or SSL inspection products that generate .pfx or .p12 files in AppData or ProgramData directories as part of client certificate provisioning
- Interactive use: explorer.exe is the parent of every program a user starts from the desktop, so treat suspicious_parent as a score modifier rather than an indicator and drop explorer.exe from the list if it adds more noise than signal in your environment
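To make the scoring above checkable without a Sumo Logic tenant, here is an added example (not code from the original page) that re-implements the query's logic in Python and runs it over a handful of constructed Sysmon and Security events. It also shows the tuning point from the list above: timestamped signing on an allowlisted build host is suppressed, and a suspicious parent alone never alerts. The sample events, host names and the trusted_build_hosts knob are assumptions made for this illustration; the absence-of-timestamp-server flag is called no_timestamp here.

```python
"""Added example, not code from the original page: the Sumo query's T1553.002
scoring logic re-implemented in Python and run over constructed Sysmon/Security
events so the classification can be checked offline. Sample events, host names
and the trusted_build_hosts tuning knob are assumptions made for this illustration."""
import re

# Constructed events in the EventData XML shape the Sumo query parses (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS-042", "EventID": "1", "EventData":   # signtool, .pfx, no timestamp server, from cmd.exe
        r"<Data Name='Image'>C:\Tools\signtool.exe</Data>"
        r"<Data Name='CommandLine'>signtool.exe sign /f C:\Users\Public\dev.pfx /p x /fd sha256 C:\Users\Public\tool.exe</Data>"
        r"<Data Name='ParentImage'>C:\Windows\System32\cmd.exe</Data>"},
    {"Computer": "WS-042", "EventID": "4688", "EventData":   # certutil import into machine TrustedPublisher
        r"<Data Name='NewProcessName'>C:\Windows\System32\certutil.exe</Data>"
        r"<Data Name='CommandLine'>certutil -addstore TrustedPublisher C:\Temp\pub.cer</Data>"
        r"<Data Name='ParentProcessName'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>"},
    {"Computer": "WS-042", "EventID": "13", "EventData":   # per-user store: Sysmon writes HKU\<SID>, not HKCU
        r"<Data Name='Image'>C:\Windows\System32\certutil.exe</Data>"
        r"<Data Name='TargetObject'>HKU\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\ABCD\Blob</Data>"},
    {"Computer": "WS-042", "EventID": "1", "EventData":   # benign: only a "suspicious" parent, must not alert
        r"<Data Name='Image'>C:\Windows\System32\notepad.exe</Data>"
        r"<Data Name='CommandLine'>notepad.exe C:\notes.txt</Data>"
        r"<Data Name='ParentImage'>C:\Windows\explorer.exe</Data>"},
    {"Computer": "BUILD01", "EventID": "1", "EventData":   # timestamped release signing on a build agent
        r"<Data Name='Image'>C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe</Data>"
        r"<Data Name='CommandLine'>signtool.exe sign /f C:\certs\release.pfx /p x /fd sha256 /tr http://timestamp.example.test /td sha256 C:\build\app.exe</Data>"
        r"<Data Name='ParentImage'>C:\Windows\System32\cmd.exe</Data>"},
]

# All patterns are applied to lower-cased values, mirroring the toLowerCase() steps in the query.
SIGNTOOL_SIGN = re.compile(r'signtool(\.exe)?"?\s+sign\s')      # the verb is "sign", not /sign
TIMESTAMP_ARG = re.compile(r"[/-]tr?\s")                         # /t or /tr (also -t, -tr)
CERT_IMPORT = re.compile(r"-(addstore|importpfx)\b")
TRUSTED_STORE = re.compile(r'-(addstore|importpfx)\s+(-\w+\s+)*"?(root|trustedpublisher|authroot)\b')
PFX_FILE = re.compile(r"\.(pfx|p12)\b")
SUSPICIOUS_PARENT = re.compile(r"\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|explorer)\.exe$")
CERT_FILE = re.compile(r"\.(pfx|p12|cer|crt)$")
STAGING_DIR = re.compile(r"\\(temp|downloads|appdata|public|programdata)\\")
CERT_STORE_KEY = re.compile(r"\\systemcertificates\\(root|trustedpublisher|authroot)\\certificates\\")
# Primary indicators in the query's priority order, with the detection_type label each one yields.
PRIMARY = {"signtool_sign": "SigntoolSigning", "cert_import": "CertutilImport",
           "cert_file_drop": "SuspiciousCertFileCreation", "cert_store_mod": "CertStoreRegistryMod"}


def _field(event_data, name):
    """Equivalent of the query's parse ... nodrop: the value, or None when the field is absent."""
    m = re.search(rf"<Data Name='{name}'>(.*?)</Data>", event_data)
    return m.group(1) if m else None


def score_event(event, trusted_build_hosts=frozenset()):
    """Return an alert dict for one event, or None when no primary indicator fires."""
    data = event["EventData"]
    process = (_field(data, "Image") or _field(data, "NewProcessName") or "").lower()
    parent = (_field(data, "ParentImage") or _field(data, "ParentProcessName") or "").lower()
    cmd = (_field(data, "CommandLine") or "").lower()
    target_file = (_field(data, "TargetFilename") or "").lower()
    reg_key = (_field(data, "TargetObject") or "").lower()

    is_signtool = process.endswith("\\signtool.exe")
    is_certutil = process.endswith("\\certutil.exe")
    signing = is_signtool and bool(SIGNTOOL_SIGN.search(cmd))
    flags = {
        "signtool_sign": signing,
        "cert_import": is_certutil and bool(CERT_IMPORT.search(cmd)),
        "trusted_store_target": is_certutil and bool(TRUSTED_STORE.search(cmd)),
        "has_pfx": bool(PFX_FILE.search(cmd)),
        "no_timestamp": signing and not TIMESTAMP_ARG.search(cmd),
        "suspicious_parent": bool(SUSPICIOUS_PARENT.search(parent)),
        "cert_file_drop": bool(CERT_FILE.search(target_file) and STAGING_DIR.search(target_file)),
        "cert_store_mod": bool(CERT_STORE_KEY.search(reg_key)),
    }
    # A primary indicator is required; secondary flags (e.g. an explorer.exe parent) never alert alone.
    primary = next((name for name in PRIMARY if flags[name]), None)
    if primary is None:
        return None
    # Tuning assumption: timestamped signing on an allowlisted build host is expected and suppressed.
    if signing and not flags["no_timestamp"] and event["Computer"].lower() in trusted_build_hosts:
        return None
    return {"computer": event["Computer"], "event_id": event["EventID"], "process": process,
            "detection_type": PRIMARY[primary], "risk_score": sum(flags.values()), "flags": flags}


def run(events, trusted_build_hosts=frozenset()):
    """Score every event and keep only those that alert."""
    return [a for a in (score_event(e, trusted_build_hosts) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, trusted_build_hosts={"build01"}):
        print(alert["computer"], alert["detection_type"], alert["risk_score"],
              sorted(k for k, v in alert["flags"].items() if v))
```

Run it as a script and it prints three alerts: the untimestamped signtool run (score 4), the certutil import into TrustedPublisher (score 3) and the HKU registry write (score 1); the notepad event is dropped because a suspicious parent alone is not a primary indicator, and the BUILD01 signing is suppressed by the host allowlist but scores 3 when the allowlist is empty.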
Testing Methodology
Validate this detection against the four adversary behaviours below, drawn from Atomic Red Team coverage of T1553.002. Each test lists the behaviour to exercise and the telemetry you should expect to see. Note that the query above consumes Windows telemetry only, so Test 4 (macOS) documents a coverage gap rather than an event this rule will fire on.
- Test 1: Create and Use a Self-Signed Code Signing Certificate
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with New-SelfSignedCertificate in the command line. Sysmon Event ID 1: Process Create for signtool.exe with a command line containing the sign verb, '/f', '.pfx', '/fd sha256', and the target binary path (and no '/tr' timestamp server, which the query scores as no_timestamp). Sysmon Event ID 11: File creation events for df00tech-codesign.pfx and df00tech-test.exe in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 with the New-SelfSignedCertificate and Export-PfxCertificate commands.
- Test 2: Import Self-Signed Certificate into Trusted Publishers Store
Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with CommandLine containing '-addstore TrustedPublisher'. Sysmon Event ID 11: File creation for df00tech-publisher.cer in %TEMP%. Sysmon Event ID 13 (Registry Value Set): new value under HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\ keyed by the certificate thumbprint. PowerShell ScriptBlock Log Event ID 4104 for the New-SelfSignedCertificate commands.
- Test 3: Verify Signed Binary Execution Trust (Authenticode Check Bypass Simulation)
Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with '-addstore -user TrustedPublisher'. Sysmon Event ID 11: File creation events for df00tech-sign-test.cer and df00tech-payload.ps1 in %TEMP%. Sysmon Event ID 13: Registry modification under the per-user store, which Sysmon records as HKU\<SID>\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates (Registry Editor shows the same key under HKCU), so detection logic must not anchor on HKLM. PowerShell ScriptBlock Log Event ID 4104 for Set-AuthenticodeSignature cmdlet execution.
- Test 4: macOS Ad-Hoc Code Signing
Expected signal: macOS Unified Log: codesign process execution with '--sign -' arguments visible in process audit logs. Endpoint Security Framework events for ES_EVENT_TYPE_NOTIFY_EXEC when codesign runs. Security.framework log entries in /var/log/system.log for code signing operations. If EDR is present (CrowdStrike, SentinelOne): process creation event for codesign with ad-hoc signing arguments. spctl execution generates Gatekeeper assessment log entries in /var/log/system.log. None of this telemetry is consumed by the Sumo query above.
References
- https://attack.mitre.org/techniques/T1553/002/
- https://eclecticlight.co/2020/11/16/checks-on-executable-code-in-catalina-and-big-sur-a-first-draft/
- https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/
- http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates
- https://en.wikipedia.org/wiki/Code_signing
- https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.002/T1553.002.md
- https://blog.talosintelligence.com/2020/09/cobalt-strike-paper.html
- https://www.crowdstrike.com/blog/scattered-spider-byovd-exploits/
- https://unit42.paloaltonetworks.com/backconfig-malware-targeting-government-military/