T1587.002

Code Signing Certificates

Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Adversaries leverage self-signed certificates to make malicious payloads appear more trustworthy — security tools and users are more likely to trust a signed binary even when the signing authority is unknown. Threat actors including Daggerfly (macOS malware), PROMETHIUM (StrongPity spyware installers), and Patchwork (BackConfig RAT) have created self-signed certificates impersonating legitimate software vendors to sign malicious payloads. This technique is commonly paired with T1553.002 (Code Signing) to bypass application allowlisting, reduce user suspicion, and evade detection tooling that weights signed binaries as lower risk.

Microsoft Sentinel / Defender

kusto

// T1587.002 — Code Signing Certificate Creation and Manipulation
// Multi-branch detection covering native SDK tools, PowerShell cmdlets, OpenSSL, certutil, and signtool
let LookbackPeriod = 24h;
let PowerShellCertKeywords = dynamic([
    "New-SelfSignedCertificate",
    "Export-PfxCertificate",
    "Export-Certificate",
    "X509Certificate2(",
    "CertEnroll.CX509",
    "CertificateRequest",
    "codeSigning",
    "1.3.6.1.5.5.7.3.3"
]);
// Branch 1: Windows SDK certificate tools (makecert, pvk2pfx)
let NativeSdkTools = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where (FileName =~ "makecert.exe")
    or (FileName =~ "pvk2pfx.exe")
| extend DetectionBranch = case(
    FileName =~ "makecert.exe", "MakeCert-NativeSDK",
    FileName =~ "pvk2pfx.exe", "Pvk2Pfx-KeyConversion",
    "Unknown"
  );
// Branch 2: PowerShell certificate creation cmdlets
let PowerShellCert = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (PowerShellCertKeywords)
| extend DetectionBranch = "PowerShell-CertCmdlet";
// Branch 3: OpenSSL code signing cert creation
let OpenSSLCert = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName =~ "openssl.exe"
| where ProcessCommandLine has_any ("req ", "x509 ", "pkcs12", "genpkey", "genrsa")
| where ProcessCommandLine has_any ("codeSigning", "1.3.6.1.5.5.7.3.3", "-x509", "extendedKeyUsage")
| extend DetectionBranch = "OpenSSL-CertCreation";
// Branch 4: certutil certificate store manipulation
let CertutilImport = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-addstore", "-importpfx", "-add")
| extend DetectionBranch = "CertUtil-StoreImport";
// Branch 5: signtool signing operations
let SigntoolActivity = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName =~ "signtool.exe"
| where ProcessCommandLine has "sign"
| extend DetectionBranch = "SignTool-ExecutableSigning";
// Union all branches with normalized schema
NativeSdkTools
| union PowerShellCert
| union OpenSSLCert
| union CertutilImport
| union SigntoolActivity
| extend IsSuspiciousParent = InitiatingProcessFileName has_any (
    "cmd.exe", "wscript.exe", "mshta.exe", "cscript.exe",
    "regsvr32.exe", "rundll32.exe", "msiexec.exe"
  )
| extend IsTempLocation = ProcessCommandLine has_any ("\\Temp\\", "\\AppData\\", "\\Downloads\\", "\\Public\\")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionBranch, IsSuspiciousParent, IsTempLocation
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents DeviceRegistryEvents

False Positives

Software developers creating self-signed certificates for internal code signing during development and testing pipelines
IT administrators managing internal PKI infrastructure and importing certificates to enterprise certificate stores
CI/CD build systems (Jenkins, GitHub Actions runners, Azure DevOps agents) that create or use signing certificates as part of release automation
Security tools such as Fiddler, Burp Suite, and Charles Proxy that create local CA certificates for TLS interception
Certificate authority enrollment agents and autoenrollment services performing legitimate certutil operations
macOS developers using codesign tooling through Windows Subsystem for Linux or cross-compilation environments

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image), CommandLine=lower(CommandLine), ParentImage=lower(ParentImage)
| eval IsMakecert=if(match(Image, "\\\\makecert\.exe$"), 1, 0)
| eval IsPvk2pfx=if(match(Image, "\\\\pvk2pfx\.exe$"), 1, 0)
| eval IsOpenSSL=if(
    match(Image, "\\\\openssl\.exe$")
    AND (match(CommandLine, "\sreq\s") OR match(CommandLine, "\sx509\s") OR match(CommandLine, "pkcs12") OR match(CommandLine, "genrsa") OR match(CommandLine, "genpkey"))
    AND (match(CommandLine, "codesigning") OR match(CommandLine, "1\.3\.6\.1\.5\.5\.7\.3\.3") OR match(CommandLine, "-x509") OR match(CommandLine, "extendedkeyusage")),
    1, 0)
| eval IsPowerShellCert=if(
    (match(Image, "\\\\powershell\.exe$") OR match(Image, "\\\\pwsh\.exe$"))
    AND match(CommandLine, "new-selfsignedcertificate|export-pfxcertificate|export-certificate|x509certificate2|certenroll\.cx509|certificaterequest|codesigning|1\.3\.6\.1\.5\.5\.7\.3\.3"),
    1, 0)
| eval IsCertutil=if(
    match(Image, "\\\\certutil\.exe$")
    AND match(CommandLine, "-addstore|-importpfx"),
    1, 0)
| eval IsSigntool=if(
    match(Image, "\\\\signtool\.exe$")
    AND match(CommandLine, "\ssign"),
    1, 0)
| eval SuspicionScore = IsMakecert + IsPvk2pfx + IsOpenSSL + IsPowerShellCert + IsCertutil + IsSigntool
| where SuspicionScore > 0
| eval DetectionCategory=case(
    IsMakecert=1, "makecert_native_sdk",
    IsPvk2pfx=1, "pvk2pfx_key_conversion",
    IsOpenSSL=1, "openssl_code_signing_cert",
    IsPowerShellCert=1, "powershell_cert_cmdlet",
    IsCertutil=1, "certutil_store_import",
    IsSigntool=1, "signtool_executable_signing",
    true(), "multi_indicator"
  )
| eval IsSuspiciousParent=if(
    match(ParentImage, "\\\\(cmd|wscript|mshta|cscript|regsvr32|rundll32|msiexec)\.exe$"),
    1, 0)
| eval IsTempPath=if(
    match(CommandLine, "\\\\(temp|appdata|downloads|public)\\\\"),
    1, 0)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DetectionCategory, IsSuspiciousParent, IsTempPath, SuspicionScore
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11 Sysmon Event ID 12/13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software developers creating self-signed certificates for internal code signing during development and testing pipelines
IT administrators managing internal PKI infrastructure and importing certificates to enterprise certificate stores
CI/CD build systems (Jenkins, GitHub Actions runners, Azure DevOps agents) that create or use signing certificates as part of release automation
Security tools such as Fiddler, Burp Suite, and Charles Proxy that create local CA certificates for TLS interception
Certificate authority enrollment agents and autoenrollment services performing legitimate certutil operations
macOS developers using codesign tooling through Windows Subsystem for Linux or cross-compilation environments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username,
  sourceip,
  "hostname",
  QIDNAME(qid) AS EventName,
  "ImagePath",
  "CommandLine",
  "ParentImage",
  CASE
    WHEN LOWER("ImagePath") LIKE '%\\makecert.exe' THEN 'makecert_native_sdk'
    WHEN LOWER("ImagePath") LIKE '%\\pvk2pfx.exe' THEN 'pvk2pfx_key_conversion'
    WHEN (LOWER("ImagePath") LIKE '%\\openssl.exe'
      AND (LOWER("CommandLine") LIKE '% req %' OR LOWER("CommandLine") LIKE '% x509 %' OR LOWER("CommandLine") LIKE '%pkcs12%' OR LOWER("CommandLine") LIKE '%genrsa%' OR LOWER("CommandLine") LIKE '%genpkey%')
      AND (LOWER("CommandLine") LIKE '%codesigning%' OR LOWER("CommandLine") LIKE '%1.3.6.1.5.5.7.3.3%' OR LOWER("CommandLine") LIKE '%-x509%' OR LOWER("CommandLine") LIKE '%extendedkeyusage%'))
      THEN 'openssl_code_signing_cert'
    WHEN ((LOWER("ImagePath") LIKE '%\\powershell.exe' OR LOWER("ImagePath") LIKE '%\\pwsh.exe')
      AND (LOWER("CommandLine") LIKE '%new-selfsignedcertificate%' OR LOWER("CommandLine") LIKE '%export-pfxcertificate%' OR LOWER("CommandLine") LIKE '%export-certificate%' OR LOWER("CommandLine") LIKE '%x509certificate2%' OR LOWER("CommandLine") LIKE '%certenroll%' OR LOWER("CommandLine") LIKE '%codesigning%' OR LOWER("CommandLine") LIKE '%1.3.6.1.5.5.7.3.3%'))
      THEN 'powershell_cert_cmdlet'
    WHEN (LOWER("ImagePath") LIKE '%\\certutil.exe'
      AND (LOWER("CommandLine") LIKE '%-addstore%' OR LOWER("CommandLine") LIKE '%-importpfx%'))
      THEN 'certutil_store_import'
    WHEN (LOWER("ImagePath") LIKE '%\\signtool.exe' AND LOWER("CommandLine") LIKE '% sign%')
      THEN 'signtool_executable_signing'
    ELSE 'unknown'
  END AS DetectionCategory,
  CASE
    WHEN LOWER("ParentImage") LIKE '%\\cmd.exe'
      OR LOWER("ParentImage") LIKE '%\\wscript.exe'
      OR LOWER("ParentImage") LIKE '%\\mshta.exe'
      OR LOWER("ParentImage") LIKE '%\\cscript.exe'
      OR LOWER("ParentImage") LIKE '%\\regsvr32.exe'
      OR LOWER("ParentImage") LIKE '%\\rundll32.exe'
      OR LOWER("ParentImage") LIKE '%\\msiexec.exe'
    THEN 1 ELSE 0
  END AS IsSuspiciousParent
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 1 DAYS
  AND (
    LOWER("ImagePath") LIKE '%\\makecert.exe'
    OR LOWER("ImagePath") LIKE '%\\pvk2pfx.exe'
    OR LOWER("ImagePath") LIKE '%\\signtool.exe'
    OR (
      LOWER("ImagePath") LIKE '%\\certutil.exe'
      AND (LOWER("CommandLine") LIKE '%-addstore%' OR LOWER("CommandLine") LIKE '%-importpfx%')
    )
    OR (
      LOWER("ImagePath") LIKE '%\\openssl.exe'
      AND (LOWER("CommandLine") LIKE '%codesigning%' OR LOWER("CommandLine") LIKE '%1.3.6.1.5.5.7.3.3%' OR LOWER("CommandLine") LIKE '%extendedkeyusage%')
    )
    OR (
      (LOWER("ImagePath") LIKE '%\\powershell.exe' OR LOWER("ImagePath") LIKE '%\\pwsh.exe')
      AND (LOWER("CommandLine") LIKE '%new-selfsignedcertificate%' OR LOWER("CommandLine") LIKE '%export-pfxcertificate%' OR LOWER("CommandLine") LIKE '%codesigning%' OR LOWER("CommandLine") LIKE '%1.3.6.1.5.5.7.3.3%')
    )
  )
ORDER BY starttime DESC

medium severity medium confidence

Data Sources

QRadar with Windows Security Event Log DSM QRadar with Sysmon DSM Microsoft Windows endpoint log sources

Required Tables

events

False Positives

Developer workstations running legitimate build pipelines that use signtool or makecert for signing internal packages
PKI administrators using certutil to manage the enterprise certificate store
Security researchers or red team operators using OpenSSL on test hosts with proper authorization

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventCode = 1 or EventID = 4688
| parse regex field=CommandLine "(?P<cmdline>.+)"
| eval Image = toLowerCase(Image)
| eval CommandLine = toLowerCase(CommandLine)
| eval ParentImage = toLowerCase(ParentImage)
// Detection branches
| eval IsMakecert = if(Image matches ".*\\\\makecert\.exe$", 1, 0)
| eval IsPvk2pfx = if(Image matches ".*\\\\pvk2pfx\.exe$", 1, 0)
| eval IsSigntool = if(Image matches ".*\\\\signtool\.exe$" and CommandLine matches ".* sign.*", 1, 0)
| eval IsCertutil = if(
    Image matches ".*\\\\certutil\.exe$"
    and (CommandLine matches ".*-addstore.*" or CommandLine matches ".*-importpfx.*" or CommandLine matches ".*-add.*"),
    1, 0)
| eval IsOpenSSL = if(
    Image matches ".*\\\\openssl\.exe$"
    and (CommandLine matches ".* req .*" or CommandLine matches ".* x509 .*" or CommandLine matches ".*pkcs12.*" or CommandLine matches ".*genrsa.*" or CommandLine matches ".*genpkey.*")
    and (CommandLine matches ".*codesigning.*" or CommandLine matches ".*1\.3\.6\.1\.5\.5\.7\.3\.3.*" or CommandLine matches ".*extendedkeyusage.*" or CommandLine matches ".*-x509.*"),
    1, 0)
| eval IsPowerShellCert = if(
    (Image matches ".*\\\\powershell\.exe$" or Image matches ".*\\\\pwsh\.exe$")
    and (CommandLine matches ".*new-selfsignedcertificate.*" or CommandLine matches ".*export-pfxcertificate.*" or CommandLine matches ".*export-certificate.*" or CommandLine matches ".*x509certificate2.*" or CommandLine matches ".*certenroll.*" or CommandLine matches ".*codesigning.*" or CommandLine matches ".*1\.3\.6\.1\.5\.5\.7\.3\.3.*"),
    1, 0)
| eval SuspicionScore = IsMakecert + IsPvk2pfx + IsOpenSSL + IsPowerShellCert + IsCertutil + IsSigntool
| where SuspicionScore > 0
| eval DetectionCategory = if(IsMakecert=1, "makecert_native_sdk",
    if(IsPvk2pfx=1, "pvk2pfx_key_conversion",
    if(IsOpenSSL=1, "openssl_code_signing_cert",
    if(IsPowerShellCert=1, "powershell_cert_cmdlet",
    if(IsCertutil=1, "certutil_store_import",
    if(IsSigntool=1, "signtool_executable_signing", "multi_indicator"))))))
| eval IsSuspiciousParent = if(
    ParentImage matches ".*\\\\(cmd|wscript|mshta|cscript|regsvr32|rundll32|msiexec)\.exe$",
    1, 0)
| eval IsTempPath = if(
    CommandLine matches ".*\\\\(temp|appdata|downloads|public)\\\\.*",
    1, 0)
| table _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, DetectionCategory, IsSuspiciousParent, IsTempPath, SuspicionScore
| sort by _messageTime desc

medium severity high confidence

Data Sources

Sumo Logic Sysmon source Sumo Logic Windows Security Event Log source

Required Tables

Sysmon Event ID 1 Windows Security Event ID 4688

False Positives

Legitimate build systems generating code signing certificates for software products during release cycles
Enterprise IT administrators managing certificate lifecycle using certutil and makecert
Developer tools like Visual Studio or Azure DevOps pipelines calling signtool sign as part of automated workflows

Google Chronicle / SecOps

yaral

rule t1587_002_code_signing_cert_creation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1587.002 - self-signed code signing certificate creation and manipulation via Windows SDK tools, PowerShell PKI cmdlets, OpenSSL, certutil, and signtool"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1587.002"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""

    (
      // Branch 1: Native SDK tools
      re.regex($e.target.process.file.full_path, `(?i)\\(makecert|pvk2pfx)\.exe$`)

      // Branch 2: PowerShell certificate cmdlets
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(New-SelfSignedCertificate|Export-PfxCertificate|Export-Certificate|X509Certificate2|CertEnroll\.CX509|CertificateRequest|codeSigning|1\.3\.6\.1\.5\.5\.7\.3\.3)`)
      )

      // Branch 3: OpenSSL code signing cert creation
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\openssl\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)\s(req|x509|pkcs12|genpkey|genrsa)\s`)
        and re.regex($e.target.process.command_line, `(?i)(codeSigning|1\.3\.6\.1\.5\.5\.7\.3\.3|extendedKeyUsage|-x509)`)
      )

      // Branch 4: certutil certificate store manipulation
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\certutil\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(-addstore|-importpfx|-add)`)
      )

      // Branch 5: signtool signing
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\signtool\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)\ssign`)
      )
    )

  outcome:
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_path = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path
    $is_suspicious_parent = if(
      re.regex($e.principal.process.file.full_path, `(?i)\\(cmd|wscript|mshta|cscript|regsvr32|rundll32|msiexec)\.exe$`),
      1, 0
    )
    $is_temp_path = if(
      re.regex($e.target.process.command_line, `(?i)\\(temp|appdata|downloads|public)\\`),
      1, 0
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle with Windows endpoint telemetry Chronicle Forwarder with Sysmon Chronicle UDM-normalized process events

Required Tables

UDM process events (metadata.event_type = PROCESS_LAUNCH)

False Positives

Developer workstations with legitimate certificate signing workflows in SDLC pipelines
Security operations or PKI teams managing enterprise certificate infrastructure
Automated DevOps or CI/CD systems that build and sign software packages as part of normal release processes

CrowdStrike LogScale (CQL)

cql

// T1587.002 - Code Signing Certificate Creation and Manipulation
// CrowdStrike Falcon LogScale - ProcessRollup2 events

#event_simpleName=ProcessRollup2
| FileName = /(?i)(makecert\.exe|pvk2pfx\.exe|openssl\.exe|certutil\.exe|signtool\.exe|powershell\.exe|pwsh\.exe)/

// Evaluate each detection branch
| eval IsMakecert = if(FileName =~ "(?i)makecert\.exe", "true", "false")
| eval IsPvk2pfx = if(FileName =~ "(?i)pvk2pfx\.exe", "true", "false")
| eval IsSigntool = if(
    FileName =~ "(?i)signtool\.exe" and CommandLine =~ "(?i)\\ssign",
    "true", "false")
| eval IsCertutil = if(
    FileName =~ "(?i)certutil\.exe"
    and CommandLine =~ "(?i)(-addstore|-importpfx|-add)",
    "true", "false")
| eval IsOpenSSL = if(
    FileName =~ "(?i)openssl\.exe"
    and CommandLine =~ "(?i)\\s(req|x509|pkcs12|genpkey|genrsa)\\s"
    and CommandLine =~ "(?i)(codesigning|1\.3\.6\.1\.5\.5\.7\.3\.3|extendedkeyusage|-x509)",
    "true", "false")
| eval IsPowerShellCert = if(
    FileName =~ "(?i)(powershell|pwsh)\.exe"
    and CommandLine =~ "(?i)(new-selfsignedcertificate|export-pfxcertificate|export-certificate|x509certificate2|certenroll|codesigning|1\.3\.6\.1\.5\.5\.7\.3\.3)",
    "true", "false")

// Filter to only matched events
| where IsMakecert="true" or IsPvk2pfx="true" or IsSigntool="true" or IsCertutil="true" or IsOpenSSL="true" or IsPowerShellCert="true"

// Classify detection category
| eval DetectionCategory = case(
    IsMakecert="true", "makecert_native_sdk",
    IsPvk2pfx="true", "pvk2pfx_key_conversion",
    IsOpenSSL="true", "openssl_code_signing_cert",
    IsPowerShellCert="true", "powershell_cert_cmdlet",
    IsCertutil="true", "certutil_store_import",
    IsSigntool="true", "signtool_executable_signing",
    "multi_indicator")

// Flag suspicious parent processes
| eval IsSuspiciousParent = if(
    ParentBaseFileName =~ "(?i)(cmd|wscript|mshta|cscript|regsvr32|rundll32|msiexec)\.exe",
    "true", "false")

// Flag temp/staging path usage
| eval IsTempPath = if(
    CommandLine =~ "(?i)\\\\(temp|appdata|downloads|public)\\\\",
    "true", "false")

| table timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionCategory, IsSuspiciousParent, IsTempPath
| sort timestamp desc

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Detection Falcon sensor ProcessRollup2 telemetry

Required Tables

ProcessRollup2

False Positives

Legitimate software development environments using signtool sign as part of build and release automation
Enterprise PKI administrators running certutil to manage the local machine or enterprise certificate stores
Security engineers or red teamers on authorized assessment hosts using OpenSSL to generate test certificates

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1587.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Code Signing Certificates

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections