T1587.002 Google Chronicle · YARA-L

Detect Code Signing Certificates in Google Chronicle

Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Adversaries leverage self-signed certificates to make malicious payloads appear more trustworthy — security tools and users are more likely to trust a signed binary even when the signing authority is unknown. Threat actors including Daggerfly (macOS malware), PROMETHIUM (StrongPity spyware installers), and Patchwork (BackConfig RAT) have created self-signed certificates impersonating legitimate software vendors to sign malicious payloads. This technique is commonly paired with T1553.002 (Code Signing) to bypass application allowlisting, reduce user suspicion, and evade detection tooling that weights signed binaries as lower risk.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1587 Develop Capabilities
Sub-technique
T1587.002 Code Signing Certificates
Canonical reference
https://attack.mitre.org/techniques/T1587/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1587_002_code_signing_cert_creation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1587.002 - self-signed code signing certificate creation and manipulation via Windows SDK tools, PowerShell PKI cmdlets, OpenSSL, certutil, and signtool"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1587.002"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""

    (
      // Branch 1: Native SDK tools
      re.regex($e.target.process.file.full_path, `(?i)\\(makecert|pvk2pfx)\.exe$`)

      // Branch 2: PowerShell certificate cmdlets
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(New-SelfSignedCertificate|Export-PfxCertificate|Export-Certificate|X509Certificate2|CertEnroll\.CX509|CertificateRequest|codeSigning|1\.3\.6\.1\.5\.5\.7\.3\.3)`)
      )

      // Branch 3: OpenSSL code signing cert creation
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\openssl\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)\s(req|x509|pkcs12|genpkey|genrsa)\s`)
        and re.regex($e.target.process.command_line, `(?i)(codeSigning|1\.3\.6\.1\.5\.5\.7\.3\.3|extendedKeyUsage|-x509)`)
      )

      // Branch 4: certutil certificate store manipulation
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\certutil\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(-addstore|-importpfx|-add)`)
      )

      // Branch 5: signtool signing
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\signtool\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)\ssign`)
      )
    )

  outcome:
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_path = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path
    $is_suspicious_parent = if(
      re.regex($e.principal.process.file.full_path, `(?i)\\(cmd|wscript|mshta|cscript|regsvr32|rundll32|msiexec)\.exe$`),
      1, 0
    )
    $is_temp_path = if(
      re.regex($e.target.process.command_line, `(?i)\\(temp|appdata|downloads|public)\\`),
      1, 0
    )

  condition:
    $e
}
medium severity high confidence

Chronicle YARA-L 2.0 rule detecting T1587.002 certificate creation and manipulation. Covers all five detection branches from the reference detection using UDM process event fields. Enriches outcome with suspicious parent and temp path indicators.

Data Sources

Google Chronicle with Windows endpoint telemetryChronicle Forwarder with SysmonChronicle UDM-normalized process events

Required Tables

UDM process events (metadata.event_type = PROCESS_LAUNCH)

False Positives & Tuning

  • Developer workstations with legitimate certificate signing workflows in SDLC pipelines
  • Security operations or PKI teams managing enterprise certificate infrastructure
  • Automated DevOps or CI/CD systems that build and sign software packages as part of normal release processes
Download portable Sigma rule (.yml)

Other platforms for T1587.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Self-Signed Code Signing Certificate via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'New-SelfSignedCertificate' and the spoofed Subject. PowerShell ScriptBlock Log Event ID 4104 capturing the full cmdlet invocation with parameters. Sysmon Event ID 11: File Create for df00tech-codesign.pfx in %TEMP%. Sysmon Event ID 13: Registry value set in HKCU\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\<thumbprint>.

  2. Test 2Create Self-Signed Certificate Using OpenSSL with Code Signing EKU

    Expected signal: Sysmon Event ID 1: Two Process Create events — openssl.exe with 'req -x509' and 'extendedKeyUsage=codeSigning' arguments, then openssl.exe with 'pkcs12 -export' arguments. Sysmon Event ID 11: File Creates for df00tech-key.pem, df00tech-cert.pem, df00tech-adobe.pfx in %TEMP%.

  3. Test 3Sign Executable with Self-Signed Certificate Using signtool.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=signtool.exe, CommandLine containing 'sign' and '/f %TEMP%\df00tech-codesign.pfx'. Sysmon Event ID 11: File modification event for df00tech-signed.exe (PE authenticode signature appended). Security Event ID 4688 (if process command line auditing enabled) capturing full signtool invocation.

  4. Test 4Import Self-Signed Certificate to Trusted Root Store via certutil

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore' and 'Root'. Sysmon Event ID 13: Registry value set in HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>. Security Event ID 4657 (registry value modification) if object access auditing is enabled for HKLM\SOFTWARE\Microsoft\SystemCertificates.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1587.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1587Develop Capabilities

Related Sub-techniques

T1587.001MalwareT1587.003Digital CertificatesT1587.004Exploits

Related Techniques

T1587Develop CapabilitiesT1553.002Code SigningT1588.003Code Signing CertificatesT1036MasqueradingT1036.001Invalid Code SignatureT1027Obfuscated Files or InformationT1195.002Compromise Software Supply ChainT1583Acquire InfrastructureT1486Data Encrypted for Impact

Same Tactic: Resource Development

Popular Detections