Detect Code Signing Certificates in Elastic Security
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Adversaries leverage self-signed certificates to make malicious payloads appear more trustworthy — security tools and users are more likely to trust a signed binary even when the signing authority is unknown. Threat actors including Daggerfly (macOS malware), PROMETHIUM (StrongPity spyware installers), and Patchwork (BackConfig RAT) have created self-signed certificates impersonating legitimate software vendors to sign malicious payloads. This technique is commonly paired with T1553.002 (Code Signing) to bypass application allowlisting, reduce user suspicion, and evade detection tooling that weights signed binaries as lower risk.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1587 Develop Capabilities
- Sub-technique
- T1587.002 Code Signing Certificates
- Canonical reference
- https://attack.mitre.org/techniques/T1587/002/
Elastic Detection Query
sequence by host.name with maxspan=5m
[process where event.type == "start" and (
process.name : ("makecert.exe", "pvk2pfx.exe") or
(process.name : ("powershell.exe", "pwsh.exe") and
process.args : ("New-SelfSignedCertificate", "Export-PfxCertificate", "Export-Certificate", "X509Certificate2", "CertEnroll.CX509", "codeSigning", "1.3.6.1.5.5.7.3.3")) or
(process.name : "openssl.exe" and
process.args : ("req", "x509", "pkcs12", "genpkey", "genrsa") and
process.args : ("codeSigning", "1.3.6.1.5.5.7.3.3", "-x509", "extendedKeyUsage")) or
(process.name : "certutil.exe" and process.args : ("-addstore", "-importpfx", "-add")) or
(process.name : "signtool.exe" and process.args : "sign")
)]Detects code signing certificate creation and manipulation activity associated with T1587.002. Covers native Windows SDK tools (makecert, pvk2pfx), PowerShell certificate cmdlets, OpenSSL cert generation with code signing EKU, certutil store imports, and signtool signing operations.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software developers creating self-signed certificates for internal testing or development builds
- Enterprise PKI administrators using makecert or pvk2pfx for certificate management tasks
- Security tooling or CI/CD pipelines that sign internal builds using signtool as part of automated release pipelines
Other platforms for T1587.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Self-Signed Code Signing Certificate via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'New-SelfSignedCertificate' and the spoofed Subject. PowerShell ScriptBlock Log Event ID 4104 capturing the full cmdlet invocation with parameters. Sysmon Event ID 11: File Create for df00tech-codesign.pfx in %TEMP%. Sysmon Event ID 13: Registry value set in HKCU\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\<thumbprint>.
- Test 2Create Self-Signed Certificate Using OpenSSL with Code Signing EKU
Expected signal: Sysmon Event ID 1: Two Process Create events — openssl.exe with 'req -x509' and 'extendedKeyUsage=codeSigning' arguments, then openssl.exe with 'pkcs12 -export' arguments. Sysmon Event ID 11: File Creates for df00tech-key.pem, df00tech-cert.pem, df00tech-adobe.pfx in %TEMP%.
- Test 3Sign Executable with Self-Signed Certificate Using signtool.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=signtool.exe, CommandLine containing 'sign' and '/f %TEMP%\df00tech-codesign.pfx'. Sysmon Event ID 11: File modification event for df00tech-signed.exe (PE authenticode signature appended). Security Event ID 4688 (if process command line auditing enabled) capturing full signtool invocation.
- Test 4Import Self-Signed Certificate to Trusted Root Store via certutil
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore' and 'Root'. Sysmon Event ID 13: Registry value set in HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>. Security Event ID 4657 (registry value modification) if object access auditing is enabled for HKLM\SOFTWARE\Microsoft\SystemCertificates.
References (12)
- https://attack.mitre.org/techniques/T1587/002/
- https://en.wikipedia.org/wiki/Code_signing
- https://www.bitdefender.com/blog/labs/strongpity-apt-new-version-of-the-spyware-phone-targeted-victims-in-turkey-and-syria/
- https://unit42.paloaltonetworks.com/patchwork-apt-southeast-asia/
- https://www.welivesecurity.com/en/eset-research/evasive-panda-apt-group-monitoring-tibetans/
- https://learn.microsoft.com/en-us/windows/win32/seccrypto/makecert
- https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
- https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1587.002/T1587.002.md
Unlock Pro Content
Get the full detection package for T1587.002 including response playbook, investigation guide, and atomic red team tests.