Detect Code Signing Certificates in CrowdStrike LogScale
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Adversaries leverage self-signed certificates to make malicious payloads appear more trustworthy — security tools and users are more likely to trust a signed binary even when the signing authority is unknown. Threat actors including Daggerfly (macOS malware), PROMETHIUM (StrongPity spyware installers), and Patchwork (BackConfig RAT) have created self-signed certificates impersonating legitimate software vendors to sign malicious payloads. This technique is commonly paired with T1553.002 (Code Signing) to bypass application allowlisting, reduce user suspicion, and evade detection tooling that weights signed binaries as lower risk.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1587 Develop Capabilities
- Sub-technique
- T1587.002 Code Signing Certificates
- Canonical reference
- https://attack.mitre.org/techniques/T1587/002/
LogScale Detection Query
// T1587.002 - Code Signing Certificate Creation and Manipulation
// CrowdStrike Falcon LogScale - ProcessRollup2 events
#event_simpleName=ProcessRollup2
| FileName = /(?i)(makecert\.exe|pvk2pfx\.exe|openssl\.exe|certutil\.exe|signtool\.exe|powershell\.exe|pwsh\.exe)/
// Evaluate each detection branch
| eval IsMakecert = if(FileName =~ "(?i)makecert\.exe", "true", "false")
| eval IsPvk2pfx = if(FileName =~ "(?i)pvk2pfx\.exe", "true", "false")
| eval IsSigntool = if(
FileName =~ "(?i)signtool\.exe" and CommandLine =~ "(?i)\\ssign",
"true", "false")
| eval IsCertutil = if(
FileName =~ "(?i)certutil\.exe"
and CommandLine =~ "(?i)(-addstore|-importpfx|-add)",
"true", "false")
| eval IsOpenSSL = if(
FileName =~ "(?i)openssl\.exe"
and CommandLine =~ "(?i)\\s(req|x509|pkcs12|genpkey|genrsa)\\s"
and CommandLine =~ "(?i)(codesigning|1\.3\.6\.1\.5\.5\.7\.3\.3|extendedkeyusage|-x509)",
"true", "false")
| eval IsPowerShellCert = if(
FileName =~ "(?i)(powershell|pwsh)\.exe"
and CommandLine =~ "(?i)(new-selfsignedcertificate|export-pfxcertificate|export-certificate|x509certificate2|certenroll|codesigning|1\.3\.6\.1\.5\.5\.7\.3\.3)",
"true", "false")
// Filter to only matched events
| where IsMakecert="true" or IsPvk2pfx="true" or IsSigntool="true" or IsCertutil="true" or IsOpenSSL="true" or IsPowerShellCert="true"
// Classify detection category
| eval DetectionCategory = case(
IsMakecert="true", "makecert_native_sdk",
IsPvk2pfx="true", "pvk2pfx_key_conversion",
IsOpenSSL="true", "openssl_code_signing_cert",
IsPowerShellCert="true", "powershell_cert_cmdlet",
IsCertutil="true", "certutil_store_import",
IsSigntool="true", "signtool_executable_signing",
"multi_indicator")
// Flag suspicious parent processes
| eval IsSuspiciousParent = if(
ParentBaseFileName =~ "(?i)(cmd|wscript|mshta|cscript|regsvr32|rundll32|msiexec)\.exe",
"true", "false")
// Flag temp/staging path usage
| eval IsTempPath = if(
CommandLine =~ "(?i)\\\\(temp|appdata|downloads|public)\\\\",
"true", "false")
| table timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionCategory, IsSuspiciousParent, IsTempPath
| sort timestamp descCrowdStrike Falcon LogScale detection for T1587.002 using ProcessRollup2 events. Covers all five detection branches from the reference detection: native SDK tools, PowerShell PKI cmdlets, OpenSSL certificate generation, certutil store manipulation, and signtool signing operations.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software development environments using signtool sign as part of build and release automation
- Enterprise PKI administrators running certutil to manage the local machine or enterprise certificate stores
- Security engineers or red teamers on authorized assessment hosts using OpenSSL to generate test certificates
Other platforms for T1587.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Self-Signed Code Signing Certificate via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'New-SelfSignedCertificate' and the spoofed Subject. PowerShell ScriptBlock Log Event ID 4104 capturing the full cmdlet invocation with parameters. Sysmon Event ID 11: File Create for df00tech-codesign.pfx in %TEMP%. Sysmon Event ID 13: Registry value set in HKCU\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\<thumbprint>.
- Test 2Create Self-Signed Certificate Using OpenSSL with Code Signing EKU
Expected signal: Sysmon Event ID 1: Two Process Create events — openssl.exe with 'req -x509' and 'extendedKeyUsage=codeSigning' arguments, then openssl.exe with 'pkcs12 -export' arguments. Sysmon Event ID 11: File Creates for df00tech-key.pem, df00tech-cert.pem, df00tech-adobe.pfx in %TEMP%.
- Test 3Sign Executable with Self-Signed Certificate Using signtool.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=signtool.exe, CommandLine containing 'sign' and '/f %TEMP%\df00tech-codesign.pfx'. Sysmon Event ID 11: File modification event for df00tech-signed.exe (PE authenticode signature appended). Security Event ID 4688 (if process command line auditing enabled) capturing full signtool invocation.
- Test 4Import Self-Signed Certificate to Trusted Root Store via certutil
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore' and 'Root'. Sysmon Event ID 13: Registry value set in HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>. Security Event ID 4657 (registry value modification) if object access auditing is enabled for HKLM\SOFTWARE\Microsoft\SystemCertificates.
References (12)
- https://attack.mitre.org/techniques/T1587/002/
- https://en.wikipedia.org/wiki/Code_signing
- https://www.bitdefender.com/blog/labs/strongpity-apt-new-version-of-the-spyware-phone-targeted-victims-in-turkey-and-syria/
- https://unit42.paloaltonetworks.com/patchwork-apt-southeast-asia/
- https://www.welivesecurity.com/en/eset-research/evasive-panda-apt-group-monitoring-tibetans/
- https://learn.microsoft.com/en-us/windows/win32/seccrypto/makecert
- https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
- https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1587.002/T1587.002.md
Unlock Pro Content
Get the full detection package for T1587.002 including response playbook, investigation guide, and atomic red team tests.