T1587.002 IBM QRadar · QRadar

Detect Code Signing Certificates in IBM QRadar

Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Adversaries leverage self-signed certificates to make malicious payloads appear more trustworthy: security tools and users are more likely to trust a signed binary even when the signing authority is unknown. Threat actors including Daggerfly (macOS malware), PROMETHIUM (StrongPity spyware installers), and Patchwork (BackConfig RAT) have created self-signed certificates impersonating legitimate software vendors to sign malicious payloads. Developing the certificate (this technique) is commonly paired with T1553.002 (Subvert Trust Controls: Code Signing), where the certificate is actually used to sign the payload, in order to bypass application allowlisting, reduce user suspicion, and evade detection tooling that weights signed binaries as lower risk.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1587 Develop Capabilities
Sub-technique
T1587.002 Code Signing Certificates
Canonical reference
https://attack.mitre.org/techniques/T1587/002/

QRadar Detection Query

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username,
  sourceip,
  "hostname",
  QIDNAME(qid) AS EventName,
  "ImagePath",
  "CommandLine",
  "ParentImage",
  CASE
    WHEN LOWER("ImagePath") LIKE '%\\makecert.exe' THEN 'makecert_native_sdk'
    WHEN LOWER("ImagePath") LIKE '%\\pvk2pfx.exe' THEN 'pvk2pfx_key_conversion'
    WHEN (LOWER("ImagePath") LIKE '%\\openssl.exe'
      AND (LOWER("CommandLine") LIKE '% req %' OR LOWER("CommandLine") LIKE '% x509 %' OR LOWER("CommandLine") LIKE '%pkcs12%' OR LOWER("CommandLine") LIKE '%genrsa%' OR LOWER("CommandLine") LIKE '%genpkey%')
      AND (LOWER("CommandLine") LIKE '%codesigning%' OR LOWER("CommandLine") LIKE '%1.3.6.1.5.5.7.3.3%' OR LOWER("CommandLine") LIKE '%-x509%' OR LOWER("CommandLine") LIKE '%extendedkeyusage%'))
      THEN 'openssl_code_signing_cert'
    WHEN ((LOWER("ImagePath") LIKE '%\\powershell.exe' OR LOWER("ImagePath") LIKE '%\\pwsh.exe')
      AND (LOWER("CommandLine") LIKE '%new-selfsignedcertificate%' OR LOWER("CommandLine") LIKE '%export-pfxcertificate%' OR LOWER("CommandLine") LIKE '%export-certificate%' OR LOWER("CommandLine") LIKE '%x509certificate2%' OR LOWER("CommandLine") LIKE '%certenroll%' OR LOWER("CommandLine") LIKE '%codesigning%' OR LOWER("CommandLine") LIKE '%1.3.6.1.5.5.7.3.3%'))
      THEN 'powershell_cert_cmdlet'
    WHEN (LOWER("ImagePath") LIKE '%\\certutil.exe'
      AND (LOWER("CommandLine") LIKE '%-addstore%' OR LOWER("CommandLine") LIKE '%-importpfx%'))
      THEN 'certutil_store_import'
    WHEN (LOWER("ImagePath") LIKE '%\\signtool.exe' AND LOWER("CommandLine") LIKE '% sign%')
      THEN 'signtool_executable_signing'
    ELSE 'unknown'
  END AS DetectionCategory,
  CASE
    WHEN LOWER("ParentImage") LIKE '%\\cmd.exe'
      OR LOWER("ParentImage") LIKE '%\\wscript.exe'
      OR LOWER("ParentImage") LIKE '%\\mshta.exe'
      OR LOWER("ParentImage") LIKE '%\\cscript.exe'
      OR LOWER("ParentImage") LIKE '%\\regsvr32.exe'
      OR LOWER("ParentImage") LIKE '%\\rundll32.exe'
      OR LOWER("ParentImage") LIKE '%\\msiexec.exe'
    THEN 1 ELSE 0
  END AS IsSuspiciousParent
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    LOWER("ImagePath") LIKE '%\\makecert.exe'
    OR LOWER("ImagePath") LIKE '%\\pvk2pfx.exe'
    OR (
      -- restrict to the sign verb so 'signtool verify' does not surface as 'unknown'
      LOWER("ImagePath") LIKE '%\\signtool.exe'
      AND LOWER("CommandLine") LIKE '% sign%'
    )
    OR (
      LOWER("ImagePath") LIKE '%\\certutil.exe'
      AND (LOWER("CommandLine") LIKE '%-addstore%' OR LOWER("CommandLine") LIKE '%-importpfx%')
    )
    OR (
      LOWER("ImagePath") LIKE '%\\openssl.exe'
      AND (LOWER("CommandLine") LIKE '%codesigning%' OR LOWER("CommandLine") LIKE '%1.3.6.1.5.5.7.3.3%' OR LOWER("CommandLine") LIKE '%extendedkeyusage%')
    )
    OR (
      (LOWER("ImagePath") LIKE '%\\powershell.exe' OR LOWER("ImagePath") LIKE '%\\pwsh.exe')
      AND (LOWER("CommandLine") LIKE '%new-selfsignedcertificate%' OR LOWER("CommandLine") LIKE '%export-pfxcertificate%' OR LOWER("CommandLine") LIKE '%codesigning%' OR LOWER("CommandLine") LIKE '%1.3.6.1.5.5.7.3.3%')
    )
  )
ORDER BY starttime DESC
LAST 1 DAYS
```

Severity: medium · Confidence: medium

QRadar AQL detection for T1587.002 covering certificate creation tools (makecert, pvk2pfx), PowerShell PKI cmdlets, OpenSSL invocations carrying the code signing EKU (codeSigning / OID 1.3.6.1.5.5.7.3.3), certutil store manipulation, and signtool signing. Each matching event is enriched with a detection category and a suspicious-parent flag. The time window is expressed with the AQL LAST clause rather than arithmetic on NOW(). Prerequisites: "ImagePath", "CommandLine", "ParentImage" and "hostname" are custom event properties that must be defined (and ideally indexed) for the Windows and Sysmon log sources, and the underlying events must carry the command line, which means Sysmon Event ID 1 or Security Event ID 4688 with "Include command line in process creation events" enabled. Without command-line data every branch except the bare makecert/pvk2pfx image matches is blind.

Data Sources

  • QRadar with Windows Security Event Log DSM
  • QRadar with Sysmon DSM
  • Microsoft Windows endpoint log sources

Required Tables

events

False Positives & Tuning

  • Developer workstations and CI build agents running legitimate build pipelines that use signtool or makecert to sign internal packages; allowlist by host and signing service account rather than by tool name
  • PKI administrators using certutil to manage the enterprise certificate store; scope any exclusion to the admin accounts and management hosts, and keep alerting on certutil -addstore Root from ordinary workstations
  • Security researchers or red team operators using OpenSSL on test hosts with proper authorization
  • Do not suppress on allowlisted hosts or accounts when IsSuspiciousParent = 1; a certificate tool spawned by mshta.exe, wscript.exe or rundll32.exe is not a normal build or PKI workflow
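The categorisation and tuning described above, as an added Python example (not part of the page's QRadar content): the AQL CASE logic is re-implemented and run over constructed Sysmon Event ID 1 style records modelled on the four tests in the Testing Methodology section, with the suspicious-parent flag and an allowlist for build hosts and PKI administrators layered on top. Field names (Image, CommandLine, ParentImage, Hostname, User), the host and account names, and the sample events are assumptions made for illustration.

```python
"""Categorisation from the QRadar AQL query, re-implemented in Python so it can be
exercised offline against constructed Sysmon Event ID 1 style records.
Added example, not QRadar content. Field names, host/account names and the
sample events are assumptions."""

import re
from typing import Optional

CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning

# Parents the AQL query flags as suspicious launchers of PKI tooling.
SUSPICIOUS_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                      "regsvr32.exe", "rundll32.exe", "msiexec.exe"}

# Tuning allowlists from the False Positives section (assumed names).
BUILD_HOSTS = {"build01"}            # CI runners that sign internal packages
PKI_ADMINS = {"corp\\pkiadmin"}      # accounts expected to manage certificate stores
BUILD_CATEGORIES = {"signtool_executable_signing", "makecert_native_sdk",
                    "pvk2pfx_key_conversion"}


def basename(path: str) -> str:
    """Lower-cased file name; the Python equivalent of LIKE '%\\tool.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return the DetectionCategory the AQL CASE expression would assign, or None."""
    image = basename(event["Image"])
    cmd = event["CommandLine"].lower()

    def has(*terms: str) -> bool:
        return any(t in cmd for t in terms)

    if image == "makecert.exe":
        return "makecert_native_sdk"
    if image == "pvk2pfx.exe":
        return "pvk2pfx_key_conversion"
    if image == "openssl.exe":
        # Both a key/cert operation and a code-signing marker must be present.
        operation = has(" req ", " x509 ", "pkcs12", "genrsa", "genpkey")
        marker = has("codesigning", CODE_SIGNING_EKU, "-x509", "extendedkeyusage")
        return "openssl_code_signing_cert" if operation and marker else None
    if image in ("powershell.exe", "pwsh.exe"):
        cmdlets = ("new-selfsignedcertificate", "export-pfxcertificate", "export-certificate",
                   "x509certificate2", "certenroll", "codesigning", CODE_SIGNING_EKU)
        return "powershell_cert_cmdlet" if has(*cmdlets) else None
    if image == "certutil.exe" and has("-addstore", "-importpfx"):
        return "certutil_store_import"
    if image == "signtool.exe" and re.search(r"\bsign\b", cmd):
        return "signtool_executable_signing"  # 'signtool verify' does not match
    return None


def is_suspicious_parent(event: dict) -> bool:
    """Mirror of the IsSuspiciousParent CASE expression."""
    return basename(event.get("ParentImage", "")) in SUSPICIOUS_PARENTS


def triage(event: dict) -> Optional[dict]:
    """Categorise one record and apply the tuning guidance.
    Returns None for no match or an allowlisted use, else an alert dict."""
    category = classify(event)
    if category is None:
        return None
    host = event.get("Hostname", "").lower()
    user = event.get("User", "").lower()
    suspicious = is_suspicious_parent(event)
    # Signing on build hosts and store management by PKI admins are expected,
    # but an allowlist never applies when the tool came from a suspicious parent.
    allowlisted = (category in BUILD_CATEGORIES and host in BUILD_HOSTS) or (
        category == "certutil_store_import" and user in PKI_ADMINS)
    if allowlisted and not suspicious:
        return None
    # Writing into the machine Root store changes what the host trusts: rate it higher.
    root_store = category == "certutil_store_import" and " root" in event["CommandLine"].lower()
    severity = "high" if (suspicious or root_store) else "medium"
    return {"category": category, "suspicious_parent": suspicious,
            "severity": severity, "host": host, "user": user}


def run(events) -> list:
    """Triage a batch of records and keep only those that should alert."""
    return [alert for alert in map(triage, events) if alert is not None]


def ev(host, user, parent, image, cmd):
    return {"Hostname": host, "User": user, "ParentImage": parent, "Image": image, "CommandLine": cmd}


# Constructed sample records modelled on the four tests plus two benign cases.
SAMPLE_EVENTS = [
    ev("WS-042", "CORP\\jdoe", "C:\\Windows\\explorer.exe",
       "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
       "powershell.exe -c \"New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Example Software Inc'\""),
    ev("WS-042", "CORP\\jdoe", "C:\\Windows\\System32\\cmd.exe", "C:\\Tools\\openssl.exe",
       "openssl.exe req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -addext extendedKeyUsage=codeSigning"),
    ev("BUILD01", "CORP\\svc-build", "C:\\agent\\run.exe", "C:\\SDK\\bin\\signtool.exe",
       "signtool.exe sign /f internal.pfx /fd SHA256 app.exe"),
    ev("WS-042", "CORP\\jdoe", "C:\\Windows\\System32\\mshta.exe", "C:\\Windows\\System32\\certutil.exe",
       "certutil.exe -addstore Root cert.cer"),
    ev("WS-042", "CORP\\jdoe", "C:\\Windows\\explorer.exe", "C:\\SDK\\bin\\signtool.exe",
       "signtool.exe verify /pa app.exe"),
    ev("PKI01", "CORP\\pkiadmin", "C:\\Windows\\System32\\mmc.exe", "C:\\Windows\\System32\\certutil.exe",
       "certutil.exe -addstore CA issuing-ca.cer"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Of the six constructed records, three alert: the PowerShell certificate creation (medium), the OpenSSL request spawned from cmd.exe (high, suspicious parent) and the certutil write into the machine Root store from mshta.exe (high). The build-host signtool run and the PKI administrator's certutil -addstore CA are suppressed by the allowlist, and signtool verify never matches. Keeping the allowlist conditional on the parent process is the part worth carrying back into the QRadar rule: suppress on host or account, never on tool name alone.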

Testing Methodology

Validate this detection against the four adversary tests below from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see; the expected signals assume Sysmon process, file and registry logging is in place and, where noted, the relevant Windows audit policy is enabled.

  1. Test 1: Create Self-Signed Code Signing Certificate via PowerShell

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=powershell.exe and a CommandLine containing 'New-SelfSignedCertificate' and the spoofed Subject. PowerShell Script Block Logging Event ID 4104 capturing the full cmdlet invocation with parameters. Sysmon Event ID 11 (File Create) for df00tech-codesign.pfx in %TEMP%. Sysmon Event ID 13 (Registry value set) for the Blob value under HKCU\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\<thumbprint>, which is the default Cert:\CurrentUser\My store the cmdlet writes to.

  2. Test 2: Create Self-Signed Certificate Using OpenSSL with Code Signing EKU

    Expected signal: Sysmon Event ID 1: two Process Create events, openssl.exe with 'req -x509' and 'extendedKeyUsage=codeSigning' arguments, then openssl.exe with 'pkcs12 -export' arguments. Only the first is matched by the query (openssl_code_signing_cert); the pkcs12 export carries no code-signing marker on its command line and will not surface on its own. Sysmon Event ID 11: File Creates for df00tech-key.pem, df00tech-cert.pem and df00tech-adobe.pfx in %TEMP%.

  3. Test 3: Sign Executable with Self-Signed Certificate Using signtool.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=signtool.exe, CommandLine containing 'sign' and '/f %TEMP%\df00tech-codesign.pfx'. Sysmon Event ID 11 (File Create) for df00tech-signed.exe when signtool writes the signed PE (the Authenticode signature is appended to the file); if no file event appears, confirm the result with Get-AuthenticodeSignature, which should show the self-signed signer and a status other than Valid because the certificate does not chain to a trusted root. Security Event ID 4688 (if "Include command line in process creation events" is enabled) capturing the full signtool invocation.

  4. Test 4: Import Self-Signed Certificate to Trusted Root Store via certutil

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore' and 'Root'; without the -user switch this targets the machine store and requires administrative rights. Sysmon Event ID 13: Registry value set in HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>. Security Event ID 4657 (registry value modification) only if the Audit Registry subcategory is enabled and a SACL is set on HKLM\SOFTWARE\Microsoft\SystemCertificates. Note that installing the certificate into the Root store is the behaviour catalogued under T1553.004 (Install Root Certificate); the query includes it because it is the step that makes a signature from the self-signed certificate validate on the victim host.
