Detect Code Signing Certificates in Microsoft Sentinel
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Adversaries leverage self-signed certificates to make malicious payloads appear more trustworthy — security tools and users are more likely to trust a signed binary even when the signing authority is unknown. Threat actors including Daggerfly (macOS malware), PROMETHIUM (StrongPity spyware installers), and Patchwork (BackConfig RAT) have created self-signed certificates impersonating legitimate software vendors to sign malicious payloads. This technique is commonly paired with T1553.002 (Code Signing) to bypass application allowlisting, reduce user suspicion, and evade detection tooling that weights signed binaries as lower risk.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1587 Develop Capabilities
- Sub-technique
- T1587.002 Code Signing Certificates
- Canonical reference
- https://attack.mitre.org/techniques/T1587/002/
KQL Detection Query
// T1587.002 — Code Signing Certificate Creation and Manipulation
// Multi-branch detection covering native SDK tools, PowerShell cmdlets, OpenSSL, certutil, and signtool
let LookbackPeriod = 24h;
let PowerShellCertKeywords = dynamic([
"New-SelfSignedCertificate",
"Export-PfxCertificate",
"Export-Certificate",
"X509Certificate2(",
"CertEnroll.CX509",
"CertificateRequest",
"codeSigning",
"1.3.6.1.5.5.7.3.3"
]);
// Branch 1: Windows SDK certificate tools (makecert, pvk2pfx)
let NativeSdkTools = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where (FileName =~ "makecert.exe")
or (FileName =~ "pvk2pfx.exe")
| extend DetectionBranch = case(
FileName =~ "makecert.exe", "MakeCert-NativeSDK",
FileName =~ "pvk2pfx.exe", "Pvk2Pfx-KeyConversion",
"Unknown"
);
// Branch 2: PowerShell certificate creation cmdlets
let PowerShellCert = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (PowerShellCertKeywords)
| extend DetectionBranch = "PowerShell-CertCmdlet";
// Branch 3: OpenSSL code signing cert creation
let OpenSSLCert = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName =~ "openssl.exe"
| where ProcessCommandLine has_any ("req ", "x509 ", "pkcs12", "genpkey", "genrsa")
| where ProcessCommandLine has_any ("codeSigning", "1.3.6.1.5.5.7.3.3", "-x509", "extendedKeyUsage")
| extend DetectionBranch = "OpenSSL-CertCreation";
// Branch 4: certutil certificate store manipulation
let CertutilImport = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-addstore", "-importpfx", "-add")
| extend DetectionBranch = "CertUtil-StoreImport";
// Branch 5: signtool signing operations
let SigntoolActivity = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName =~ "signtool.exe"
| where ProcessCommandLine has "sign"
| extend DetectionBranch = "SignTool-ExecutableSigning";
// Union all branches with normalized schema
NativeSdkTools
| union PowerShellCert
| union OpenSSLCert
| union CertutilImport
| union SigntoolActivity
| extend IsSuspiciousParent = InitiatingProcessFileName has_any (
"cmd.exe", "wscript.exe", "mshta.exe", "cscript.exe",
"regsvr32.exe", "rundll32.exe", "msiexec.exe"
)
| extend IsTempLocation = ProcessCommandLine has_any ("\\Temp\\", "\\AppData\\", "\\Downloads\\", "\\Public\\")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionBranch, IsSuspiciousParent, IsTempLocation
| sort by Timestamp descMulti-branch detection for adversarial self-signed code signing certificate creation using Microsoft Defender for Endpoint tables. Branch 1 detects Windows SDK tools makecert.exe and pvk2pfx.exe which are rarely used outside development environments. Branch 2 targets PowerShell New-SelfSignedCertificate and related X.509 certificate creation cmdlets. Branch 3 identifies OpenSSL invocations with code signing EKU parameters. Branch 4 covers certutil -addstore and -importpfx operations that add untrusted certificates to Windows certificate stores. Branch 5 detects signtool.exe signing operations that follow certificate creation. Enrichment flags suspicious parent processes and temp directory usage to assist analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Software developers creating self-signed certificates for internal code signing during development and testing pipelines
- IT administrators managing internal PKI infrastructure and importing certificates to enterprise certificate stores
- CI/CD build systems (Jenkins, GitHub Actions runners, Azure DevOps agents) that create or use signing certificates as part of release automation
- Security tools such as Fiddler, Burp Suite, and Charles Proxy that create local CA certificates for TLS interception
- Certificate authority enrollment agents and autoenrollment services performing legitimate certutil operations
- macOS developers using codesign tooling through Windows Subsystem for Linux or cross-compilation environments
Other platforms for T1587.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Self-Signed Code Signing Certificate via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'New-SelfSignedCertificate' and the spoofed Subject. PowerShell ScriptBlock Log Event ID 4104 capturing the full cmdlet invocation with parameters. Sysmon Event ID 11: File Create for df00tech-codesign.pfx in %TEMP%. Sysmon Event ID 13: Registry value set in HKCU\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\<thumbprint>.
- Test 2Create Self-Signed Certificate Using OpenSSL with Code Signing EKU
Expected signal: Sysmon Event ID 1: Two Process Create events — openssl.exe with 'req -x509' and 'extendedKeyUsage=codeSigning' arguments, then openssl.exe with 'pkcs12 -export' arguments. Sysmon Event ID 11: File Creates for df00tech-key.pem, df00tech-cert.pem, df00tech-adobe.pfx in %TEMP%.
- Test 3Sign Executable with Self-Signed Certificate Using signtool.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=signtool.exe, CommandLine containing 'sign' and '/f %TEMP%\df00tech-codesign.pfx'. Sysmon Event ID 11: File modification event for df00tech-signed.exe (PE authenticode signature appended). Security Event ID 4688 (if process command line auditing enabled) capturing full signtool invocation.
- Test 4Import Self-Signed Certificate to Trusted Root Store via certutil
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore' and 'Root'. Sysmon Event ID 13: Registry value set in HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>. Security Event ID 4657 (registry value modification) if object access auditing is enabled for HKLM\SOFTWARE\Microsoft\SystemCertificates.
References (12)
- https://attack.mitre.org/techniques/T1587/002/
- https://en.wikipedia.org/wiki/Code_signing
- https://www.bitdefender.com/blog/labs/strongpity-apt-new-version-of-the-spyware-phone-targeted-victims-in-turkey-and-syria/
- https://unit42.paloaltonetworks.com/patchwork-apt-southeast-asia/
- https://www.welivesecurity.com/en/eset-research/evasive-panda-apt-group-monitoring-tibetans/
- https://learn.microsoft.com/en-us/windows/win32/seccrypto/makecert
- https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
- https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1587.002/T1587.002.md
Unlock Pro Content
Get the full detection package for T1587.002 including response playbook, investigation guide, and atomic red team tests.