T1587.002 Splunk · SPL

Detect Code Signing Certificates in Splunk

Adversaries may create self-signed code signing certificates for use during targeting. Code signing is the process of digitally signing executables and scripts to identify the software author and to guarantee that the code has not been altered since it was signed. A self-signed certificate provides neither assurance, because the actor controls both the key and the issuer, but it makes a malicious payload look more trustworthy: security tools and users are more likely to trust a signed binary even when the signing authority is unknown. Threat actors including Daggerfly (macOS malware), PROMETHIUM (StrongPity spyware installers), and Patchwork (BackConfig RAT) have created self-signed certificates impersonating legitimate software vendors to sign malicious payloads. This technique is commonly paired with T1553.002 (Subvert Trust Controls: Code Signing) to bypass application allowlisting, reduce user suspicion, and evade detection tooling that weights signed binaries as lower risk. On Windows a self-signed signature does not chain to a trusted root, so an actor who needs the signature to actually validate must also import the certificate into a trusted store, which is why the query below also watches certutil -addstore.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1587 Develop Capabilities
Sub-technique: T1587.002 Code Signing Certificates
Canonical reference: https://attack.mitre.org/techniques/T1587/002/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image), CommandLine=lower(CommandLine), ParentImage=lower(ParentImage)
| eval IsMakecert=if(match(Image, "\\\\makecert\.exe$"), 1, 0)
| eval IsPvk2pfx=if(match(Image, "\\\\pvk2pfx\.exe$"), 1, 0)
| eval IsOpenSSL=if(
    match(Image, "\\\\openssl\.exe$")
    AND (match(CommandLine, "\sreq\s") OR match(CommandLine, "\sx509\s") OR match(CommandLine, "pkcs12") OR match(CommandLine, "genrsa") OR match(CommandLine, "genpkey"))
    AND (match(CommandLine, "codesigning") OR match(CommandLine, "1\.3\.6\.1\.5\.5\.7\.3\.3") OR match(CommandLine, "-x509") OR match(CommandLine, "extendedkeyusage")),
    1, 0)
| eval IsPowerShellCert=if(
    (match(Image, "\\\\powershell\.exe$") OR match(Image, "\\\\pwsh\.exe$"))
    AND match(CommandLine, "new-selfsignedcertificate|export-pfxcertificate|export-certificate|x509certificate2|certenroll\.cx509|certificaterequest|codesigning|1\.3\.6\.1\.5\.5\.7\.3\.3"),
    1, 0)
| eval IsCertutil=if(
    match(Image, "\\\\certutil\.exe$")
    AND match(CommandLine, "-addstore|-importpfx"),
    1, 0)
| eval IsSigntool=if(
    match(Image, "\\\\signtool\.exe$")
    AND match(CommandLine, "\ssign"),
    1, 0)
| eval SuspicionScore = IsMakecert + IsPvk2pfx + IsOpenSSL + IsPowerShellCert + IsCertutil + IsSigntool
| where SuspicionScore > 0
| eval DetectionCategory=case(
    IsMakecert=1, "makecert_native_sdk",
    IsPvk2pfx=1, "pvk2pfx_key_conversion",
    IsOpenSSL=1, "openssl_code_signing_cert",
    IsPowerShellCert=1, "powershell_cert_cmdlet",
    IsCertutil=1, "certutil_store_import",
    IsSigntool=1, "signtool_executable_signing"
  )
| eval IsSuspiciousParent=if(
    match(ParentImage, "\\\\(cmd|wscript|mshta|cscript|regsvr32|rundll32|msiexec)\.exe$"),
    1, 0)
| eval IsTempPath=if(
    match(CommandLine, "\\\\(temp|appdata|downloads|public)\\\\"),
    1, 0)
| eventstats dc(DetectionCategory) AS HostCategoryCount BY host
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DetectionCategory, HostCategoryCount, IsSuspiciousParent, IsTempPath, SuspicionScore
| sort - _time
Severity: medium. Confidence: medium.

Detects self-signed code signing certificate creation and use from Sysmon Event ID 1 (Process Creation) logs. The query evaluates the lower-cased process image and command line against six detection categories: makecert.exe (Windows SDK), pvk2pfx.exe (PVK to PFX key conversion), openssl.exe invoked with a certificate-generation command plus a code signing EKU, -x509 or extendedKeyUsage argument, PowerShell certificate cmdlets and CertEnroll/.NET certificate classes, certutil.exe store import operations, and signtool.exe signing. Because every category is keyed on a different image name, a single process creation event matches at most one category, so the per-event score is a presence flag rather than a ranking; prioritising multi-indicator activity means correlating distinct categories on the same host across events (for example, a PowerShell certificate export followed minutes later by signtool.exe and certutil.exe -addstore). The suspicious-parent and temp-path flags add triage context without requiring analyst lookups. Note that the -x509 and certutil -addstore clauses also fire on self-signed certificates that have nothing to do with code signing, so expect most tuning effort on the openssl and certutil categories.
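As an added example, not part of the original page, the same six-category logic is re-implemented in Python so it can be exercised offline against constructed Sysmon Event ID 1 records. It goes beyond the SPL in two ways that are assumptions for illustration: a per-host correlation step that flags hosts where several categories fire within a window, and a hypothetical allowlist of build service accounts that a Splunk deployment would hold in a lookup instead.

```python
"""Offline re-implementation of the T1587.002 Sysmon EID 1 detection logic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Image-name regex per detection category, applied to the lower-cased Image
# (the SPL patterns without Splunk's double escaping of backslashes).
IMAGE_PATTERNS = {
    "makecert_native_sdk": r"\\makecert\.exe$",
    "pvk2pfx_key_conversion": r"\\pvk2pfx\.exe$",
    "openssl_code_signing_cert": r"\\openssl\.exe$",
    "powershell_cert_cmdlet": r"\\(powershell|pwsh)\.exe$",
    "certutil_store_import": r"\\certutil\.exe$",
    "signtool_executable_signing": r"\\signtool\.exe$",
}
# Command-line regexes that must all match for the category to fire; makecert
# and pvk2pfx have none because the image name alone is the indicator.
CMDLINE_PATTERNS = {
    "openssl_code_signing_cert": (
        r"\sreq\s|\sx509\s|pkcs12|genrsa|genpkey",
        r"codesigning|1\.3\.6\.1\.5\.5\.7\.3\.3|-x509|extendedkeyusage",
    ),
    "powershell_cert_cmdlet": (
        r"new-selfsignedcertificate|export-pfxcertificate|export-certificate"
        r"|x509certificate2|certenroll\.cx509|certificaterequest"
        r"|codesigning|1\.3\.6\.1\.5\.5\.7\.3\.3",
    ),
    "certutil_store_import": (r"-addstore|-importpfx",),
    "signtool_executable_signing": (r"\ssign",),
}
SUSPICIOUS_PARENT = r"\\(cmd|wscript|mshta|cscript|regsvr32|rundll32|msiexec)\.exe$"
TEMP_PATH = r"\\(temp|appdata|downloads|public)\\"

# Assumed tuning allowlist (hypothetical): release-automation service accounts.
ALLOWLISTED_USERS = {"corp\\buildsvc"}


def classify(event):
    """Return the triage fields the SPL emits for one record, or None if nothing fires."""
    image = event["Image"].lower()
    cmdline = event["CommandLine"].lower()
    parent = event["ParentImage"].lower()
    for category, image_re in IMAGE_PATTERNS.items():
        if re.search(image_re, image) and all(
            re.search(p, cmdline) for p in CMDLINE_PATTERNS.get(category, ())
        ):
            return {
                "_time": event["_time"],
                "host": event["host"],
                "User": event["User"],
                "DetectionCategory": category,
                "IsSuspiciousParent": bool(re.search(SUSPICIOUS_PARENT, parent)),
                "IsTempPath": bool(re.search(TEMP_PATH, cmdline)),
            }
    return None  # image patterns are mutually exclusive: at most one category per event


def correlate(events, window=timedelta(hours=1)):
    """Per host, collect distinct categories seen within `window` of its first hit.
    Two or more (e.g. cert creation, then signtool, then certutil -addstore) is the
    multi-stage pattern a single-event score cannot express."""
    hits = [h for h in map(classify, events)
            if h and h["User"].lower() not in ALLOWLISTED_USERS]
    by_host = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["_time"]):
        by_host[h["host"]].append(h)
    ranked = {}
    for host, host_hits in by_host.items():
        first = host_hits[0]["_time"]
        cats = {h["DetectionCategory"] for h in host_hits if h["_time"] - first <= window}
        ranked[host] = {"categories": sorted(cats), "multi_stage": len(cats) > 1,
                        "hits": host_hits}
    return ranked


# Constructed sample telemetry, not real events: a user on WS01 mints a code signing
# cert in PowerShell, signs a binary, then trusts the cert; a build agent runs OpenSSL
# legitimately; a user on WS02 only hashes a download with certutil.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"_time": T0, "host": "WS01", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell.exe -c "New-SelfSignedCertificate -Type CodeSigningCert '
                    r'-Subject "CN=Contoso Software" -CertStoreLocation Cert:\CurrentUser\My '
                    r'| Export-PfxCertificate -FilePath C:\Users\jdoe\AppData\Local\Temp\cs.pfx -Password $p"'},
    {"_time": T0 + timedelta(minutes=3), "host": "WS01", "User": "CORP\\jdoe",
     "Image": r"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"signtool.exe sign /f C:\Users\jdoe\AppData\Local\Temp\cs.pfx /p x /fd SHA256 C:\Users\jdoe\Downloads\update.exe"},
    {"_time": T0 + timedelta(minutes=5), "host": "WS01", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -addstore Root C:\Users\jdoe\AppData\Local\Temp\cs.cer"},
    {"_time": T0, "host": "BUILD01", "User": "CORP\\buildsvc",
     "Image": r"C:\Program Files\OpenSSL-Win64\bin\openssl.exe",
     "ParentImage": r"C:\agent\bin\Agent.Worker.exe",
     "CommandLine": r'openssl.exe req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -addext "extendedKeyUsage=codeSigning"'},
    {"_time": T0, "host": "WS02", "User": "CORP\\asmith",
     "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Users\asmith\Downloads\setup.msi SHA256"},
]

if __name__ == "__main__":
    for host, summary in correlate(SAMPLE_EVENTS).items():
        print(host, "multi_stage" if summary["multi_stage"] else "single", summary["categories"])
```

Running it ranks only WS01, with three distinct categories inside the window and both triage flags set on every hit; BUILD01 is suppressed by the allowlist and the certutil -hashfile event on WS02 never classifies. Swapping in your own exported command lines is a quick way to confirm the regexes match what your Sysmon configuration actually records before deploying the SPL.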

Data Sources

  • Process: Process Creation (Sysmon Event ID 1), the only source the query above consumes
  • Sysmon Event ID 11 (File Create) and Event ID 12/13 (Registry Key/Value Set), corroborating telemetry referenced in the testing methodology below

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Software developers creating self-signed certificates for internal code signing during development and testing pipelines
  • IT administrators managing internal PKI infrastructure and importing certificates to enterprise certificate stores
  • CI/CD build systems (Jenkins, GitHub Actions runners, Azure DevOps agents) that create or use signing certificates as part of release automation
  • Security tools such as Fiddler, Burp Suite, and Charles Proxy that create local CA certificates for TLS interception; most generate the CA in-process and only match this query when they shell out to makecert.exe, openssl.exe, or certutil.exe -addstore to install the root (Fiddler's classic MakeCert engine did exactly that)
  • Certificate authority enrollment agents and autoenrollment services performing legitimate certutil operations
  • Developers running OpenSSL-based toolchains on Windows to produce certificates for cross-platform (for example macOS) targets; binaries executed inside Windows Subsystem for Linux carry no native \openssl.exe image path and will not match this query at all
Tune by maintaining a lookup of build service accounts and developer or CI hosts and suppressing on User and host, and by escalating hits where IsSuspiciousParent or IsTempPath is set: release pipelines rarely launch signing tools from script hosts such as mshta.exe or wscript.exe against files under %TEMP% or Downloads.

Testing Methodology

Validate this detection with the four test cases below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Self-Signed Code Signing Certificate via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'New-SelfSignedCertificate' and the spoofed Subject. PowerShell ScriptBlock Log Event ID 4104 capturing the full cmdlet invocation with parameters. Sysmon Event ID 11: File Create for df00tech-codesign.pfx in %TEMP%. Sysmon Event ID 13: Registry value set in HKCU\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\<thumbprint>.

  2. Test 2: Create Self-Signed Certificate Using OpenSSL with Code Signing EKU

    Expected signal: Sysmon Event ID 1: Two Process Create events — openssl.exe with 'req -x509' and 'extendedKeyUsage=codeSigning' arguments, then openssl.exe with 'pkcs12 -export' arguments. Sysmon Event ID 11: File Creates for df00tech-key.pem, df00tech-cert.pem, df00tech-adobe.pfx in %TEMP%.

  3. Test 3: Sign Executable with Self-Signed Certificate Using signtool.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=signtool.exe, CommandLine containing 'sign' and '/f %TEMP%\df00tech-codesign.pfx'. Sysmon Event ID 11: File Create for df00tech-signed.exe (PE Authenticode signature appended); Event ID 11 logs file create and overwrite operations, so expect it only if the target is rewritten rather than modified in place. Security Event ID 4688 (if process command line auditing is enabled) capturing the full signtool invocation.

  4. Test 4: Import Self-Signed Certificate to Trusted Root Store via certutil

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore' and 'Root'. Sysmon Event ID 13: Registry value set in HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>. Security Event ID 4657 (registry value modification) if object access auditing is enabled for HKLM\SOFTWARE\Microsoft\SystemCertificates.
