Detect Code Signing Certificates in Sumo Logic CSE
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Adversaries leverage self-signed certificates to make malicious payloads appear more trustworthy — security tools and users are more likely to trust a signed binary even when the signing authority is unknown. Threat actors including Daggerfly (macOS malware), PROMETHIUM (StrongPity spyware installers), and Patchwork (BackConfig RAT) have created self-signed certificates impersonating legitimate software vendors to sign malicious payloads. This technique is commonly paired with T1553.002 (Code Signing) to bypass application allowlisting, reduce user suspicion, and evade detection tooling that weights signed binaries as lower risk.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1587 Develop Capabilities
- Sub-technique
- T1587.002 Code Signing Certificates
- Canonical reference
- https://attack.mitre.org/techniques/T1587/002/
Sumo Detection Query
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventCode = 1 or EventID = 4688
| parse regex field=CommandLine "(?P<cmdline>.+)"
| eval Image = toLowerCase(Image)
| eval CommandLine = toLowerCase(CommandLine)
| eval ParentImage = toLowerCase(ParentImage)
// Detection branches
| eval IsMakecert = if(Image matches ".*\\\\makecert\.exe$", 1, 0)
| eval IsPvk2pfx = if(Image matches ".*\\\\pvk2pfx\.exe$", 1, 0)
| eval IsSigntool = if(Image matches ".*\\\\signtool\.exe$" and CommandLine matches ".* sign.*", 1, 0)
| eval IsCertutil = if(
Image matches ".*\\\\certutil\.exe$"
and (CommandLine matches ".*-addstore.*" or CommandLine matches ".*-importpfx.*" or CommandLine matches ".*-add.*"),
1, 0)
| eval IsOpenSSL = if(
Image matches ".*\\\\openssl\.exe$"
and (CommandLine matches ".* req .*" or CommandLine matches ".* x509 .*" or CommandLine matches ".*pkcs12.*" or CommandLine matches ".*genrsa.*" or CommandLine matches ".*genpkey.*")
and (CommandLine matches ".*codesigning.*" or CommandLine matches ".*1\.3\.6\.1\.5\.5\.7\.3\.3.*" or CommandLine matches ".*extendedkeyusage.*" or CommandLine matches ".*-x509.*"),
1, 0)
| eval IsPowerShellCert = if(
(Image matches ".*\\\\powershell\.exe$" or Image matches ".*\\\\pwsh\.exe$")
and (CommandLine matches ".*new-selfsignedcertificate.*" or CommandLine matches ".*export-pfxcertificate.*" or CommandLine matches ".*export-certificate.*" or CommandLine matches ".*x509certificate2.*" or CommandLine matches ".*certenroll.*" or CommandLine matches ".*codesigning.*" or CommandLine matches ".*1\.3\.6\.1\.5\.5\.7\.3\.3.*"),
1, 0)
| eval SuspicionScore = IsMakecert + IsPvk2pfx + IsOpenSSL + IsPowerShellCert + IsCertutil + IsSigntool
| where SuspicionScore > 0
| eval DetectionCategory = if(IsMakecert=1, "makecert_native_sdk",
if(IsPvk2pfx=1, "pvk2pfx_key_conversion",
if(IsOpenSSL=1, "openssl_code_signing_cert",
if(IsPowerShellCert=1, "powershell_cert_cmdlet",
if(IsCertutil=1, "certutil_store_import",
if(IsSigntool=1, "signtool_executable_signing", "multi_indicator"))))))
| eval IsSuspiciousParent = if(
ParentImage matches ".*\\\\(cmd|wscript|mshta|cscript|regsvr32|rundll32|msiexec)\.exe$",
1, 0)
| eval IsTempPath = if(
CommandLine matches ".*\\\\(temp|appdata|downloads|public)\\\\.*",
1, 0)
| table _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, DetectionCategory, IsSuspiciousParent, IsTempPath, SuspicionScore
| sort by _messageTime descSumo Logic detection for T1587.002 using Sysmon Event ID 1 or Windows Security 4688 process creation events. Scores each event across five certificate manipulation branches and enriches with suspicious parent and temp path indicators.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate build systems generating code signing certificates for software products during release cycles
- Enterprise IT administrators managing certificate lifecycle using certutil and makecert
- Developer tools like Visual Studio or Azure DevOps pipelines calling signtool sign as part of automated workflows
Other platforms for T1587.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Self-Signed Code Signing Certificate via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'New-SelfSignedCertificate' and the spoofed Subject. PowerShell ScriptBlock Log Event ID 4104 capturing the full cmdlet invocation with parameters. Sysmon Event ID 11: File Create for df00tech-codesign.pfx in %TEMP%. Sysmon Event ID 13: Registry value set in HKCU\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\<thumbprint>.
- Test 2Create Self-Signed Certificate Using OpenSSL with Code Signing EKU
Expected signal: Sysmon Event ID 1: Two Process Create events — openssl.exe with 'req -x509' and 'extendedKeyUsage=codeSigning' arguments, then openssl.exe with 'pkcs12 -export' arguments. Sysmon Event ID 11: File Creates for df00tech-key.pem, df00tech-cert.pem, df00tech-adobe.pfx in %TEMP%.
- Test 3Sign Executable with Self-Signed Certificate Using signtool.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=signtool.exe, CommandLine containing 'sign' and '/f %TEMP%\df00tech-codesign.pfx'. Sysmon Event ID 11: File modification event for df00tech-signed.exe (PE authenticode signature appended). Security Event ID 4688 (if process command line auditing enabled) capturing full signtool invocation.
- Test 4Import Self-Signed Certificate to Trusted Root Store via certutil
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore' and 'Root'. Sysmon Event ID 13: Registry value set in HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>. Security Event ID 4657 (registry value modification) if object access auditing is enabled for HKLM\SOFTWARE\Microsoft\SystemCertificates.
References (12)
- https://attack.mitre.org/techniques/T1587/002/
- https://en.wikipedia.org/wiki/Code_signing
- https://www.bitdefender.com/blog/labs/strongpity-apt-new-version-of-the-spyware-phone-targeted-victims-in-turkey-and-syria/
- https://unit42.paloaltonetworks.com/patchwork-apt-southeast-asia/
- https://www.welivesecurity.com/en/eset-research/evasive-panda-apt-group-monitoring-tibetans/
- https://learn.microsoft.com/en-us/windows/win32/seccrypto/makecert
- https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
- https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1587.002/T1587.002.md
Unlock Pro Content
Get the full detection package for T1587.002 including response playbook, investigation guide, and atomic red team tests.