T1588.003

Code Signing Certificates

Adversaries may buy and/or steal code signing certificates to sign malicious payloads, enabling their software to appear legitimate and bypass security controls that trust signed code. Code signing provides authenticity guarantees that cause users and security tools to trust signed executables more readily than unsigned binaries. Adversaries purchase certificates using front organizations or stolen identity information, or directly steal signing materials from compromised third parties. Real-world threat actors including Wizard Spider (DigiCert, GlobalSign certs), OilRig, BlackTech, MegaCortex (fake company certificates), and Kimsuky have all leveraged stolen or fraudulently-obtained code signing certificates. Detection pivots to observable artifacts when signed malicious code executes in the environment: certificate anomalies (revoked, expired, recently-issued, or from unusual certificate authorities), discrepancies between file metadata and certificate subjects, Windows Code Integrity enforcement events, and low-prevalence signed executables executing from user-writable paths.

Microsoft Sentinel / Defender

kusto

// Detect execution of signed binaries with suspicious certificate characteristics
// Requires Microsoft Defender for Endpoint with DeviceFileCertificateInfo telemetry
let KnownTrustedPublishers = dynamic([
    "Microsoft Corporation", "Microsoft Windows", "Google LLC", "Adobe Inc.",
    "Oracle America", "Mozilla Corporation", "Cisco Systems", "VMware, Inc.",
    "Intel Corporation", "NVIDIA Corporation", "Apple Inc.", "Amazon.com"
]);
let SuspiciousFolders = dynamic([
    "\\AppData\\", "\\Temp\\", "\\Downloads\\", "\\Users\\Public\\",
    "\\ProgramData\\", "\\Roaming\\", "\\Local\\Temp\\"
]);
// Identify signed files with certificate trust issues
let SuspiciousCerts = DeviceFileCertificateInfo
| where Timestamp > ago(24h)
| where IsSigned == true
| where IsTrusted == false
      or (CertificateExpirationTime < now() and CertificateExpirationTime > datetime(2000-01-01))
| project SHA1, Issuer, Subject, CertificateExpirationTime,
         IsTrusted, SignatureType, CertificateSerialNumber, CrlDistributionPointUrl;
// Join with process executions from user-writable suspicious paths
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName endswith ".exe" or FileName endswith ".dll"
| where FolderPath has_any (SuspiciousFolders)
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "SenseCnfgr.exe", "SenseIR.exe")
| join kind=inner SuspiciousCerts on SHA1
| extend CertExpired = CertificateExpirationTime < now()
| extend CertUntrusted = IsTrusted == false
| extend KnownPublisher = Subject has_any (KnownTrustedPublishers)
| extend RiskIndicators = toint(CertExpired) + toint(CertUntrusted) + toint(not(KnownPublisher))
| where RiskIndicators >= 1
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
         ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
         Issuer, Subject, CertificateExpirationTime, CertExpired, CertUntrusted,
         SignatureType, CertificateSerialNumber, RiskIndicators
| sort by RiskIndicators desc, Timestamp desc

high severity medium confidence

Data Sources

File: File Metadata Process: Process Creation Microsoft Defender for Endpoint — DeviceFileCertificateInfo

Required Tables

DeviceFileCertificateInfo DeviceProcessEvents

False Positives

Legitimate enterprise applications signed with internal PKI certificates not in the global trusted root CA store — these will appear as IsTrusted=false
Software vendors whose code signing certificates have recently expired but the binaries remain deployed across the enterprise
Open-source software distributed with certificates from lesser-known certificate authorities that are not pre-trusted by Windows
Security testing and penetration testing tools legitimately signed by small vendors or individual researchers
Development and staging environments where test-signed or debug-built binaries execute frequently from non-standard paths
Software after CA revocation events (e.g., DigiCert mass revocations) where legitimate vendor certificates become temporarily invalid before re-signing and redeployment

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
| where Signed="true"
| where SignatureStatus!="Valid"
| eval CertAnomalyType=case(
    SignatureStatus="Revoked", "Revoked Certificate — HIGH PRIORITY",
    SignatureStatus="Expired", "Expired Certificate",
    SignatureStatus="Invalid", "Invalid Signature",
    SignatureStatus="NotFound", "Signature Not Found",
    true(), "Unknown Certificate Issue"
  )
| eval SuspiciousPath=if(
    match(ImageLoaded, "(?i)(\\\\AppData\\\\|\\\\Temp\\\\|\\\\Downloads\\\\|\\\\Users\\\\Public\\\\|\\\\ProgramData\\\\)"),
    1, 0
  )
| eval NotSystemPath=if(
    NOT match(ImageLoaded, "(?i)(\\\\Windows\\\\System32|\\\\Windows\\\\SysWOW64|\\\\Program Files|\\\\Program Files \\(x86\\))"),
    1, 0
  )
| eval KnownPublisher=if(
    match(Signature, "(?i)(Microsoft|Google|Adobe|Oracle|Intel|NVIDIA|Cisco|VMware|Apple|Amazon)"),
    1, 0
  )
| eval RiskScore=SuspiciousPath + NotSystemPath + if(SignatureStatus="Revoked", 3, 0) + if(KnownPublisher=0, 1, 0)
| where RiskScore >= 1
| table _time, host, User, Image, ImageLoaded, Signature, SignatureStatus,
        CertAnomalyType, SuspiciousPath, NotSystemPath, KnownPublisher, RiskScore
| sort - RiskScore, - _time

high severity medium confidence

Data Sources

Module: Module Load Sysmon Event ID 7 (Image Loaded)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Enterprise applications signed with internal PKI certificates not globally trusted — Signature field will show internal CA names
Third-party software with expired code signing certificates still deployed and functional in the environment
Antivirus and endpoint security products loading drivers with unusual signing chains during startup
Development machines where test-signed or debug-built binaries load frequently
Software immediately after a CA revocation event where legitimate vendor binaries become temporarily flagged before re-signing and redeployment

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  devicehostname AS Hostname,
  username AS UserName,
  "Image" AS ProcessPath,
  "ImageLoaded" AS LoadedModulePath,
  "Signature" AS CertificateSubject,
  "SignatureStatus" AS CertStatus,
  CASE
    WHEN "SignatureStatus" = 'Revoked' THEN 3
    WHEN "SignatureStatus" IN ('Expired', 'Invalid') THEN 2
    ELSE 1
  END +
  CASE
    WHEN "Signature" NOT ILIKE '%Microsoft%'
     AND "Signature" NOT ILIKE '%Google%'
     AND "Signature" NOT ILIKE '%Adobe%'
     AND "Signature" NOT ILIKE '%Intel%'
     AND "Signature" NOT ILIKE '%NVIDIA%'
     AND "Signature" NOT ILIKE '%Oracle%'
     AND "Signature" NOT ILIKE '%Cisco%'
     AND "Signature" NOT ILIKE '%VMware%'
    THEN 1
    ELSE 0
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND eventid = 7
  AND "Signed" = 'true'
  AND "SignatureStatus" NOT IN ('Valid')
  AND (
    "ImageLoaded" ILIKE '%\\AppData\\%'
    OR "ImageLoaded" ILIKE '%\\Temp\\%'
    OR "ImageLoaded" ILIKE '%\\Downloads\\%'
    OR "ImageLoaded" ILIKE '%\\Users\\Public\\%'
    OR "ImageLoaded" ILIKE '%\\ProgramData\\%'
  )
  AND starttime > NOW() - 86400000
ORDER BY RiskScore DESC, starttime DESC

high severity medium confidence

Data Sources

IBM QRadar with WinCollect agent collecting Sysmon Operational log Microsoft Windows Sysmon Universal DSM for QRadar (custom properties required) QRadar custom event properties: Image, ImageLoaded, Signature, SignatureStatus, Signed

Required Tables

events (QRadar normalized event pipeline)

False Positives

Developer workstations loading self-compiled or test-signed DLLs from project directories under AppData or user-profile temp folders during active software development — particularly common in CI/CD agent environments
Corporate endpoint security products (CrowdStrike, Carbon Black, SentinelOne) that load signed sensor modules or response tooling from unconventional paths during version updates or live response operations
Portable software distributed as single executables (7-Zip portable, SysInternals tools) run directly from user Downloads folders, particularly from smaller ISVs whose root CA QRadar DSM does not explicitly enumerate as known-good

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* EventCode=7
| where Signed = "true"
| where SignatureStatus != "Valid"
| eval CertAnomalyType = if(SignatureStatus = "Revoked",
    "Revoked Certificate - HIGH PRIORITY",
    if(SignatureStatus = "Expired", "Expired Certificate",
    if(SignatureStatus = "Invalid", "Invalid Signature",
    "Unknown Certificate Issue")))
| eval SuspiciousPath = if(
    ImageLoaded matches "(?i).*\\\\AppData\\\\.*"
    or ImageLoaded matches "(?i).*\\\\Temp\\\\.*"
    or ImageLoaded matches "(?i).*\\\\Downloads\\\\.*"
    or ImageLoaded matches "(?i).*\\\\Users\\\\Public\\\\.*"
    or ImageLoaded matches "(?i).*\\\\ProgramData\\\\.*"
    , 1, 0)
| eval KnownPublisher = if(
    Signature matches "(?i).*(Microsoft|Google|Adobe|Oracle|Intel|NVIDIA|Cisco|VMware|Apple|Amazon).*"
    , 1, 0)
| eval RiskScore = SuspiciousPath
    + if(SignatureStatus = "Revoked", 3, 0)
    + if(KnownPublisher = 0, 1, 0)
| where RiskScore >= 1
| fields _messageTime, host, User, Image, ImageLoaded, Signature, SignatureStatus, CertAnomalyType, SuspiciousPath, KnownPublisher, RiskScore
| sort by RiskScore, _messageTime

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source (Microsoft-Windows-Sysmon/Operational) Sumo Logic Cloud SIEM Enterprise (CSE) with Windows normalized event schema

Required Tables

Sysmon Operational Event Log (EventCode=7, _sourceCategory=*windows*sysmon*)

False Positives

Legitimate user-installed consumer applications (Slack, Discord, Steam, Epic Games Launcher) executing signed DLLs from AppData subdirectories where minor certificate chain issues — such as a missing intermediate CA — cause Sysmon to report SignatureStatus as Invalid rather than Valid
IT software deployment tools (SCCM client, Intune Management Extension) temporarily staging signed MSI packages or DLLs under ProgramData during MDM-managed installation workflows before the installer relocates binaries to their final destination
In-house enterprise applications signed with certificates from an internal PKI whose root CA is not enrolled in the OS or Sysmon trust evaluation path — common in organizations with complex multi-tier PKI hierarchies or air-gapped internal CAs

Google Chronicle / SecOps

yaral

rule t1588_003_suspicious_cert_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects signed executables with anomalous certificate status (revoked, expired, invalid, untrusted root) executing from user-writable paths — T1588.003"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1588.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1588/003/"
    created = "2024-01-01"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex(
      $e.target.process.file.full_path,
      `(?i)(\\AppData\\|\\Temp\\|\\Downloads\\|\\Users\\Public\\|\\ProgramData\\)`
    )
    (
      $e.target.file.authenticode.trusted_by_os = false
      or $e.target.file.authenticode.result = "SIGNATURE_EXPIRED"
      or $e.target.file.authenticode.result = "SIGNATURE_REVOKED"
      or $e.target.file.authenticode.result = "SIGNATURE_UNTRUSTED_ROOT"
      or $e.target.file.authenticode.result = "SIGNATURE_INVALID"
    )
    not re.regex(
      $e.target.file.authenticode.signer,
      `(?i)(Microsoft Corporation|Microsoft Windows|Google LLC|Adobe Inc|Oracle America|Intel Corporation|NVIDIA|Cisco Systems|VMware|Apple Inc|Amazon\.com)`
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle with Windows Sysmon forwarding via Chronicle Forwarder or BindPlane Chronicle Unified Data Model PROCESS_LAUNCH events with Authenticode enrichment enabled Chronicle Windows Event Log parser (UDM target.file.authenticode.* fields)

Required Tables

UDM events stream (metadata.event_type = PROCESS_LAUNCH)

False Positives

Enterprise applications deployed via user-profile-based software delivery mechanisms where the signing certificate chain includes an intermediate CA that Chronicle's UDM Authenticode enrichment cannot fully resolve to a known trusted root, causing trusted_by_os to be populated as false
Legitimate portable executables downloaded and run directly from the Downloads folder — particularly open-source tooling and utilities from smaller ISVs — where the signer name does not match any entry in the known-publisher exclusion regex
SOC analysts or IR responders executing signed forensic tools (Sysinternals, Velociraptor, KAPE) directly from their own Downloads or Desktop folders during incident investigation activities on monitored endpoints

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\AppData\\|\\Temp\\|\\Downloads\\|\\Users\\Public\\|\\ProgramData\\)/
| ImageFileName != /(?i)(\\Windows\\System32|\\Windows\\SysWOW64|\\Program Files|\\Program Files \(x86\))/
| UserName != /^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$/
| case {
    SignInfoFlags = "4"  | CertStatus := "REVOKED" ;
    SignInfoFlags = "8"  | CertStatus := "EXPIRED" ;
    SignInfoFlags = "2"  | CertStatus := "UNTRUSTED" ;
    SignInfoFlags = "16" | CertStatus := "INVALID" ;
    *                    | CertStatus := "UNKNOWN"
  }
| CertStatus = /^(REVOKED|EXPIRED|UNTRUSTED|INVALID)$/
| SignerName != /(?i)(Microsoft|Google LLC|Adobe|Oracle|Intel|NVIDIA|Cisco|VMware|Apple|Amazon)/
| groupBy(
    [ComputerName, UserName, ImageFileName, SHA256HashData, SignerName, CertStatus],
    function=[
      count(as=ExecutionCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| sort(ExecutionCount, order=asc)
| head(500)

high severity low confidence

Data Sources

CrowdStrike Falcon Endpoint Protection — ProcessRollup2 sensor telemetry (sensor 7.x+) CrowdStrike Falcon NG-SIEM (LogScale/Humio) event pipeline

Required Tables

Falcon telemetry stream (#event_simpleName=ProcessRollup2)

False Positives

Legitimate portable applications distributed as self-contained executables and run directly from user Downloads folders — particularly common for open-source utilities, SysInternals tools, and developer tooling — where SignInfoFlags may reflect a non-standard trust chain rather than actual malicious certificate abuse
Corporate MDM or endpoint management systems (Intune, SCCM, Tanium) that provision signed software packages to ProgramData or AppData staging areas prior to installation completion, causing transient detections before binaries are relocated to standard Program Files paths
Authorized red team or penetration testing tooling signed with legitimately-obtained or expired test certificates executed from temporary staging directories on endpoints during documented security assessments — coordinate with red team to suppress known tool hashes during engagements

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1588.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1588Obtain Capabilities

Related Sub-techniques

T1588.001Malware T1588.002Tool T1588.004Digital Certificates T1588.005Exploits T1588.006Vulnerabilities T1588.007Artificial Intelligence

Code Signing Certificates

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections