T1588.003 IBM QRadar · QRadar

Detect Code Signing Certificates in IBM QRadar

Adversaries may buy and/or steal code signing certificates to sign malicious payloads, enabling their software to appear legitimate and bypass security controls that trust signed code. Code signing provides authenticity guarantees that cause users and security tools to trust signed executables more readily than unsigned binaries. Adversaries purchase certificates using front organizations or stolen identity information, or directly steal signing materials from compromised third parties. Real-world threat actors including Wizard Spider (DigiCert, GlobalSign certs), OilRig, BlackTech, MegaCortex (fake company certificates), and Kimsuky have all leveraged stolen or fraudulently-obtained code signing certificates. Detection pivots to observable artifacts when signed malicious code executes in the environment: certificate anomalies (revoked, expired, recently-issued, or from unusual certificate authorities), discrepancies between file metadata and certificate subjects, Windows Code Integrity enforcement events, and low-prevalence signed executables executing from user-writable paths.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1588 Obtain Capabilities
Sub-technique
T1588.003 Code Signing Certificates
Canonical reference
https://attack.mitre.org/techniques/T1588/003/

QRadar Detection Query

IBM QRadar (QRadar)
```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  devicehostname AS Hostname,
  username AS UserName,
  "Image" AS ProcessPath,
  "ImageLoaded" AS LoadedModulePath,
  "Signature" AS CertificateSubject,
  "SignatureStatus" AS CertStatus,
  CASE
    WHEN "SignatureStatus" = 'Revoked' THEN 3
    WHEN "SignatureStatus" IN ('Expired', 'Invalid') THEN 2
    ELSE 1
  END +
  CASE
    WHEN "Signature" NOT ILIKE '%Microsoft%'
     AND "Signature" NOT ILIKE '%Google%'
     AND "Signature" NOT ILIKE '%Adobe%'
     AND "Signature" NOT ILIKE '%Intel%'
     AND "Signature" NOT ILIKE '%NVIDIA%'
     AND "Signature" NOT ILIKE '%Oracle%'
     AND "Signature" NOT ILIKE '%Cisco%'
     AND "Signature" NOT ILIKE '%VMware%'
    THEN 1
    ELSE 0
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND eventid = 7
  AND "Signed" = 'true'
  AND "SignatureStatus" NOT IN ('Valid')
  AND (
    "ImageLoaded" ILIKE '%\\AppData\\%'
    OR "ImageLoaded" ILIKE '%\\Temp\\%'
    OR "ImageLoaded" ILIKE '%\\Downloads\\%'
    OR "ImageLoaded" ILIKE '%\\Users\\Public\\%'
    OR "ImageLoaded" ILIKE '%\\ProgramData\\%'
  )
  AND starttime > NOW() - 86400000
ORDER BY RiskScore DESC, starttime DESC
```

Severity: high · Confidence: medium

This QRadar AQL query hunts for Sysmon Event ID 7 (Image Load) records in which a signed DLL or executable with an anomalous certificate status (revoked, expired, or invalid) is loaded from a user-writable directory. It relies on QRadar custom event properties (Image, ImageLoaded, Signature, SignatureStatus, Signed) extracted from the Sysmon XML payload via the DSM editor; the Sysmon Universal DSM does not expose these fields on its own. Risk scoring weights revoked certificates at +3, expired/invalid at +2, and any other non-valid status at +1, then adds +1 when the signer is not one of the enumerated well-known publishers. Note that DATEFORMAT uses Java date patterns, so the year must be written as lowercase yyyy (uppercase YYYY is the week-based year and is wrong around the new year).
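To check the path filter and scoring before building the custom properties in the DSM editor, the following Python prototype (an added example, not code from the page or from IBM) applies the same WHERE and CASE logic to constructed Sysmon Event ID 7 XML records. The EventData field names (Image, ImageLoaded, Signed, Signature, SignatureStatus) are the real Sysmon names that the query's custom properties map to; the sample paths, signer names and statuses are invented, and the 24-hour starttime window is omitted.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Standard Windows event XML namespace used by Sysmon records.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Publisher substrings the AQL query treats as known-good (its NOT ILIKE list).
KNOWN_PUBLISHERS = ("microsoft", "google", "adobe", "intel", "nvidia",
                    "oracle", "cisco", "vmware")
# User-writable path fragments from the query's ImageLoaded ILIKE clauses.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "\\users\\public\\", "\\programdata\\")
# First CASE expression: Revoked +3, Expired/Invalid +2, anything else +1.
STATUS_WEIGHT = {"Revoked": 3, "Expired": 2, "Invalid": 2}


def make_event(event_id, image, loaded, signed, signature, status):
    """Build a minimal Sysmon event XML record (constructed sample data)."""
    fields = {"Image": image, "ImageLoaded": loaded, "Signed": signed,
              "Signature": signature, "SignatureStatus": status}
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def matches(event_id, data):
    """The query's WHERE clause: Sysmon image load, signed, status not Valid,
    module loaded from a user-writable path (24h starttime window omitted)."""
    if event_id != 7 or data.get("Signed", "").lower() != "true":
        return False
    if data.get("SignatureStatus") == "Valid":
        return False
    loaded = data.get("ImageLoaded", "").lower()
    return any(fragment in loaded for fragment in USER_WRITABLE)


def risk_score(data):
    """The query's RiskScore: status weight plus +1 for an unlisted publisher."""
    score = STATUS_WEIGHT.get(data.get("SignatureStatus", ""), 1)
    signer = data.get("Signature", "").lower()
    if not any(name in signer for name in KNOWN_PUBLISHERS):
        score += 1
    return score


def hunt(records):
    """Apply the filter and scoring to raw XML records; highest risk first."""
    hits = []
    for xml_text in records:
        event_id, data = parse_event(xml_text)
        if matches(event_id, data):
            hits.append((risk_score(data), data["Image"], data["ImageLoaded"],
                         data["SignatureStatus"]))
    hits.sort(key=lambda hit: hit[0], reverse=True)   # ORDER BY RiskScore DESC
    return hits


# Constructed sample records; paths, signer names and statuses are invented.
SAMPLE_EVENTS = [
    make_event(7, r"C:\Windows\System32\rundll32.exe",
               r"C:\Users\alice\AppData\Local\Temp\loader.dll",
               "true", "Contoso Ltd", "Revoked"),                 # 3 + 1 = 4
    make_event(7, r"C:\Users\bob\Downloads\setup.exe",
               r"C:\Users\bob\Downloads\helper.dll",
               "true", "Microsoft Windows", "Expired"),           # 2 + 0 = 2
    make_event(7, r"C:\ProgramData\Vendor\agent.exe",
               r"C:\ProgramData\Vendor\plugin.dll",
               "true", "Example Tools Inc", "Unavailable"),       # 1 + 1 = 2
    make_event(7, r"C:\Users\carol\Downloads\tool.exe",
               r"C:\Users\carol\Downloads\tool.exe",
               "true", "Example Tools Inc", "Valid"),             # valid: excluded
    make_event(7, r"C:\Program Files\App\app.exe",
               r"C:\Program Files\App\old.dll",
               "true", "Contoso Ltd", "Revoked"),                 # system path: excluded
    make_event(7, r"C:\Users\dave\Downloads\x.exe",
               r"C:\Users\dave\Downloads\x.dll",
               "false", "", "Unavailable"),                       # unsigned: excluded
    make_event(1, r"C:\Windows\System32\cmd.exe",
               r"C:\Users\eve\AppData\Roaming\evil.dll",
               "true", "Contoso Ltd", "Revoked"),                 # not Event ID 7: excluded
]

if __name__ == "__main__":
    for score, image, loaded, status in hunt(SAMPLE_EVENTS):
        print(f"risk={score} status={status:<11} {image} -> {loaded}")
```

Running the block prints the three matching loads ranked 4, 2, 2. The prototype makes two tuning points visible: a valid signature from an unlisted publisher never surfaces (the WHERE clause drops it before scoring), and a revoked certificate loaded from Program Files is also dropped, so the path list, not the certificate status, decides coverage.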

Data Sources

  • IBM QRadar with WinCollect agent collecting the Sysmon Operational log
  • Microsoft Windows Sysmon Universal DSM for QRadar (custom properties required)
  • QRadar custom event properties: Image, ImageLoaded, Signature, SignatureStatus, Signed

Required Tables

events (QRadar normalized event pipeline)

False Positives & Tuning

  • Developer workstations loading self-compiled or test-signed DLLs from project directories under AppData or user-profile temp folders during active software development — particularly common in CI/CD agent environments
  • Corporate endpoint security products (CrowdStrike, Carbon Black, SentinelOne) that load signed sensor modules or response tooling from unconventional paths during version updates or live response operations
  • Portable software distributed as single executables (7-Zip portable, SysInternals tools) run directly from user Downloads folders, particularly from smaller ISVs whose signer names the query's known-good publisher list does not cover

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Self-Signed Code Signing Certificate and Sign Test Binary

    Expected signal: Sysmon Event ID 11 (File Create): argus_signed_test.exe created in %TEMP%. Sysmon Event ID 1 (Process Create): powershell.exe spawning csc.exe (C# compiler) to build the test binary. Sysmon Event ID 13 (Registry Value Set): certificate written to HKCU\SOFTWARE\Microsoft\SystemCertificates\My\. DeviceFileEvents in MDE: file creation event for the test executable in user temp path.

  2. Test 2: Inspect Authenticode Certificate Chain on Suspicious Executable

    Expected signal: Sysmon Event ID 11 (File Create): argus_lolbin_test.exe in %TEMP%. Sysmon Event ID 1 (Process Create): certutil.exe with -verify -urlfetch flags and temp path argument. Sysmon Event ID 3 (Network Connection): certutil.exe making outbound HTTPS connections to Microsoft CRL distribution points (crl.microsoft.com, ocsp.msocsp.com) for revocation checking. DeviceProcessEvents: certutil.exe spawned from PowerShell/cmd.exe.

  3. Test 3: Enumerate Code Signing Certificates Including Private Key Holders

    Expected signal: Sysmon Event ID 1 (Process Create): PowerShell accessing multiple certificate stores. Sysmon Event ID 11 (File Create): codesign_enum.csv created in %TEMP%. DeviceRegistryEvents: reads to HKLM\SOFTWARE\Microsoft\SystemCertificates\{My,Root,CA,TrustedPublisher}. DeviceFileEvents in MDE: CSV output file creation in user temp directory.

  4. Test 4: Validate Executable Signatures Using Sigcheck Sysinternals Tool

    Expected signal: Sysmon Event ID 1 (Process Create): sigcheck.exe launching from %TEMP% with -a -h flags. Sysmon Event ID 3 (Network Connection): sigcheck.exe may attempt outbound connection to VirusTotal API if -vt flag is included. DeviceProcessEvents: sigcheck.exe spawned by PowerShell with the target path argument covering %TEMP% executables.

  5. Test 5: Query Windows Code Integrity Logs for Historical Certificate Enforcement Events

    Expected signal: Sysmon Event ID 1 (Process Create): PowerShell executing Get-WinEvent against the Code Integrity operational log. DeviceProcessEvents: PowerShell with Get-WinEvent in command line. If any Code Integrity events were previously logged on this system (e.g., from WDAC policy enforcement), they will be returned. In environments without WDAC policy configured, Event IDs 3033/3034 may not appear, but 3036 (certificate details) often does.
