Detect Code Signing Certificates in Microsoft Sentinel
Adversaries may buy and/or steal code signing certificates to sign malicious payloads, enabling their software to appear legitimate and bypass security controls that trust signed code. Code signing provides authenticity guarantees that cause users and security tools to trust signed executables more readily than unsigned binaries. Adversaries purchase certificates using front organizations or stolen identity information, or directly steal signing materials from compromised third parties. Real-world threat actors including Wizard Spider (DigiCert, GlobalSign certs), OilRig, BlackTech, MegaCortex (fake company certificates), and Kimsuky have all leveraged stolen or fraudulently-obtained code signing certificates. Detection pivots to observable artifacts when signed malicious code executes in the environment: certificate anomalies (revoked, expired, recently-issued, or from unusual certificate authorities), discrepancies between file metadata and certificate subjects, Windows Code Integrity enforcement events, and low-prevalence signed executables executing from user-writable paths.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1588 Obtain Capabilities
- Sub-technique: T1588.003 Code Signing Certificates
- Canonical reference: https://attack.mitre.org/techniques/T1588/003/
KQL Detection Query
// Detect execution of signed binaries with suspicious certificate characteristics
// Requires Microsoft Defender for Endpoint with DeviceFileCertificateInfo telemetry
let KnownTrustedPublishers = dynamic([
"Microsoft Corporation", "Microsoft Windows", "Google LLC", "Adobe Inc.",
"Oracle America", "Mozilla Corporation", "Cisco Systems", "VMware, Inc.",
"Intel Corporation", "NVIDIA Corporation", "Apple Inc.", "Amazon.com"
]);
let SuspiciousFolders = dynamic([
"\\AppData\\", "\\Temp\\", "\\Downloads\\", "\\Users\\Public\\",
"\\ProgramData\\", "\\Roaming\\", "\\Local\\Temp\\"
]);
// Identify signed files with certificate trust issues.
// DeviceFileCertificateInfo exposes the certificate subject as Signer and the CRL
// endpoints as CrlDistributionPointUrls; the year-2000 floor skips rows whose expiry
// is unset or epoch-valued rather than genuinely expired.
let SuspiciousCerts = DeviceFileCertificateInfo
| where Timestamp > ago(24h)
| where IsSigned == true
| where IsTrusted == false
    or (CertificateExpirationTime < now() and CertificateExpirationTime > datetime(2000-01-01))
// Keep one certificate record per file hash so the join does not multiply process rows
| summarize arg_max(Timestamp, *) by SHA1
| project SHA1, Issuer, Signer, CertificateExpirationTime,
    IsTrusted, SignatureType, CertificateSerialNumber, CrlDistributionPointUrls;
// Join with process executions from user-writable suspicious paths
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName endswith ".exe" or FileName endswith ".dll"
| where FolderPath has_any (SuspiciousFolders)
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "SenseCnfgr.exe", "SenseIR.exe")
| join kind=inner SuspiciousCerts on SHA1
// isnotnull() keeps untrusted rows with a missing expiry from scoring as null and being dropped
| extend CertExpired = isnotnull(CertificateExpirationTime)
    and CertificateExpirationTime > datetime(2000-01-01)
    and CertificateExpirationTime < now()
| extend CertUntrusted = IsTrusted == false
| extend KnownPublisher = Signer has_any (KnownTrustedPublishers)
| extend RiskIndicators = toint(CertExpired) + toint(CertUntrusted) + toint(not(KnownPublisher))
| where RiskIndicators >= 1
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
    ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
    Issuer, Signer, CertificateExpirationTime, CertExpired, CertUntrusted,
    SignatureType, CertificateSerialNumber, RiskIndicators
| sort by RiskIndicators desc, Timestamp desc

Detects execution of signed binaries with suspicious certificate characteristics using the DeviceFileCertificateInfo table (Microsoft Defender for Endpoint). It identifies untrusted certificates, expired certificates still in use, and revoked certificates (which surface as IsTrusted == false; the query performs no CRL or OCSP lookup of its own). It joins with DeviceProcessEvents to focus on execution from user-writable paths where adversaries stage signed malware. The RiskIndicators score aggregates the certificate anomaly signals (expired, untrusted, signer not on the known-publisher list) to aid analyst prioritization.
Data Sources
Required Tables: DeviceFileCertificateInfo and DeviceProcessEvents (Microsoft Defender for Endpoint advanced hunting tables).
False Positives & Tuning
- Legitimate enterprise applications signed with internal PKI certificates not in the global trusted root CA store — these will appear as IsTrusted=false
- Software vendors whose code signing certificates have recently expired but the binaries remain deployed across the enterprise
- Open-source software distributed with certificates from lesser-known certificate authorities that are not pre-trusted by Windows
- Security testing and penetration testing tools legitimately signed by small vendors or individual researchers
- Development and staging environments where test-signed or debug-built binaries execute frequently from non-standard paths
- Software caught in CA revocation events (e.g., DigiCert mass revocations), where legitimate vendor certificates become temporarily invalid until the vendor re-signs and redeploys
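The query's scoring logic, reproduced over constructed telemetry as an added Python example (not part of the original page or of any Sentinel content pack): it applies the same file-type, folder, parent-process and certificate filters, derives RiskIndicators, and adds an `internal_issuers` allowlist for the internal-PKI false positive listed first above. All rows, hashes and company names are constructed, and substring matching stands in for KQL `has_any`.

```python
from datetime import datetime, timezone

# Allowlists mirrored from the KQL query above (shortened for the example).
KNOWN_PUBLISHERS = ("Microsoft Corporation", "Microsoft Windows", "Google LLC", "Adobe Inc.")
SUSPICIOUS_FOLDERS = ("\\AppData\\", "\\Temp\\", "\\Downloads\\", "\\Users\\Public\\", "\\ProgramData\\")
EXCLUDED_PARENTS = {"msmpeng.exe", "sensecnfgr.exe", "senseir.exe"}
EPOCH_FLOOR = datetime(2000, 1, 1, tzinfo=timezone.utc)  # ignores unset/epoch expiry values

def score_hits(process_events, cert_info, now, internal_issuers=()):
    """Join executions to certificate rows on SHA1 and score them like the query's RiskIndicators.
    internal_issuers is a tuning knob for the enterprise-PKI false positive (assumed, not in the query)."""
    certs = {c["SHA1"]: c for c in cert_info if c["IsSigned"]}  # one certificate row per hash
    hits = []
    for p in process_events:
        if (not p["FileName"].lower().endswith((".exe", ".dll"))
                or not any(f.lower() in p["FolderPath"].lower() for f in SUSPICIOUS_FOLDERS)
                or p["InitiatingProcessFileName"].lower() in EXCLUDED_PARENTS):
            continue  # same scoping as the DeviceProcessEvents filters
        c = certs.get(p["SHA1"])
        if c is None:
            continue  # inner join: unsigned or never-seen hashes drop out
        expiry = datetime.fromisoformat(c["CertificateExpirationTime"].replace("Z", "+00:00"))
        expired = EPOCH_FLOOR < expiry < now
        untrusted = not c["IsTrusted"] and c["Issuer"] not in internal_issuers
        if not (expired or untrusted):
            continue  # SuspiciousCerts pre-filter; it also makes RiskIndicators >= 1 automatic
        known = any(k.lower() in c["Signer"].lower() for k in KNOWN_PUBLISHERS)
        hits.append({"FileName": p["FileName"], "Signer": c["Signer"], "CertExpired": expired,
                     "CertUntrusted": untrusted, "Timestamp": p["Timestamp"],
                     "RiskIndicators": int(expired) + int(untrusted) + int(not known)})
    hits.sort(key=lambda h: (h["RiskIndicators"], h["Timestamp"]), reverse=True)
    return hits

def _cert(sha1, trusted, signer, issuer, expires):  # one constructed DeviceFileCertificateInfo row
    return {"SHA1": sha1, "IsSigned": True, "IsTrusted": trusted, "Signer": signer, "Issuer": issuer, "CertificateExpirationTime": expires}

def _proc(name, path, sha1, parent, ts):  # one constructed DeviceProcessEvents row
    return {"FileName": name, "FolderPath": path, "SHA1": sha1, "InitiatingProcessFileName": parent, "Timestamp": ts}

def sample_run(internal_issuers=()):
    """Constructed telemetry (not real data): three signed hashes, four executions."""
    certs = [_cert("h1", True, "Microsoft Windows", "Microsoft Windows Production PCA 2011", "2026-10-01T00:00:00Z"),
             _cert("h2", True, "Fabrikam Ltd", "Fabrikam Code Signing CA", "2021-05-01T00:00:00Z"),
             _cert("h3", False, "Contoso Internal Tools", "Contoso Enterprise CA", "2027-01-01T00:00:00Z")]
    procs = [_proc("updater.exe", r"C:\Users\alice\AppData\Local\Temp\updater.exe", "h1", "explorer.exe", "2025-01-10T09:00:00Z"),
             _proc("tool.exe", r"C:\Users\bob\Downloads\tool.exe", "h2", "explorer.exe", "2025-01-10T10:00:00Z"),
             _proc("helper.dll", r"C:\ProgramData\Contoso\helper.dll", "h3", "svchost.exe", "2025-01-10T11:00:00Z"),
             _proc("scan.exe", r"C:\Users\Public\scan.exe", "h3", "MsMpEng.exe", "2025-01-10T12:00:00Z")]
    return score_hits(procs, certs, datetime(2025, 1, 10, 12, tzinfo=timezone.utc), internal_issuers)
```

Running `sample_run()` returns two hits (the internal-PKI DLL and the expired-cert download); passing `internal_issuers=("Contoso Enterprise CA",)` leaves only the expired-cert hit.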
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Self-Signed Code Signing Certificate and Sign Test Binary
Expected signal: Sysmon Event ID 11 (File Create): argus_signed_test.exe created in %TEMP%. Sysmon Event ID 1 (Process Create): powershell.exe spawning csc.exe (C# compiler) to build the test binary. Sysmon Event ID 13 (Registry Value Set): certificate written to HKCU\SOFTWARE\Microsoft\SystemCertificates\My\. DeviceFileEvents in MDE: file creation event for the test executable in user temp path.
- Test 2: Inspect Authenticode Certificate Chain on Suspicious Executable
Expected signal: Sysmon Event ID 11 (File Create): argus_lolbin_test.exe in %TEMP%. Sysmon Event ID 1 (Process Create): certutil.exe with -verify -urlfetch flags and temp path argument. Sysmon Event ID 3 (Network Connection): certutil.exe making outbound HTTPS connections to Microsoft CRL distribution points (crl.microsoft.com, ocsp.msocsp.com) for revocation checking. DeviceProcessEvents: certutil.exe spawned from PowerShell/cmd.exe.
- Test 3: Enumerate Code Signing Certificates Including Private Key Holders
Expected signal: Sysmon Event ID 1 (Process Create): PowerShell accessing multiple certificate stores. Sysmon Event ID 11 (File Create): codesign_enum.csv created in %TEMP%. DeviceRegistryEvents: reads to HKLM\SOFTWARE\Microsoft\SystemCertificates\{My,Root,CA,TrustedPublisher}. DeviceFileEvents in MDE: CSV output file creation in user temp directory.
- Test 4: Validate Executable Signatures Using Sigcheck Sysinternals Tool
Expected signal: Sysmon Event ID 1 (Process Create): sigcheck.exe launching from %TEMP% with -a -h flags. Sysmon Event ID 3 (Network Connection): sigcheck.exe may attempt outbound connection to VirusTotal API if -vt flag is included. DeviceProcessEvents: sigcheck.exe spawned by PowerShell with the target path argument covering %TEMP% executables.
- Test 5: Query Windows Code Integrity Logs for Historical Certificate Enforcement Events
Expected signal: Sysmon Event ID 1 (Process Create): PowerShell executing Get-WinEvent against the Code Integrity operational log. DeviceProcessEvents: PowerShell with Get-WinEvent in command line. If any Code Integrity events were previously logged on this system (e.g., from WDAC policy enforcement), they will be returned. In environments without WDAC policy configured, Event IDs 3033/3034 may not appear, but 3036 (certificate details) often does.
References
- https://attack.mitre.org/techniques/T1588/003/
- https://en.wikipedia.org/wiki/Code_signing
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicefilecertificateinfo-table
- https://learn.microsoft.com/en-us/sysinternals/downloads/sigcheck
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
- https://crt.sh/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.003/T1588.003.md
- https://www.mandiant.com/resources/blog/fin12-ransomware-intrusion-actor-pursuing-high-value-targets
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-espionage-apt-target-taiwan
- https://www.ibm.com/reports/threat-intelligence