title: Code Signing (T1553.002)
id: df00tech-t1553-002
status: experimental
description: "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Valid signatures can bypass security policies requiring signed code to execute, making this technique effective for defense evasion. Threat actors including FIN7, Scattered Spider, Kimsuky, and Patchwork have all leveraged purchased, stolen, or self-signed certificates to make malicious binaries appear legitimate."
references:
  - https://attack.mitre.org/techniques/T1553/002/
  - https://df00tech.com/detections/T1553.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1553.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate software developers signing their builds using signtool.exe in CI/CD pipelines (Azure DevOps, Jenkins build agents) — parent processes may be cmd.exe or powershell.exe in these environments"
  - Certificate authority and PKI administrators importing new root or intermediate CA certificates via certutil.exe or mmc.exe as part of enterprise PKI management
  - "Software installers bundled with vendor-signed binaries that import product-specific root certificates during installation (e.g., corporate VPN clients, enterprise security products)"
  - "Automated patch management solutions (WSUS, SCCM) that update trusted root certificate stores as part of Windows Update processes"
  - Security scanning tools that create temporary certificate files when testing SSL/TLS configurations
level: high
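Added example, not part of the df00tech rule or its KQL/SPL query: a small Python triage filter that applies the false-positive tuning listed above to constructed process_creation events. It assumes Sysmon-style field names (Image, CommandLine, ParentImage, User), and the PKI-admin and build-account allowlists are placeholders for your own environment.

```python
import re

# Tuning lists are assumptions for this example; replace with your environment's values.
PKI_ADMINS = {"corp\\pki-admin"}        # accounts allowed to import root/intermediate CAs
BUILD_ACCOUNTS = {"corp\\svc-build"}    # CI/CD service accounts that run signtool.exe
# certutil -addstore [-f] [-user] <StoreName> <InFile>; flag trusted-store names only.
CERT_STORE_RE = re.compile(r"-addstore(?:\s+-\w+)*\s+\"?(root|authroot|ca)\b", re.I)

# Constructed process_creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -addstore root C:\Users\jdoe\AppData\Local\Temp\new.cer",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -addstore root C:\PKI\corp-root-2026.cer",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "User": "CORP\\pki-admin"},
    {"Image": r"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe",
     "CommandLine": "signtool.exe sign /f build.pfx /fd sha256 release.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": "CORP\\svc-build"},
    {"Image": r"C:\Users\jdoe\Downloads\signtool.exe",
     "CommandLine": "signtool.exe sign /f exported.pfx loader.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": "CORP\\jdoe"},
]


def classify(event):
    """Return an alert string for a code-signing-abuse indicator, or None if tuned out."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    user = event.get("User", "").lower()
    if image.endswith("\\certutil.exe"):
        m = CERT_STORE_RE.search(cmd)
        # Root/CA store imports by anyone outside the PKI team are worth a look.
        if m and user not in PKI_ADMINS:
            return f"trusted-store import into '{m.group(1).lower()}' by {user}"
    if image.endswith("\\signtool.exe") and re.search(r"\bsign\b", cmd, re.I):
        # Signing from a CI service account is expected; from a user account it is not.
        if user not in BUILD_ACCOUNTS:
            return f"interactive signtool use by {user} (parent {event.get('ParentImage')})"
    return None


def detect(events):
    """Run classify() over a batch of events and keep only the alerts."""
    return [a for a in (classify(e) for e in events) if a]
```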
