title: Code Signing Certificates (T1587.002)
id: df00tech-t1587-002
status: experimental
description: "Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Adversaries leverage self-signed certificates to make malicious payloads appear more trustworthy — security tools and users are more likely to trust a signed binary even when the signing authority is unknown. Threat actors including Daggerfly (macOS malware), PROMETHIUM (StrongPity spyware installers), and Patchwork (BackConfig RAT) have created self-signed certificates impersonating legitimate software vendors to sign malicious payloads. This technique is commonly paired with T1553.002 (Code Signing) to bypass application allowlisting, reduce user suspicion, and evade detection tooling that weights signed binaries as lower risk."
references:
  - https://attack.mitre.org/techniques/T1587/002/
  - https://df00tech.com/detections/T1587.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1587.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Software developers creating self-signed certificates for internal code signing during development and testing pipelines
  - IT administrators managing internal PKI infrastructure and importing certificates to enterprise certificate stores
  - "CI/CD build systems (Jenkins, GitHub Actions runners, Azure DevOps agents) that create or use signing certificates as part of release automation"
  - "Security tools such as Fiddler, Burp Suite, and Charles Proxy that create local CA certificates for TLS interception"
  - Certificate authority enrollment agents and autoenrollment services performing legitimate certutil operations
  - macOS developers using codesign tooling through Windows Subsystem for Linux or cross-compilation environments
level: medium