title: Code Signing Certificates (T1588.003)
id: df00tech-t1588-003
status: experimental
description: "Adversaries may buy and/or steal code signing certificates to sign malicious payloads, enabling their software to appear legitimate and bypass security controls that trust signed code. Code signing provides authenticity guarantees that cause users and security tools to trust signed executables more readily than unsigned binaries. Adversaries purchase certificates using front organizations or stolen identity information, or directly steal signing materials from compromised third parties. Real-world threat actors including Wizard Spider (DigiCert, GlobalSign certs), OilRig, BlackTech, MegaCortex (fake company certificates), and Kimsuky have all leveraged stolen or fraudulently obtained code signing certificates. Because the certificate is acquired outside the victim environment, detection pivots to the artifacts left behind when signed malicious code executes in it: certificate anomalies (revoked, expired, recently issued, or from unusual certificate authorities), discrepancies between file metadata and certificate subjects, Windows Code Integrity enforcement events, and low-prevalence signed executables executing from user-writable paths."
references:
  - https://attack.mitre.org/techniques/T1588/003/
  - https://df00tech.com/detections/T1588.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1588.003
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# Sysmon process_creation (Event ID 1) does not carry signer fields; Signed,
# Signature and SignatureStatus are populated on image_load (Event ID 7) and
# driver_load (Event ID 6), and Code Integrity enforcement events live in the
# Microsoft-Windows-CodeIntegrity/Operational channel.
logsource:
  category: process_creation
  product: windows
detection:
  # PLACEHOLDER: the selection below matches every process_creation event and must
  # not be deployed as-is. The detection logic could not be auto-translated; see the
  # KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate enterprise applications signed with internal PKI certificates not in the global trusted root CA store — these will appear as IsTrusted=false
  - Software vendors whose code signing certificates have recently expired but the binaries remain deployed across the enterprise
  - Open-source software distributed with certificates from lesser-known certificate authorities that are not pre-trusted by Windows
  - Security testing and penetration testing tools legitimately signed by small vendors or individual researchers
  - Development and staging environments where test-signed or debug-built binaries execute frequently from non-standard paths
  - "Software after CA revocation events (e.g., DigiCert mass revocations) where legitimate vendor certificates become temporarily invalid before re-signing and redeployment"
level: high
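# The signer anomalies listed in the description, scored over signer-enriched execution
# records, as an added example. This is illustrative code written for this page, not
# df00tech's KQL/SPL query. The record layout (signer fields joined onto a process event),
# the issuer allowlist, the 30-day "recently issued" window, the user-writable path list
# and the prevalence threshold are all assumptions; the sample records are constructed.

```python
"""Score signer anomalies on execution records (T1588.003) - added example.

Not df00tech's detection. Record layout, allowlist and thresholds are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Assumed allowlist of CAs the organisation expects to see signing its software.
# Real deployments should match on issuer thumbprint, not a substring of the name.
EXPECTED_ISSUERS = {"DigiCert", "Sectigo", "GlobalSign", "Microsoft"}

# Assumed user-writable locations where signed, low-prevalence binaries deserve scrutiny.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

RECENT_ISSUANCE = timedelta(days=30)  # "recently issued" window (assumption)
LOW_PREVALENCE_HOSTS = 3              # seen on this many hosts or fewer (assumption)


def signer_anomalies(rec: dict, now: datetime) -> list[str]:
    """Return the anomaly tags for one record, in a fixed evaluation order."""
    tags = []

    # Certificate state as reported by the signature validator.
    status = rec.get("signature_status", "").lower()
    if status in ("revoked", "expired", "untrusted", "invalid"):
        tags.append("cert:" + status)

    # Issuer outside the CAs this environment normally sees.
    issuer = rec.get("issuer_org", "")
    if issuer and not any(ca.lower() in issuer.lower() for ca in EXPECTED_ISSUERS):
        tags.append("cert:unusual_ca")

    # Certificate issued shortly before the binary ran.
    not_before = rec.get("not_before")
    if not_before is not None and now - not_before <= RECENT_ISSUANCE:
        tags.append("cert:recently_issued")

    # Certificate subject does not agree with the file's version-info company name.
    subject = rec.get("subject_org", "").lower()
    company = rec.get("file_company", "").lower()
    if subject and company and subject not in company and company not in subject:
        tags.append("metadata:subject_mismatch")

    # Signed binary running from a user-writable path on only a handful of hosts.
    image = rec.get("image", "").lower()
    if image.startswith(USER_WRITABLE_PREFIXES) and rec.get("host_count", 0) <= LOW_PREVALENCE_HOSTS:
        tags.append("exec:low_prevalence_user_writable")
    return tags


def triage(records, now: datetime) -> dict:
    """Map each flagged image path to its anomaly tags; clean records are dropped."""
    return {r["image"]: tags for r in records if (tags := signer_anomalies(r, now))}


NOW = datetime(2026, 4, 13, tzinfo=timezone.utc)

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {   # Widely deployed vendor binary with a consistent, valid signature.
        "image": "C:\\Program Files\\Vendor\\app.exe", "signature_status": "valid",
        "issuer_org": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
        "not_before": datetime(2024, 1, 10, tzinfo=timezone.utc),
        "subject_org": "Vendor Inc", "file_company": "Vendor Inc", "host_count": 800,
    },
    {   # Fresh cert from an unfamiliar CA, subject disagrees with metadata, one host.
        "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "signature_status": "valid",
        "issuer_org": "Example Root CA",
        "not_before": datetime(2026, 4, 1, tzinfo=timezone.utc),
        "subject_org": "Front Company LLC", "file_company": "Microsoft Corporation", "host_count": 1,
    },
    {   # Legitimate-looking binary whose certificate has since been revoked.
        "image": "C:\\ProgramData\\tool\\agent.exe", "signature_status": "revoked",
        "issuer_org": "GlobalSign GCC R45 CodeSigning CA 2020",
        "not_before": datetime(2025, 6, 1, tzinfo=timezone.utc),
        "subject_org": "Legit Corp", "file_company": "Legit Corp", "host_count": 500,
    },
]

if __name__ == "__main__":
    for image, tags in triage(SAMPLE_RECORDS, NOW).items():
        print(image, "->", ", ".join(tags))
```

# The revoked record is flagged on certificate state alone even though its path and
# prevalence look benign, which is the case the false-positive list above is about:
# a mass revocation turns many otherwise clean records into "cert:revoked" hits, so
# that tag should be correlated with issuance date and prevalence before paging anyone.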
