Develop Capabilities: Code Signing Certificates

ID          Name
VT0007.001  Code Signing Certificates
VT0007.002  Digital Certificates
VT0007.003  Malware

Before compromising a victim, adversaries may create a CA-signed or a self-signed code signing certificate to be used during targeting. Code signing is simply a guarantee that the code of a program or software download has not been modified after it was signed by the publisher. Code signing uses the same public key infrastructure (PKI) used in HTTPS to sign and verify a software program on first run on Windows and macOS/OS X operating systems.[1]

Code signing provides a level of assurance about a program's authenticity and verifies the identity of the developer, guaranteeing that the program has not been tampered with. Users and security tools trust a signed piece of code more than an unsigned piece of code, even if they do not know who issued the certificate or who the author is.[2]

Adversaries can use code signing to sign their tools during operations in order to bypass security policies and controls that require signed code to execute on a system.

To obtain a code signing certificate, adversaries will either create a self-signed certificate or purchase a certificate from a CA through the official channels, using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a CA as that entity.[2]
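The distinction the description relies on, between a CA-issued and a self-signed code signing certificate, comes down to which of two checks a verifier performs. The following Go program is an added example and is not part of this page or the framework's material; it uses only the Go standard library, and the names newCert, signCode, signatureValid, chainTrusted, demo, "Example Trusted Root CA" and "Example Vendor Ltd" are assumptions. It builds a trusted root, issues one signer certificate from it, creates a second signer certificate that is self-signed under the same name, signs one payload with each, and then applies both checks: is the signature cryptographically valid, and does the signer chain to a trusted root with a code signing extended key usage. The self-signed certificate passes the first check and fails the second, which is why a control that only asks "is it signed?" is weaker than one that asks "is the signer trusted?". ECDSA P-256 stands in for whatever algorithm a real publisher uses, and Authenticode details such as timestamping and revocation are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Results records what each verification layer says about three cases.
type Results struct {
	CAIssuedSigValid, CAIssuedTrusted     bool // signer cert issued by the trusted CA
	SelfSignedSigValid, SelfSignedTrusted bool // signer cert is self-signed
	TamperedSigValid                      bool // CA-issued signature checked over modified code
}

// newCert issues a certificate for cn (assumed helper; panics on error to keep
// the demo short). With parent == nil the certificate is self-signed with its
// own key; otherwise it is signed by parentKey.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // root may issue; no EKU means unrestricted
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// signCode is the publisher's step: an ECDSA signature over SHA-256(code).
func signCode(key *ecdsa.PrivateKey, code []byte) []byte {
	digest := sha256.Sum256(code)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// signatureValid answers only "did the key in cert produce sig over code?"
// It says nothing about who cert belongs to or who vouched for it.
func signatureValid(cert *x509.Certificate, code, sig []byte) bool {
	return cert.CheckSignature(x509.ECDSAWithSHA256, code, sig) == nil
}

// chainTrusted answers "does cert chain to a root in roots, and is that chain
// permitted for code signing?" This is the check a self-signed cert fails.
func chainTrusted(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

// demo builds the trust store, both signers and one constructed payload, then
// runs each verification layer over the CA-issued, self-signed and tampered cases.
func demo() Results {
	code := []byte("constructed sample payload standing in for installer bytes")
	root, rootKey := newCert("Example Trusted Root CA", 1, true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	vendor, vendorKey := newCert("Example Vendor Ltd", 2, false, root, rootKey)
	rogue, rogueKey := newCert("Example Vendor Ltd", 3, false, nil, nil) // same name, no CA behind it
	vendorSig, rogueSig := signCode(vendorKey, code), signCode(rogueKey, code)
	tampered := append([]byte{}, code...)
	tampered[0] ^= 0x01 // one bit changed after signing
	return Results{
		CAIssuedSigValid:   signatureValid(vendor, code, vendorSig),
		CAIssuedTrusted:    chainTrusted(vendor, roots),
		SelfSignedSigValid: signatureValid(rogue, code, rogueSig),
		SelfSignedTrusted:  chainTrusted(rogue, roots),
		TamperedSigValid:   signatureValid(vendor, tampered, vendorSig),
	}
}

func main() {
	fmt.Printf("%+v\n", demo())
}
```

Run with `go run`: CAIssuedSigValid and CAIssuedTrusted are true, SelfSignedSigValid is true while SelfSignedTrusted is false, and TamperedSigValid is false. A policy that consumes only the first column of each pair is the one this technique is designed to satisfy.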

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls, since it is based on the abuse of system features.

Detection

Much of this activity takes place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may instead focus on related follow-on behavior, such as Code Signing or Install Root Certificate.

References

Attachments

ID: VT0007.001
Sub-techniques
Tactic: Resource Development
Platforms: PRE
Version: 1.0

Created: 20 December 2020

Last Modified: 27 December 2020