Develop Capabilities: Code Signing Certificates
Before compromising a victim, adversaries may create a CA-signed or self-signed code signing certificate to be used during targeting. Code signing is a guarantee that the code of a program or software download has not been modified after it was signed by the publisher. Code signing uses the same public key infrastructure (PKI) used in HTTPS to sign and verify a software program on first run on Windows and macOS/OS X operating systems.
Code signing provides a level of authenticity for a program and verifies the identity of the developer, guaranteeing that the program has not been tampered with. Users and security tools tend to trust signed code more than unsigned code, even when they do not know who issued the certificate or who the author is.
Adversaries can use Code Signing to sign their tools in operations in order to bypass security policies and controls that require signed code to execute on a system.
To obtain a code signing certificate, adversaries will either create a self-signed certificate or purchase one from a CA through the official channels, either using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to the CA as that entity.
This technique cannot be easily mitigated with preventive controls, since it is based on the abuse of system features.
Much of this activity takes place outside the visibility of the target organization, making detection difficult. Detection efforts may instead focus on related follow-on behavior, such as Code Signing or Install Root Certificate.
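The two follow-on behaviors named above leave artifacts on the endpoint: a binary whose Authenticode signature is self-issued or does not chain to a trusted root, and a root store that has gained a certificate it did not have before. The script below is an added example (not part of this page or of ATT&CK) that triages both on a Windows host. It assumes Windows PowerShell 5.1 or later, a scan directory passed as `-Path`, and a baseline file at `-BaselinePath` that is created on the first run and diffed against on later runs; all of these names are this example's own choices.

```powershell
# Added example, not from the original page: surface signed binaries whose
# signature is self-issued or untrusted, and root-store entries that were not
# present in a previously recorded baseline.
param(
    [string]$Path         = "$env:ProgramData",                  # directory to scan (assumed)
    [string]$BaselinePath = "$env:ProgramData\root-baseline.txt"  # baseline of root thumbprints (assumed)
)

# --- 1. Authenticode triage of executables and DLLs under $Path ---------------
$findings = foreach ($file in Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File       = $file.FullName
        # Status values of interest: Valid, NotSigned, HashMismatch,
        # UnknownError (typically a chain that does not end in a trusted root).
        Status     = $sig.Status
        Subject    = if ($cert) { $cert.Subject }    else { $null }
        Issuer     = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        # A self-signed certificate is its own issuer.
        SelfSigned = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $false }
    }
}

Write-Host "Signed binaries that are self-issued or do not validate:"
$findings |
    Where-Object { $_.SelfSigned -or ($_.Status -notin 'Valid', 'NotSigned') } |
    Format-Table File, Status, SelfSigned, Subject, Issuer -AutoSize

# --- 2. Root store drift --------------------------------------------------------
# A self-signed code signing certificate only produces Status 'Valid' once its
# root has been installed, so compare the current root stores against a baseline
# rather than guessing from certificate dates (NotBefore is not install time).
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Select-Object Thumbprint, Subject, Issuer, NotBefore, PSParentPath

if (-not (Test-Path $BaselinePath)) {
    $roots.Thumbprint | Sort-Object -Unique | Set-Content -Path $BaselinePath
    Write-Host "Root baseline written to $BaselinePath ($($roots.Count) entries); rerun later to diff."
}
else {
    $known = Get-Content -Path $BaselinePath
    $added = $roots | Where-Object { $_.Thumbprint -notin $known }
    Write-Host "Root certificates not present in the baseline:"
    $added | Format-Table Thumbprint, Subject, PSParentPath, NotBefore -AutoSize
}
```

Run it once on a known-good host to record the root baseline, then schedule it or run it during triage; any row in either table is a lead to investigate, not a verdict, since legitimate in-house code signing also produces self-issued signatures and privately installed roots. Both tables are cheap to convert to a SIEM feed by replacing the `Format-Table` calls with `Export-Csv`.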
Created: 20 December 2020
Last Modified: 27 December 2020