Obtain Capabilities: Code Signing Certificates

ID          Name
VT0009.001  Code Signing Certificates
VT0009.002  Digital Certificates

Before compromising a victim, adversaries may buy or steal code signing certificates that can be used during targeting. Code signing is a guarantee that the code of a program or software download has not been corrupted or tampered with after the publisher signed it. Code signing uses the same public key infrastructure (PKI) used in HTTPS to sign and verify a software program.[1]

Code signing provides a measure of authenticity for a program: it verifies the identity of the developer and guarantees that the program has not been tampered with. Users and security tools trust a signed piece of code more than an unsigned piece of code, even if they don't know who issued the certificate or who the author is.

Adversaries can use code signing to sign their tools during operations in order to bypass security policies and controls that require signed code to execute on a system.[2]

To sign their code, adversaries may buy a stolen code signing certificate or steal one from a legitimate software developer.

An adversary can purchase a stolen code signing certificate online from fraudulent marketplaces or from individuals that offer crime-as-a-service or steal one in a parallel or prior compromise of another targeted software developer.

Procedure Examples

Name          Description
BlackTech     BlackTech signed its tools and malware, specifically PLEAD, with stolen valid certificates.
PLEAD         PLEAD operators obtain or steal valid, legitimate certificates from Taiwanese companies to sign PLEAD tools.
ShadowHammer  ShadowHammer binaries were signed with two different ASUS certificates issued by DigiCert.

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as Code Signing or Install Root Certificate.
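A host-side check supporting the follow-on detection described above, written here as an added example (not code from this page or from the technique's original authors): it walks a directory, reads each Authenticode signature with Get-AuthenticodeSignature, and reports binaries whose signature Windows rejects, whose signer is not on an allow-list of expected publishers, or whose signing certificate has already expired. The allow-list thumbprints are constructed placeholders to be replaced with the publishers actually expected on the host.

```powershell
# Added example, not part of the original page. Flags signed binaries that do not
# match a baseline of expected publishers. A stolen-but-valid certificate shows up
# as a "valid" signature from an unexpected signer, which is the case to hunt for.

$ExpectedSigners = @{
    # SHA-1 thumbprint (as Get-AuthenticodeSignature reports it) -> label.
    # Placeholder value; fill in from your own software inventory.
    'PLACEHOLDER_THUMBPRINT_VENDOR_A' = 'Vendor A release signing'
}

function Get-SuspiciousSignatures {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [hashtable] $AllowList = $ExpectedSigners
    )
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -eq 'NotSigned') { return }   # unsigned code is another control's job

            $cert   = $sig.SignerCertificate
            $reason = @()

            # 1. Windows rejected the signature (hash mismatch, untrusted or revoked chain, ...).
            if ($sig.Status -ne 'Valid') { $reason += "status=$($sig.Status)" }

            # 2. Signature verifies, but the signer is not a publisher expected on this host.
            if ($cert -and -not $AllowList.ContainsKey($cert.Thumbprint)) {
                $reason += "unexpected signer: $($cert.Subject)"
            }

            # 3. Signing certificate is past its validity; only a timestamp keeps it trusted.
            if ($cert -and $cert.NotAfter -lt (Get-Date)) {
                $reason += "cert expired $($cert.NotAfter.ToShortDateString())"
            }

            if ($reason.Count) {
                [pscustomobject]@{
                    File       = $_.FullName
                    Signer     = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    Status     = $sig.Status
                    Reason     = ($reason -join '; ')
                }
            }
        }
}

# Usage: Get-SuspiciousSignatures -Path 'C:\ProgramData\Vendor' | Format-Table -AutoSize
```

Results are best compared over time: a new signer appearing on a host that previously only carried baseline publishers is the event worth triaging.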

References

ID: VT0009.001
Sub-techniques:
Tactic: Resource Development
Platforms: PRE
Version: 1.0

Created: 20 December 2020

Last Modified: 22 December 2020