Obtain Capabilities: Code Signing Certificates
Before compromising a victim, adversaries may buy or steal code signing certificates that can be used during targeting. Code Signing is simply a guarantee that the code of a program or software download has not been corrupted and tampered with after it was signed by the publisher. Code Signing uses the same public key infrastructure (PKI) used in HTTPS to sign and verify a software program.
Code signing provides a level of authenticity of a program and verifies the identity of the developer to guarantee that the program has not been tampered with. Users and security tools trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
To sign their code, adversaries may buy a stolen code signing certificate or steal one from a legitimate software developer.
An adversary can purchase a stolen code signing certificate online from fraudulent marketplaces or from individuals that offer crime-as-a-service or steal one in a parallel or prior compromise of another targeted software developer.
PLEAD operators obtain or steal valid and legitimate certificates from Taiwanese companies to sign PLEAD tools
ShadowHammer binaries were signed with two different ASUS certificates issues by DigiCert.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as Code Signing or Install Root Certificate.
Created: 20 December 2020
Last Modified: 22 December 2020