Stealth

T1036.001: Invalid Code Signature

T1036.001 · Sub-technique of T1036 (Masquerading) · 2 platforms · 2 groups

Description

Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users, and security tools may mishandle them, for example by treating the mere presence of a signature block as evidence of trust.(Citation: Threatexpress MetaTwin 2017)

Unlike Code Signing (T1553.002, under Subvert Trust Controls), this activity will not result in a valid signature: the embedded hash no longer matches the file, or the certificate chain is untrusted, expired, or revoked.
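The following is an added example, not code from MITRE ATT&CK or from the MetaTwin tool the page cites. It shows, on a constructed PE32+ file, why a transplanted Authenticode signature is invalid: the signature commits to the Authenticode hash of the file it was made for (the hash that skips the CheckSum field, the security data-directory entry and the certificate table itself), so copying the certificate table onto another binary leaves a signature block in place that any presence-only check accepts, while the embedded digest no longer matches. The certificate table here is a stand-in DigestInfo rather than a full PKCS#7 SignedData (assumption: a real signature carries the same DigestInfo inside SpcIndirectDataContent, alongside the certificate chain and the signature value, which this example does not model), and the minimal PE is constructed for hashing only and is not loadable.

```python
"""Authenticode hash vs. embedded digest: why a copied signature fails validation.
Added, constructed example; the PE image and the DigestInfo-only certificate
table are stand-ins, not a real signed binary or a real PKCS#7 signature."""
import hashlib
import struct

FILE_ALIGN = 0x200
# DER of DigestInfo up to the digest: SEQUENCE { SEQUENCE { OID sha256, NULL }, OCTET STRING (32) ... }
_SHA256_DIGESTINFO_PREFIX = bytes.fromhex("300d0609608648016503040201" "0500" "0420")


def _header_offsets(pe: bytes):
    """Return (checksum_off, cert_dir_off, size_of_headers, section_hdr_off, nsections)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 24                                   # "PE\0\0" (4) + COFF header (20)
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dirs = 96 if magic == 0x10B else 112             # PE32 vs PE32+ data directory start
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    return opt + 64, opt + data_dirs + 4 * 8, size_of_headers, opt + opt_size, nsec


def authenticode_sha256(pe: bytes) -> bytes:
    """Hash the file the way Authenticode does: skip CheckSum, the security directory
    entry and the certificate table, so attaching a signature leaves the hash unchanged."""
    checksum, cert_dir, size_of_headers, sec_hdr, nsec = _header_offsets(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir)
    h = hashlib.sha256()
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:cert_dir])
    h.update(pe[cert_dir + 8:size_of_headers])
    sections, end = [], size_of_headers
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec_hdr + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):            # section data in file order
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        end = max(end, raw_ptr + raw_size)
    # Trailing data is hashed minus the certificate table (assumption: the table is
    # the last thing in the file, which is how linkers and signtool lay it out).
    if cert_size:
        h.update(pe[end:cert_off])
        h.update(pe[cert_off + cert_size:])
    else:
        h.update(pe[end:])
    return h.digest()


def build_minimal_pe(section_data: bytes) -> bytes:
    """Constructed PE32+ with one .text section; structurally valid for hashing only."""
    raw_size = -(-len(section_data) // FILE_ALIGN) * FILE_ALIGN
    size_of_headers = 0x200
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, raw_size, 0, 0, 0x1000, 0x1000)
    opt += struct.pack("<QIIHHHHHHI", 0x140000000, 0x1000, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0)
    opt += struct.pack("<IIIHHQQQQII", 0x2000, size_of_headers, 0, 3, 0x8160,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += bytes(16 * 8)                                  # data directories, all empty
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section_data), 0x1000, raw_size,
                                         size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sec
    headers += bytes(size_of_headers - len(headers))
    return headers + section_data + bytes(raw_size - len(section_data))


def append_certificate_table(pe: bytes, table: bytes) -> bytes:
    """Append a WIN_CERTIFICATE table and point data directory 4 (Security) at it."""
    _, cert_dir, *_ = _header_offsets(pe)
    assert struct.unpack_from("<II", pe, cert_dir) == (0, 0), "already has a certificate table"
    buf = bytearray(pe)
    buf += bytes(-len(buf) % 8)                           # table must be 8-byte aligned
    struct.pack_into("<II", buf, cert_dir, len(buf), len(table))
    return bytes(buf + table)


def attach_fake_signature(pe: bytes) -> bytes:
    """Stand-in for signing: a DigestInfo over the real Authenticode hash inside a
    WIN_CERTIFICATE (revision 0x0200, type 0x0002). No certificate chain, no signature value."""
    body = _SHA256_DIGESTINFO_PREFIX + authenticode_sha256(pe)
    digest_info = b"\x30" + bytes([len(body)]) + body     # outer DigestInfo SEQUENCE
    cert = struct.pack("<IHH", 8 + len(digest_info), 0x0200, 0x0002) + digest_info
    return append_certificate_table(pe, cert + bytes(-len(cert) % 8))


def certificate_table(pe: bytes) -> bytes:
    _, cert_dir, *_ = _header_offsets(pe)
    off, size = struct.unpack_from("<II", pe, cert_dir)
    return pe[off:off + size]


def transplant_signature(signed_src: bytes, unsigned_dst: bytes) -> bytes:
    """What a metadata-cloning tool does: copy the signature table byte for byte."""
    return append_certificate_table(unsigned_dst, certificate_table(signed_src))


def verify_embedded_hash(pe: bytes) -> str:
    """'unsigned', 'match' or 'mismatch'. A presence-only check would treat every
    non-'unsigned' file as signed, which is the gap this technique abuses."""
    table = certificate_table(pe)
    if not table:
        return "unsigned"
    i = table.find(_SHA256_DIGESTINFO_PREFIX)
    if i < 0:
        return "mismatch"                                 # no SHA-256 DigestInfo to compare
    embedded = table[i + len(_SHA256_DIGESTINFO_PREFIX):][:32]
    return "match" if embedded == authenticode_sha256(pe) else "mismatch"


if __name__ == "__main__":
    good = attach_fake_signature(build_minimal_pe(b"\x48\x31\xc0\xc3".ljust(100, b"\xcc")))
    clone = transplant_signature(good, build_minimal_pe(b"\x90" * 300))  # constructed target
    print("original:", verify_embedded_hash(good))   # match
    print("cloned  :", verify_embedded_hash(clone))  # mismatch, yet a signature block is present
```

On a real system the same comparison is what WinVerifyTrust performs first (before chain building and revocation checks), which is why a transplanted signature is reported as invalid rather than as unsigned; a defensive tool that only tests whether the security directory is non-empty cannot tell the two apart.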

Platforms

macOS, Windows

Mitigations (1)

M1045 Code Signing

Require signed binaries. The enforcement point must validate the signature rather than check that one is present: an application-control policy that allows only binaries with a valid, trusted signature (for example WDAC or AppLocker publisher rules on Windows, Gatekeeper and notarization on macOS) rejects a transplanted, expired, or revoked signature outright, whereas a presence check is exactly what this technique is designed to pass.

Threat Groups (2)

ID | Group | Context
G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) has signed its malware with invalid digital certificates listed as “Tencent Technology (Shenzhen) Co...
G0112 | Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used revoked certificates to sign malware.(Citation: objective-see windtail1 dec 2018)(Citation...

Associated Software (7)

ID | Name | Type | Context
S0466 | WindTail | Malware | [WindTail](https://attack.mitre.org/software/S0466) has been incompletely signed with revoked certificates.(Citation: objective-see windtail1 dec 2018...
S0128 | BADNEWS | Malware | [BADNEWS](https://attack.mitre.org/software/S0128) is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look ...
S0019 | Regin | Malware | [Regin](https://attack.mitre.org/software/S0019) stage 1 modules for 64-bit systems have been found to be signed with fake certificates masquerading a...
S1234 | SplatCloak | Malware | [SplatCloak](https://attack.mitre.org/software/S1234) has used a revoked certificate to exploit Windows driver execution policy where certificates iss...
S0198 | NETWIRE | Malware | The [NETWIRE](https://attack.mitre.org/software/S0198) client has been signed by fake and invalid digital certificates.(Citation: McAfee Netwire Mar 2...
S1050 | PcShare | Tool | [PcShare](https://attack.mitre.org/software/S1050) has used an invalid certificate in an attempt to appear legitimate.(Citation: Bitdefender FunnyDream C...
S0666 | Gelsemium | Malware | [Gelsemium](https://attack.mitre.org/software/S0666) has used unverified signatures on malicious DLLs.(Citation: ESET Gelsemium June 2021)

Frequently Asked Questions

What is T1036.001 (Invalid Code Signature)?

T1036.001 is a MITRE ATT&CK sub-technique of T1036 (Masquerading) named 'Invalid Code Signature'. It belongs to the Defense Evasion tactic (listed under Stealth on this page). Adversaries mimic features of valid code signatures, typically by copying the metadata and signature block from a legitimately signed program onto an unsigned one, or by signing with a fake, expired, or revoked certificate. The result fails signature validation, but it can look legitimate to users and to tools that only check whether a signature is present.

How can T1036.001 be detected?

Detection of T1036.001 (Invalid Code Signature) relies on file metadata (ATT&CK data source File: File Metadata): collect the signing-certificate metadata of executables that run on the system and check signature validity, not merely signature presence. On Windows, Get-AuthenticodeSignature or Sysinternals sigcheck report a status other than Valid for a hash mismatch, an untrusted chain, or an expired certificate; on macOS, codesign --verify and spctl --assess do the same for bundles and Mach-O binaries. Revoked certificates, as used by Windshift and SplatCloak, only surface if the check performs revocation lookups (CRL or OCSP), since the chain itself can still build. Alert on executables whose signature fails validation, and treat a signature block that names a well-known publisher but does not validate as a stronger signal than no signature at all.

What mitigations exist for T1036.001?

There is one documented mitigation for T1036.001: Code Signing (M1045), meaning enforcement of validated, trusted signatures on executables rather than a check for the presence of a signature.

Which threat groups use T1036.001?

Known threat groups using T1036.001 include: APT37, Windshift.