1. Home
  2. ATT&CK Techniques
  3. T1587
  4. T1587.002
Resource Development

T1587.002: Code Signing Certificates

Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author...

T1587.002 · Sub-technique ·1 platforms ·3 groups

Description

Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.

Prior to Code Signing, adversaries may develop self-signed code signing certificates for use in operations.

Platforms

PRE

Mitigations (1)

Pre-compromiseM1056

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Threat Groups (3)

IDGroupContext
G1034Daggerfly[Daggerfly](https://attack.mitre.org/groups/G1034) created code signing certificates to sign malicious macOS files.(Citation: ESET EvasivePanda 2024)
G0056PROMETHIUM[PROMETHIUM](https://attack.mitre.org/groups/G0056) has created self-signed certificates to sign malicious installers.(Citation: Bitdefender StrongPit...
G0040Patchwork[Patchwork](https://attack.mitre.org/groups/G0040) has created self-signed certificates from fictitious and spoofed legitimate software companies that...

References

Frequently Asked Questions

What is T1587.002 (Code Signing Certificates)?

T1587.002 is a MITRE ATT&CK technique named 'Code Signing Certificates'. It belongs to the Resource Development tactic(s). Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author...

How can T1587.002 be detected?

Detection of T1587.002 (Code Signing Certificates) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1587.002?

There are 1 documented mitigations for T1587.002. Key mitigations include: Pre-compromise.

Which threat groups use T1587.002?

Known threat groups using T1587.002 include: Daggerfly, PROMETHIUM, Patchwork.