Install Digital Certificate

Information

• Name: Install Digital Certificate

• ID: T1608.003

• Tactics: TA0042

• Technique: T1608

Introduction

The MITRE ATT&CK sub-technique "Install Digital Certificate [T1608.003]" is part of the broader "Stage Capabilities" technique (T1608) within the Resource Development tactic. This sub-technique specifically involves adversaries obtaining and installing digital certificates to legitimize malicious activities. Digital certificates, typically issued by trusted Certificate Authorities (CAs), are leveraged by attackers to disguise malware, bypass security controls, and establish trustworthiness in compromised environments.

Deep Dive Into Technique

Adversaries employing the "Install Digital Certificate" sub-technique utilize legitimate, trusted digital certificates to sign malicious executables, scripts, or drivers. By signing malicious payloads with valid certificates, attackers effectively masquerade their tools as legitimate software, significantly reducing suspicion from users and security software.

Key technical details include:

• Certificate Acquisition Methods:

  • Compromising legitimate organizations to steal existing certificates.

  • Fraudulently requesting certificates from trusted Certificate Authorities (CAs).

  • Purchasing certificates from illicit marketplaces or underground forums.

• Certificate Installation and Usage:

  • Embedding certificates directly into malicious executables or scripts to bypass signature-based detection.

  • Leveraging signed drivers to load kernel-level malware, circumventing driver signature enforcement in operating systems.

  • Utilizing signed binaries to evade application whitelisting or endpoint protection mechanisms.

• Common Techniques and Approaches:

  • Code signing of malware executables, DLL files, and scripts (PowerShell, JavaScript).

  • Kernel-mode driver signing to facilitate rootkit installation and persistence.

  • SSL/TLS certificate installation on compromised web servers to enable encrypted command and control (C2) communications.

When this Technique is Usually Used

The "Install Digital Certificate" sub-technique is commonly employed across multiple stages and scenarios within cyber attacks, including:

• Initial Access and Execution Stage:

  • Attackers sign malicious payloads to bypass antivirus and endpoint detection solutions during initial infection attempts.

  • Phishing campaigns distributing signed malicious attachments or installers to increase credibility and user trust.

• Defense Evasion and Persistence:

  • Signed binaries and drivers are leveraged to evade application control policies, endpoint protection tools, and driver signature enforcement mechanisms.

  • Signed malware helps attackers maintain persistent, stealthy access to compromised systems without raising alarms.

• Privilege Escalation and Lateral Movement:

  • Attackers may use signed drivers or executables to escalate privileges, install rootkits, or move laterally within targeted environments, leveraging the inherent trust granted to digitally-signed software.

• Command and Control (C2):

  • Installation of legitimate SSL/TLS certificates on compromised infrastructure to secure and obfuscate malicious communications, making detection and analysis more challenging.

How this Technique is Usually Detected

Detection of adversaries using the "Install Digital Certificate" technique involves a combination of proactive monitoring, auditing, and analysis techniques, including:

• Certificate Transparency Logs Monitoring:

  • Regularly checking public Certificate Transparency (CT) logs for suspicious certificates issued under organizational domains or names.

• Endpoint Detection and Response (EDR) Solutions:

  • Monitoring endpoints for unusual or unexpected signed binaries, scripts, or drivers.

  • Analyzing executable metadata for mismatches between the certificate issuer and the software publisher.

• Network Traffic Analysis:

  • Identifying unusual encrypted network communications or abnormal SSL/TLS certificate usage patterns.

  • Detecting suspicious certificate issuers, unusual certificate lifetimes, or certificates issued from unknown or suspicious CAs.

• Behavioral Analysis and Threat Intelligence:

  • Leveraging threat intelligence feeds to identify known malicious certificates or compromised CAs.

  • Conducting behavioral analysis on signed binaries to detect anomalies, such as unusual file locations, unexpected execution paths, or unauthorized privilege escalations.

• Indicators of Compromise (IoCs):

  • Presence of certificates issued by known compromised or fraudulent Certificate Authorities.

  • Detection of binaries signed by certificates previously associated with malicious campaigns.

  • Suspicious certificate attributes such as unusual validity periods, issuer anomalies, or mismatched publisher and signer information.

Why it is Important to Detect This Technique

Early detection of adversaries employing the "Install Digital Certificate" sub-technique is crucial due to the significant implications and potential impacts on targeted systems and networks:

• Increased Stealth and Persistence:

  • Signed malware significantly reduces the likelihood of detection by traditional antivirus and endpoint protection solutions, enabling attackers to maintain long-term, stealthy access.

• Bypassing Security Controls:

  • Digitally signed binaries may bypass critical security controls such as application whitelisting, endpoint detection tools, and driver signature enforcement mechanisms.

• Elevated Trust and Privileges:

  • Signed drivers and executables inherently receive higher trust levels from operating systems, potentially enabling attackers to escalate privileges or install kernel-mode rootkits.

• Data Exfiltration and Command and Control:

  • Installation of legitimate SSL/TLS certificates on compromised infrastructure allows attackers to encrypt malicious communications, complicating detection and analysis efforts.

• Damage to Organizational Reputation:

  • Compromised or fraudulently obtained certificates issued under an organization's name can lead to significant reputational damage, loss of customer trust, and regulatory consequences.

Early detection and mitigation of this sub-technique significantly reduces adversary dwell time, minimizes potential damage, and enhances overall organizational security posture.

Examples

Real-world examples of adversaries leveraging the "Install Digital Certificate" sub-technique include:

• Stuxnet Malware:

  • Attackers behind Stuxnet used legitimate digital certificates stolen from Taiwanese companies (Realtek Semiconductor and JMicron Technology) to sign malicious drivers, enabling the malware to bypass Windows driver signature verification and infect targeted industrial control systems (ICS).

• Operation ShadowHammer (ASUS Supply Chain Attack):

  • Attackers compromised ASUS's legitimate software update infrastructure and used valid ASUS digital certificates to sign malicious software updates distributed to thousands of users. This allowed the malware to evade detection and infect a large number of endpoints.

• Winnti Group Attacks:

  • The Winnti cyber espionage group has repeatedly used stolen or fraudulently obtained digital certificates to sign malicious payloads and drivers, enabling them to bypass security controls, escalate privileges, and maintain persistent access within compromised organizations.

• DarkHotel APT Group:

  • DarkHotel attackers used stolen and fraudulent digital certificates to sign malware distributed through watering hole attacks targeting hotel Wi-Fi networks. Signed malware helped attackers evade endpoint protection solutions and compromise high-profile victims.

These examples illustrate the effectiveness and widespread use of digital certificate installation by sophisticated threat actors to facilitate stealthy operations, evade detection, and achieve long-term persistence within targeted environments.