Code Signing Certificates (T1588.003)

Information

• Name: Code Signing Certificates

• ID: T1588.003

• Tactics:

• Technique:

Introduction

Code Signing Certificates (T1588.003) is a sub-technique within the MITRE ATT&CK framework under the broader category of Obtain Capabilities (T1588). This technique involves adversaries obtaining or creating code signing certificates to digitally sign their malware or malicious software, making it appear legitimate to security solutions and users. Code signing certificates are typically issued by trusted Certificate Authorities (CAs), and their misuse can significantly enhance the credibility of malicious payloads, enabling adversaries to bypass security controls and evade detection.

Deep Dive Into Technique

Adversaries leverage code signing certificates to sign malicious binaries, scripts, drivers, or software packages, thereby increasing the likelihood of successful execution on targeted systems. Code signing provides assurance to operating systems and security software that the signed code originates from a trusted and verified source, reducing suspicion and bypassing certain security mechanisms.

Technical details and execution methods include:

• Acquisition Methods:

  • Theft or compromise of legitimate certificates from software vendors or organizations.

  • Fraudulent issuance by deceiving Certificate Authorities through impersonation or falsified documentation.

  • Purchase from underground marketplaces or dark web forums specializing in stolen or fraudulent certificates.

  • Creation of self-signed certificates, though these have limited effectiveness compared to certificates issued by trusted CAs.

• Signing Mechanisms:

  • Use of standard code signing tools such as Microsoft's SignTool or OpenSSL to sign executables, DLLs, drivers, scripts, or installers.

  • Embedding certificates directly into binaries or software packages, allowing them to pass validation checks.

  • Employing timestamping services to extend the validity and trustworthiness of signed malware beyond certificate expiration.

• Operational Advantages:

  • Signed malware can bypass certain endpoint protections and antivirus scanning heuristics.

  • Enables execution of malicious drivers within kernel-mode, bypassing driver signature enforcement (e.g., Windows Driver Signature Enforcement).

  • Reduces user suspicion and enhances social engineering effectiveness due to perceived legitimacy.

When this Technique is Usually Used

Adversaries typically utilize code signing certificates across various stages and scenarios of cyberattacks, including:

• Initial Access and Execution:

  • Delivering signed malware payloads via phishing emails, malicious attachments, or compromised software updates.

  • Distributing malware through legitimate software update channels or software repositories.

• Privilege Escalation and Persistence:

  • Installing malicious kernel-mode drivers or services that require signed binaries to execute with elevated privileges.

  • Ensuring persistent access by deploying digitally signed backdoors or remote access tools (RATs).

• Defense Evasion:

  • Evading detection by endpoint protection systems, antivirus software, and application whitelisting tools.

  • Circumventing operating system security features such as Windows SmartScreen, Gatekeeper (macOS), or driver signature enforcement.

• Supply Chain Compromise:

  • Compromising software vendors or developers to steal legitimate certificates and subsequently distribute signed malicious updates.

  • Injecting malicious code into legitimate software builds before signing and distribution.

How this Technique is Usually Detected

Detection of malicious use of code signing certificates involves comprehensive monitoring and analysis activities, including:

• Certificate Monitoring and Validation:

  • Monitoring certificate transparency logs and revocation lists for suspicious or compromised certificates.

  • Validating certificates against known trusted issuers and identifying discrepancies or anomalies.

• Behavioral Analysis and Endpoint Detection:

  • Employing Endpoint Detection and Response (EDR) solutions to identify unusual signed binaries executing from uncommon locations or processes.

  • Detecting anomalies in certificate metadata, such as unusual issuer names, validity periods, or certificate serial numbers.

• Threat Intelligence and IOC Matching:

  • Leveraging threat intelligence feeds to identify known malicious certificates or compromised signing keys.

  • Utilizing Indicators of Compromise (IoCs), such as certificate hashes, thumbprints, or issuer details, to flag malicious activity.

• Auditing and Logging:

  • Reviewing system logs and audit trails for unexpected code signing activities or the presence of unrecognized certificates.

  • Monitoring software distribution channels and repositories for newly signed binaries matching suspicious patterns.

Specific Indicators of Compromise (IoCs):

• Certificate serial numbers or thumbprints known to be compromised or associated with malicious campaigns.

• Signed binaries originating from unusual or unauthorized software publishers.

• Certificates issued by unknown, suspicious, or compromised Certificate Authorities.

• Sudden appearance of digitally signed software or drivers without corresponding legitimate software release announcements.

Why it is Important to Detect This Technique

Early detection and mitigation of malicious use of code signing certificates is crucial due to the significant risks and potential impacts posed to organizations:

• Security Control Bypass:

  • Digitally signed malware can bypass endpoint protection, antivirus software, and application whitelisting mechanisms, allowing adversaries unrestricted execution capabilities.

• Enhanced Persistence and Privilege Escalation:

  • Malicious signed drivers and kernel-mode components can provide adversaries with persistent access and elevated privileges, increasing the difficulty of remediation.

• Supply Chain Risks:

  • Compromised code signing certificates can facilitate supply chain attacks, impacting numerous downstream organizations and users, causing widespread and severe damage.

• Reputational Damage and Trust Erosion:

  • Misuse of legitimate certificates can severely damage organizational reputation, erode customer trust, and lead to regulatory penalties or legal liabilities.

• Difficulty in Attribution and Response:

  • Signed malware complicates incident response efforts, increases investigation complexity, and delays threat attribution, providing adversaries additional time to achieve their objectives.

Examples

Real-world examples of adversaries leveraging code signing certificates include:

• Stuxnet (2010):

  • Attack Scenario: Advanced persistent threat (APT) targeting Iranian nuclear facilities.

  • Tools and Techniques: Malware digitally signed using stolen certificates from Realtek Semiconductor and JMicron Technology.

  • Impacts: Successfully bypassed Windows security mechanisms, enabling stealthy propagation and sabotage of industrial control systems.

• ShadowHammer (2019):

  • Attack Scenario: Supply chain compromise targeting ASUS Live Update utility.

  • Tools and Techniques: Attackers compromised ASUS code signing certificates and infrastructure to digitally sign and distribute malicious updates.

  • Impacts: Over one million users potentially affected, enabling attackers to selectively target specific systems for further exploitation.

• Operation Aurora (2009-2010):

  • Attack Scenario: Cyber espionage campaign targeting Google and other technology companies.

  • Tools and Techniques: Attackers utilized digitally signed malware binaries to bypass endpoint protections and gain persistent access.

  • Impacts: Theft of intellectual property, sensitive data, and significant financial and reputational damages.

• DigiNotar Breach (2011):

  • Attack Scenario: Compromise of Dutch Certificate Authority DigiNotar.

  • Tools and Techniques: Attackers issued fraudulent certificates for major domains, including Google and Microsoft, enabling man-in-the-middle attacks.

  • Impacts: Compromise of secure communications, leading to the revocation of DigiNotar's trust status and eventual bankruptcy.

• DarkHalo/SolarWinds Attack (2020):

  • Attack Scenario: Supply chain compromise targeting SolarWinds Orion software.

  • Tools and Techniques: Attackers injected malicious code into legitimate software updates, digitally signed by SolarWinds, bypassing security defenses.

  • Impacts: Extensive espionage campaign affecting numerous government agencies and private organizations, causing severe security breaches and data exfiltration.