Code Signing

Technique
ID: T1116
Tactic: Defense Evasion
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10, MacOS, OS X
Data Sources: Binary file metadata
Defense Bypassed: Windows User Account Control

Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with.[1] However, adversaries are known to use code signing certificates to masquerade malware and tools as legitimate binaries.[2] The certificates used during an operation may be created, forged, or stolen by the adversary.[3][4]

Code signing to verify software on first run can be used on modern Windows and MacOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform.[1]

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

Examples

  • Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen.[5]
  • Molerats has used forged Microsoft code-signing certificates on malware.[6]
  • Suckfly has used stolen certificates to sign its malware.[7]
  • Winnti Group used stolen certificates to sign its malware.[8]
  • ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.[9][10][11]
  • Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper.[12]
  • Janicab used a valid AppleDeveloperID to sign the code to get past security restrictions.[2]
  • RTM samples have been signed with code-signing certificates.[13]
  • Regin stage 1 modules for 64-bit systems have been found to be signed with fake certificates masquerading as originating from Microsoft Corporation and Broadcom Corporation.[14]

Mitigation

Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system.[15][16][3]

Detection

Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.
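
One way to run the outlier analysis described above over collected signing metadata, as an added example that is not part of the original page. The record fields, status strings, sample inventory and the expected-issuer baseline are all constructed assumptions; the checks cover non-valid signatures, self-signed certificates, a known publisher name under an unfamiliar issuer, and signers seen on too few hosts.

```python
from collections import defaultdict

# Constructed inventory: one row per signed binary observed executing.
# Field names, status strings and every value are assumptions for this example.
FIELDS = ("host", "path", "subject", "issuer", "thumbprint", "status")
ROWS = [
    ("ws01", "editor.exe", "CN=Example Software Ltd", "CN=Example Public CA", "AA11", "Valid"),
    ("ws02", "editor.exe", "CN=Example Software Ltd", "CN=Example Public CA", "AA11", "Valid"),
    ("ws01", "shell.exe", "CN=Microsoft Corporation", "CN=Microsoft Code Signing PCA", "EE55", "Valid"),
    ("ws02", "shell.exe", "CN=Microsoft Corporation", "CN=Microsoft Code Signing PCA", "EE55", "Valid"),
    ("ws01", "svchelper.exe", "CN=Microsoft Corporation", "CN=Unknown Root", "BB22", "NotTrusted"),
    ("ws02", "update.exe", "CN=Acme Tools", "CN=Acme Tools", "CC33", "NotTrusted"),
    ("ws01", "agent.exe", "CN=Example Vendor Srl", "CN=Example Public CA", "DD44", "Revoked"),
    ("ws03", "agent.exe", "CN=Example Vendor Srl", "CN=Example Public CA", "DD44", "Revoked"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]

# Assumed baseline: issuers already known in this environment for a publisher name.
EXPECTED_ISSUERS = {"CN=Microsoft Corporation": {"CN=Microsoft Code Signing PCA"}}


def find_outliers(records, expected_issuers, min_hosts=2):
    """Return {thumbprint: sorted reasons} for certificates that merit review."""
    hosts = defaultdict(set)
    for rec in records:
        hosts[rec["thumbprint"]].add(rec["host"])

    findings = defaultdict(set)
    for rec in records:
        tp = rec["thumbprint"]
        if rec["status"] != "Valid":              # revoked, untrusted chain, bad hash
            findings[tp].add("status:" + rec["status"])
        if rec["subject"] == rec["issuer"]:       # certificate created by its own subject
            findings[tp].add("self-signed")
        allowed = expected_issuers.get(rec["subject"])
        if allowed is not None and rec["issuer"] not in allowed:
            findings[tp].add("unexpected-issuer")  # known publisher name, unfamiliar issuer
        if len(hosts[tp]) < min_hosts:            # signer seen on too few hosts
            findings[tp].add("rare-signer")
    return {tp: sorted(reasons) for tp, reasons in findings.items()}


if __name__ == "__main__":
    for thumbprint, reasons in sorted(find_outliers(RECORDS, EXPECTED_ISSUERS).items()):
        print(thumbprint, ", ".join(reasons))
```

A revoked but widely deployed certificate (DD44 in the sample) is flagged on status alone, so prevalence across hosts does not hide it.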

References