Currently viewing ATT&CK v7.2 which was live between July 8, 2020 and October 26, 2020. Learn more about the versioning system or see the live site.
Register to stream the next session of ATT&CKcon Power Hour November 12
TECHNIQUES
PRE-ATT&CK
Priority Definition Planning
Priority Definition Direction
Target Selection
Technical Information Gathering
People Information Gathering
Organizational Information Gathering
Technical Weakness Identification
People Weakness Identification
Organizational Weakness Identification
Adversary OPSEC
Establish & Maintain Infrastructure
Persona Development
Build Capabilities
Test Capabilities
Stage Capabilities
Enterprise
Initial Access
Phishing
Supply Chain Compromise
Valid Accounts
Execution
Command and Scripting Interpreter
Inter-Process Communication
Scheduled Task/Job
System Services
User Execution
Persistence
Account Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create Account
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Office Application Startup
Pre-OS Boot
Scheduled Task/Job
Server Software Component
Traffic Signaling
Valid Accounts
Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Process Injection
Scheduled Task/Job
Valid Accounts
Defense Evasion
Abuse Elevation Control Mechanism
Access Token Manipulation
Execution Guardrails
File and Directory Permissions Modification
Hide Artifacts
Hijack Execution Flow
Impair Defenses
Indicator Removal on Host
Masquerading
Modify Authentication Process
Modify Cloud Compute Infrastructure
Obfuscated Files or Information
Pre-OS Boot
Process Injection
Signed Binary Proxy Execution
Signed Script Proxy Execution
Subvert Trust Controls
Traffic Signaling
Trusted Developer Utilities Proxy Execution
Use Alternate Authentication Material
Valid Accounts
Virtualization/Sandbox Evasion
Credential Access
Brute Force
Credentials from Password Stores
Input Capture
Man-in-the-Middle
Modify Authentication Process
OS Credential Dumping
Steal or Forge Kerberos Tickets
Unsecured Credentials
Discovery
Account Discovery
Permission Groups Discovery
Software Discovery
Virtualization/Sandbox Evasion
Lateral Movement
Remote Service Session Hijacking
Remote Services
Use Alternate Authentication Material
Collection
Archive Collected Data
Data from Information Repositories
Data Staged
Email Collection
Input Capture
Man-in-the-Middle
Command and Control
Application Layer Protocol
Data Encoding
Data Obfuscation
Dynamic Resolution
Encrypted Channel
Proxy
Traffic Signaling
Web Service
Exfiltration
Exfiltration Over Alternative Protocol
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Impact
Data Manipulation
Defacement
Disk Wipe
Endpoint Denial of Service
Network Denial of Service
Mobile
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Network Effects
Remote Service Effects
  1. Home
  2. Techniques
  3. Enterprise
  4. Subvert Trust Controls
  5. Code Signing

Subvert Trust Controls: Code Signing

ID Name
T1553.001 Gatekeeper Bypass
T1553.002 Code Signing
T1553.003 SIP and Trust Provider Hijacking
T1553.004 Install Root Certificate

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. [1] The certificates used during an operation may be created, acquired, or stolen by the adversary. [2] [3] Unlike Invalid Code Signature, this activity will result in a valid signature.

Code signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. [1]

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

ID: T1553.002
Sub-technique of:  T1553
Tactic: Defense Evasion
Platforms: Windows, macOS
Data Sources: Binary file metadata
Defense Bypassed: Windows User Account Control
Version: 1.0
Created: 05 February 2020
Last Modified: 10 February 2020

Procedure Examples

Name Description
APT37

APT37 has signed its malware with an invalid digital certificates listed as "Tencent Technology (Shenzhen) Company Limited."[33]
APT41

APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.[41]
BackConfig

BackConfig has been signed with self signed digital certificates mimicking a legitimate software company.[25]
BADNEWS

BADNEWS is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate.[16]
BOOSTWRITE

BOOSTWRITE has been signed by a valid CA.[23]
ChChes

ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.[9][10][11]
CopyKittens

CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.[31]
Darkhotel

Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.[28][29]
Daserf

Some Daserf samples were signed with a stolen digital certificate.[6]
Ebury

Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.[20]
Epic

Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper.[19]
FIN6

FIN6 has used Comodo code-signing certificates.[22]

FIN7

FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.[26][27]
Gazer

Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for "Solid Loop Ltd," and another was issued for "Ultimate Computer Support Ltd."[13][14]
GreyEnergy

GreyEnergy digitally signs the malware with a code-signing certificate.[18]
Helminth

Helminth samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared.[7]
Honeybee

Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems.[36]
Janicab

Janicab used a valid AppleDeveloperID to sign the code to get past security restrictions.[15]
Leviathan

Leviathan has used stolen code signing certificates to sign malware.[34][35]
LockerGoga

LockerGoga has been signed with stolen certificates in order to make it look more legitimate.[21]
Metamorfo

Metamorfo has digitally signed executables using Avast.[24]

Molerats

Molerats has used forged Microsoft code-signing certificates on malware.[32]
More_eggs

More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.[22]
Nerex

Nerex drops a signed Microsoft DLL to disk.[8]
NETWIRE

The NETWIRE client has been signed by fake and invalid digital certificates.[12]
Patchwork

Patchwork has signed malware with self signed certificates from fictitious and spoofed legitimate software companies.[25]
QuasarRAT

A QuasarRAT .dll file is digitally signed by a certificate from AirVPN.[4]
RTM

RTM samples have been signed with a code-signing certificates.[17]
SDelete

SDelete is digitally signed by Microsoft.[5]
Silence

Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).[42]
Suckfly

Suckfly has used stolen certificates to sign its malware.[37]
TA505

TA505 has signed payloads with code signing certificates from Thawte and Sectigo.[38][39][40]
Winnti Group

Winnti Group used stolen certificates to sign its malware.[30]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.

References

  1. Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.
  2. Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.
  3. Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016.
  4. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  5. Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.
  6. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  7. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
  8. Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018.
  9. Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  10. Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  11. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  12. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
  13. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  14. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  15. Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
  16. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  17. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  18. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  19. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  20. M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  21. Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.
  1. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  2. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  3. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  4. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  5. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  6. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  7. Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.
  8. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  9. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  10. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  11. Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016.
  12. Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018.
  13. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  14. Plan, F., et all. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
  15. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  16. DiMaggio, J.. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
  17. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  18. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  19. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  20. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  21. Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020.