Common Information
Type | Value |
---|---|
Value | Code Signing - T1553.002 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature. Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning) Code signing certificates may be used to bypass security policies that require signed code to execute on a system. |
Details | Type | Published | Attributes | Title | CTI | |
---|---|---|---|---|---|---|
Details | Website | 2020-06-28 | 37 | Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI - CVE-2020-1464 - Securityinbits | ||
Details | Website | 2020-06-17 | 37 | Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies | WeLiveSecurity | ||
Details | Website | 2020-05-21 | 108 | No “Game over” for the Winnti Group | WeLiveSecurity | ||
Details | Website | 2020-05-12 | 128 | Updated BackConfig Malware Targeting Government and Military Organizations in South Asia | ||
Details | Website | 2020-04-20 | 39 | WINNTI GROUP: Insights From the Past | ||
Details | Website | 2020-03-30 | 19 | The 'S' in Zoom, Stands for Security | ||
Details | Website | 2020-01-16 | 5 | Exploiting the Windows CryptoAPI Vulnerability | ||
Details | Website | 2020-01-14 | 52 | Microsoft Patch Tuesday — Jan. 2020: Vulnerability disclosures and Snort coverage | ||
Details | Website | 2020-01-01 | 131 | The Mac Malware of 2019 👾 | ||
Details | Website | 2019-12-12 | 30 | GALLIUM: Targeting global telecom | ||
Details | Website | 2019-12-03 | 17 | Lazarus Group Goes 'Fileless' | ||
Details | Website | 2019-10-10 | 23 | Code Signing Certificate Cloning Attacks and Defenses | ||
Details | Website | 2019-10-10 | 13 | Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques | Mandiant | ||
Details | Website | 2019-09-25 | 11 | Detecting macOS.GMERA Malware Through Behavioral Inspection | ||
Details | Website | 2019-09-20 | 24 | Mac Malware, Spoofs App, Steals User Information | ||
Details | Website | 2019-09-20 | 23 | Mac Malware, Spoofs App, Steals User Information | ||
Details | Website | 2019-09-07 | 8 | Writing a Process Monitor with Apple's Endpoint Security Framework | ||
Details | Website | 2019-08-29 | 6 | In-the-wild iOS Exploit Chain 1 | ||
Details | Website | 2019-08-14 | 252 | In the Balkans, businesses are under fire from a double‑barreled weapon | WeLiveSecurity | ||
Details | Website | 2019-07-09 | 21 | DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX | ||
Details | Website | 2019-07-02 | 23 | Getting Root with Benign AppStore Apps | ||
Details | Website | 2019-05-04 | 12 | Abusing Catalog Hygiene to Bypass Application Whitelisting | ||
Details | Website | 2019-04-30 | 281 | Buhtrap backdoor and Buran ransomware distributed via major advertising platform | WeLiveSecurity | ||
Details | Website | 2019-04-29 | 57 | LockerGoga Ransomware Family Used in Targeted Attacks | McAfee Blog | ||
Details | Website | 2019-04-15 | 8 | Vulnerability Spotlight: Multiple vulnerabilities in Shimo VPN's helper tool | ||