EXPLORE

← Back to Explore

T1036.001

Invalid Code Signature

Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appea...

WindowsmacOS

9

Detections

1

Sources

2

Threat Actors

BY SOURCE

9elastic

PROCEDURES (8)

Driver2 detections

Auto-extracted: 2 detections for driver

Masquerad1 detections

Auto-extracted: 1 detections for masquerad

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Persist1 detections

Auto-extracted: 1 detections for persist

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Privilege1 detections

Auto-extracted: 1 detections for privilege

Privilege1 detections

Auto-extracted: 1 detections for privilege

Masquerad1 detections

Auto-extracted: 1 detections for masquerad

THREAT ACTORS (2)

APT37 Windshift

DETECTIONS (9)

Expired or Revoked Driver Loaded

Potential Masquerading as Business App Installer

Potential Masquerading as Communication Apps

Startup Folder Persistence via Unsigned Process

Suspicious Communication App Child Process

Suspicious DLL Loaded for Persistence or Privilege Escalation

Unsigned DLL Loaded by Svchost

Unsigned DLL Side-Loading from a Suspicious Folder

Untrusted Driver Loaded