T1036.001: Invalid Code Signature

View on MITRE ATT&CK	T1036.001
Tactic(s)	Defense Evasion
Associated CAPEC Patterns	Signature Spoof (CAPEC-473)

Data from MITRE ATT&CK®:

Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)

Unlike Code Signing, this activity will not result in a valid signature.

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Mitigations for this technique

MITRE ATT&CK Mitigations

Code Signing

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

How to detect this technique

MITRE ATT&CK Data Components

File Metadata (File)

Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

SP800-53 Controls

See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.

Node
SI-4: System Monitoring
CM-2: Baseline Configuration
CM-6: Configuration Settings
SI-7: Software, Firmware, and Information Integrity
IA-9: Service Identification and Authentication