MITRE ATT&CK - Техника Сертификаты подписи кода

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

Develop Capabilities: Сертификаты подписи кода

Other sub-techniques of Develop Capabilities (4)

ID	Название
.001	Malware
.002	Сертификаты подписи кода
.003	Цифровые сертификаты
.004	Эксплойты

Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. Prior to Code Signing, adversaries may develop self-signed code signing certificates for use in operations.

ID: T1587.002

Относится к технике: T1587

Тактика(-и): Resource Development

Платформы: PRE

Источники данных: Malware Repository: Malware Metadata

Версия: 1.1

Дата создания: 01 Oct 2020

Последнее изменение: 17 Oct 2021

Название	Описание
Примеры процедур
PROMETHIUM	PROMETHIUM has created self-signed certificates to sign malicious installers.(Citation: Bitdefender StrongPity June 2020)
Patchwork	Patchwork has created self-signed certificates from fictitious and spoofed legitimate software companies that were later used to sign malware.(Citation: Unit 42 BackConfig May 2020)

Контрмера	Описание
Контрмеры
Pre-compromise	This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.

Обнаружение

Consider analyzing self-signed code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, and common name. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in crafting self-signed code signing certificates. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as Code Signing or Install Root Certificate.

Ссылки

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.