AN0643: Analytic 0643
Detects execution of binaries signed with unusual or recently issued certificates, correlation of process execution with abnormal publisher metadata, and mismatched certificate chains. Monitors for revoked or unknown code signing certificates used in high-privilege contexts.
Analyst context for executives and security teams
AN0643 is a Windows detection analytic focused on whether executed binaries are signed in ways that should not be trusted at face value: unusual or newly issued signing certificates, abnormal publisher metadata, mismatched certificate chains, and revoked or unknown certificates, especially when the process runs with high privileges. For leaders, the decision value is validating that code signing is being checked as an operational trust signal, not treated as automatic proof that software is safe.
Executive priority
Prioritize this analytic where Windows endpoints, privileged administration, regulated audit evidence, or incident response confidence depend on knowing which signed code executed. The business question is whether the organization can distinguish expected signed software from suspicious signed binaries quickly enough to support containment, software trust decisions, and post-incident reporting. This is also relevant to control assurance: certificate reputation, revocation awareness, and publisher validation can expose gaps in endpoint telemetry, software inventory, and SOC triage quality.
Technical view
SOC and detection teams should validate whether Windows process execution events are enriched with signature status, certificate issuer/subject, publisher metadata, certificate chain details, issue date, and revocation or unknown-certificate indicators. Because no ATT&CK tactic or relationship context is supplied, this analytic should be treated as a cross-cutting Windows detection quality check rather than mapped to a specific adversary phase. IR teams should test whether high-privilege process executions can be correlated with certificate anomalies and whether analysts can compare publisher metadata against known-good enterprise software baselines.
Likely telemetry
- Windows process execution telemetry
- Code-signing certificate metadata for executed binaries
- Publisher name and file signature status
- Certificate chain validation results
- Certificate issue date and certificate age
Detection direction
- Validate that process execution logs include or can be enriched with code-signing and certificate-chain details; basic process names alone are insufficient. Not every process-creation source carries these fields: Sysmon's process-create event (Event ID 1), for example, records file hashes but not signature status, which Sysmon reports only for image loads (Event ID 7) and driver loads (Event ID 6), so enrichment may have to come from the EDR, a post-hoc Authenticode check, or a file-hash join against a signed-software inventory.
- Tune for unusual, recently issued, revoked, unknown, or mismatched certificates, with higher priority when execution occurs in high-privilege contexts.
- Baseline common enterprise publishers and approved software to reduce false positives from legitimate software updates, internal signing, and newly deployed applications.
- Review blind spots where endpoint tools record execution but not certificate metadata, where revocation checks are unavailable, or where offline systems cannot validate certificate status.
- Use this analytic as an investigative signal rather than a standalone verdict; signed code can be legitimate or suspicious depending on publisher, chain, timing, privilege, and local environment context.
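The triage logic the points above describe, as an added example that is not part of the AN0643 object or any MITRE detection content. It scores process-execution events that have already been enriched with signature status, publisher, issuer, chain result and certificate issue date, weights anomalies higher in high-privilege contexts, and compares publisher metadata against an approved-publisher baseline. The event schema, field names, baseline entries, sample events, point values and the 30-day "recently issued" threshold are all assumptions chosen for illustration; map them onto whatever your EDR or log pipeline actually emits.

```python
"""Triage scoring for Windows process events enriched with code-signing data.

Added example (not from the ATT&CK AN0643 object). The event schema, baseline,
thresholds and sample events below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed clock so the sample results are deterministic.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)

# Assumed approved-publisher baseline: signer subject CN -> expected issuer CN.
# In production this comes from the software inventory, not a literal.
TRUSTED_PUBLISHERS = {
    "Microsoft Windows": "Microsoft Windows Production PCA 2011",
    "Example Corp Internal Signing": "Example Corp Issuing CA 01",
}
HIGH_PRIV_LEVELS = {"High", "System"}   # integrity levels treated as privileged
NEW_CERT_DAYS = 30                      # assumption: younger certs are "recently issued"


@dataclass
class SignedProcessEvent:
    image: str
    integrity_level: str            # "Low" | "Medium" | "High" | "System"
    signature_status: str           # "Valid" | "Revoked" | "Unknown" | "NotSigned"
    publisher: Optional[str]        # signer certificate subject CN
    issuer: Optional[str]           # issuing CA subject CN
    chain_valid: bool               # chain built to a trusted root?
    cert_not_before: Optional[datetime]


@dataclass
class TriageResult:
    image: str
    score: int
    reasons: List[str] = field(default_factory=list)


def cert_age_days(ev: SignedProcessEvent, now: datetime) -> Optional[int]:
    """Days since the signing certificate's NotBefore, or None if unknown."""
    if ev.cert_not_before is None:
        return None
    return (now - ev.cert_not_before).days


def triage(ev: SignedProcessEvent, now: datetime = NOW) -> TriageResult:
    """Score one enriched process event; higher means more worth an analyst's time."""
    res = TriageResult(image=ev.image, score=0)

    def flag(points: int, why: str) -> None:
        res.score += points
        res.reasons.append(why)

    status = ev.signature_status
    if status == "Revoked":
        flag(5, "signing certificate is revoked")
    elif status == "Unknown":
        flag(4, "signing certificate is unknown or untrusted")
    elif status == "NotSigned":
        flag(1, "binary is unsigned")

    if status != "NotSigned":
        if not ev.chain_valid:
            flag(3, "certificate chain does not validate to a trusted root")
        expected_issuer = TRUSTED_PUBLISHERS.get(ev.publisher)
        if expected_issuer is None:
            flag(2, f"publisher {ev.publisher!r} not in approved baseline")
        elif ev.issuer != expected_issuer:
            # Publisher name matches a trusted entry but the chain does not: the
            # "abnormal publisher metadata / mismatched chain" case.
            flag(4, f"publisher {ev.publisher!r} signed by unexpected issuer {ev.issuer!r}")
        age = cert_age_days(ev, now)
        if age is not None and age < NEW_CERT_DAYS:
            flag(2, f"signing certificate issued {age} days ago")

    # Any anomaly counts for more when the process runs with high privilege.
    if res.score and ev.integrity_level in HIGH_PRIV_LEVELS:
        flag(3, f"anomaly in high-privilege context ({ev.integrity_level})")
    return res


def verdict(score: int) -> str:
    """Map a score to a triage bucket (thresholds are assumptions)."""
    if score >= 5:
        return "investigate"
    return "review" if score > 0 else "expected"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    SignedProcessEvent(r"C:\Windows\System32\svchost.exe", "System", "Valid",
                       "Microsoft Windows", "Microsoft Windows Production PCA 2011",
                       True, NOW - timedelta(days=730)),
    SignedProcessEvent(r"C:\Temp\helper.exe", "High", "Revoked",
                       "Contoso Ltd", "Contoso Public CA", True, NOW - timedelta(days=900)),
    SignedProcessEvent(r"C:\Users\Public\update.exe", "Medium", "Valid",
                       "Microsoft Windows", "Some Other Issuing CA", True, NOW - timedelta(days=5)),
    SignedProcessEvent(r"C:\Program Files\ExampleApp\app.exe", "Medium", "Valid",
                       "Example Corp Internal Signing", "Example Corp Issuing CA 01",
                       True, NOW - timedelta(days=10)),
]


def run(events=SAMPLE_EVENTS, now: datetime = NOW):
    """Triage every event and return (image, score, verdict, reasons) tuples."""
    out = []
    for ev in events:
        r = triage(ev, now)
        out.append((r.image, r.score, verdict(r.score), r.reasons))
    return out


if __name__ == "__main__":
    for image, score, bucket, reasons in run():
        print(f"{bucket:12} {score:3}  {image}")
        for why in reasons:
            print(f"             - {why}")
```

With the constructed events, the legitimately signed svchost.exe scores 0 and is left alone despite running as System, the revoked certificate in a high-integrity process scores highest, the binary whose publisher name matches Microsoft but whose issuer does not scores as an investigate-level mismatch even at medium integrity, and the freshly issued internal certificate lands in review rather than investigate because its publisher and issuer agree with the baseline. The weights are illustrative; the design point is that signature status, chain result, publisher baseline, certificate age and privilege level are combined rather than any one of them being treated as a verdict.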
Mitigation priorities
- Maintain an approved software and trusted publisher baseline for Windows environments.
- Ensure endpoint and SOC pipelines preserve certificate metadata and signature validation results for executed binaries.
- Define triage procedures for revoked, unknown, recently issued, or mismatched signing certificates, especially for privileged process execution.
- Review administrative execution paths and high-privilege software deployment practices so certificate anomalies are not ignored during routine operations.
- Use findings to support compliance evidence around software trust, endpoint monitoring, and incident response readiness where applicable.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and no relationships, tactics, or official detection logic are provided. The strongest use is to assess whether defenders can operationalize code-signing trust signals in Windows process monitoring and triage.
This take is limited to the official fields supplied for AN0643. It does not establish active exploitation, adversary attribution, specific ATT&CK tactic coverage, guaranteed detectability, or relevance beyond Windows. Local baselines and telemetry quality are required to determine practical coverage.
Analytic 0643
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page on Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e45ccbf45a44… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0643 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.