DET0230: Detect Suspicious or Malicious Code Signing Abuse
Analyst context for executives and security teams
DET0230 is a detection strategy for suspicious or malicious abuse of code signing, linked by ATT&CK to Code Signing (T1553.002). The business issue is trust: signed software is often treated as safer by users, operating systems, and security controls. If an adversary creates, acquires, or steals signing materials, malicious tools may appear more legitimate and complicate response decisions.
Executive priority
Security leaders should treat code-signing abuse as an integrity and trust-control problem, not only a malware problem. Priority questions include: who owns certificate governance, how quickly can suspicious signed binaries be investigated, and whether incident response can distinguish trusted internal signing from acquired, stolen, or unusual certificates. This matters for resilience, audit evidence, and control prioritization on Windows and macOS environments associated with the related ATT&CK technique.
Technical view
The supplied detection strategy has no official MITRE detection text and no platforms specified on the strategy itself. The relationship ties it to T1553.002, Code Signing, under defense-impairment, with related platforms macOS and Windows. SOC and detection teams should validate whether they can inspect executable signing metadata, certificate chains, signer identity, signing timestamps, reputation or prevalence of signed files, and deviations from approved enterprise signing patterns. IR teams should be ready to preserve signed binaries and certificate details during triage so trust decisions are evidence-based rather than assumed from the presence of a valid signature.
Likely telemetry
- Executable and script file metadata, including signer, certificate chain, signing timestamp, and signature validity
- Endpoint process execution and file creation events for signed binaries
- Security tool alerts or inventory records that include code-signing attributes
- Certificate inventory or allowlist records for approved internal and third-party signers
- macOS and Windows endpoint telemetry where the related technique is in scope
Detection direction
- Confirm that detections do not treat a valid signature as inherently benign; signed files still need behavioral and contextual review.
- Baseline approved enterprise and trusted third-party signers, then look for unusual signers, rare certificates, unexpected paths, or signed binaries appearing outside normal deployment channels.
- Tune for false positives from legitimate software updates, developer tooling, and newly introduced vendor certificates.
- Correlate signing metadata with process behavior, file origin, prevalence, and deployment context rather than alerting on signature state alone.
- Because the ATT&CK strategy provides no official detection logic, require local validation with representative endpoint telemetry and known-good software distribution patterns.
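The triage logic below is an added example, not detection content from the ATT&CK object or from Glexia. It applies the directions above to constructed endpoint execution events: a valid signature never clears an event by itself, signers are checked against a hypothetical approved-signer baseline, rare certificates and binaries running outside normal deployment paths are flagged, and the reasons are returned together for correlation. All signer names, thumbprints, paths and thresholds are assumed sample values.

```python
# Added example: triage rules for signed-binary execution events.
# Signer names, thumbprints, paths and thresholds are constructed, not real data.
from dataclasses import dataclass

# Constructed baseline of approved enterprise and third-party signers.
APPROVED_SIGNERS = {"Contoso Corp Release Signing", "Microsoft Windows", "Apple Inc."}
# Constructed: locations where deployed signed binaries normally run from.
DEPLOY_PREFIXES = ("C:\\Program Files\\", "C:\\Windows\\", "/Applications/")
RARE_PREVALENCE = 3  # certificate seen on fewer hosts than this counts as rare


@dataclass
class SignedExecEvent:
    host: str
    path: str
    signer: str           # subject of the leaf signing certificate
    thumbprint: str       # leaf certificate thumbprint (placeholder values)
    signature_valid: bool  # False covers invalid, expired or revoked signatures
    prevalence: int       # number of hosts that have seen this thumbprint


def triage(ev: SignedExecEvent) -> list:
    """Return the reasons this event needs review; an empty list means nothing
    unusual. A valid signature on its own never removes an event from review."""
    reasons = []
    if not ev.signature_valid:
        reasons.append("invalid_or_revoked_signature")
    if ev.signer not in APPROVED_SIGNERS:
        reasons.append("signer_not_in_baseline")
    if ev.prevalence < RARE_PREVALENCE:
        reasons.append("rare_certificate")
    if not ev.path.startswith(DEPLOY_PREFIXES):
        reasons.append("outside_deployment_path")
    return reasons


def triage_batch(events) -> dict:
    """Map each flagged binary path to its review reasons; clean events are dropped."""
    findings = {}
    for ev in events:
        reasons = triage(ev)
        if reasons:
            findings[ev.path] = reasons
    return findings


# Constructed sample: a normal deployment, an unknown signer in a download folder,
# and an approved signer name with a rare, invalid signature in a temp directory.
SAMPLE_EVENTS = [
    SignedExecEvent("ws01", "C:\\Program Files\\Contoso\\agent.exe",
                    "Contoso Corp Release Signing", "AA11", True, 250),
    SignedExecEvent("ws02", "C:\\Users\\jdoe\\Downloads\\update.exe",
                    "Acme Tools Ltd", "BB22", True, 1),
    SignedExecEvent("ws03", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe",
                    "Microsoft Windows", "CC33", False, 2),
]

if __name__ == "__main__":
    for path, reasons in triage_batch(SAMPLE_EVENTS).items():
        print(path, "->", ", ".join(reasons))
```

The thresholds and path prefixes are where local tuning for developer tooling and new vendor certificates happens; the reason list is meant to be joined with process behaviour and file-origin data before an alert is raised.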
Mitigation priorities
- Establish ownership and inventory for enterprise code-signing certificates and approved signers.
- Protect signing materials with strong access control and operational separation appropriate to their trust value.
- Define incident response procedures for suspicious signed binaries, including certificate capture, signer review, and revocation or containment decision paths where applicable.
- Review endpoint and application-control policies to ensure signed status is not the only trust criterion.
- Maintain audit-ready evidence of certificate governance, approved signer baselines, and investigation procedures for signed-code anomalies.
Analyst notes and limits
This analysis is based on the ATT&CK detection strategy metadata and its relationship to T1553.002 Code Signing. Its decision value is strongest where organizations rely on signed-software trust, endpoint allowlisting, software distribution controls, or certificate governance.
The detection strategy object has no official description, no official detection guidance, no tactics, and no platforms specified. Platform context is only available from the related technique, which lists macOS and Windows. Local telemetry, certificate inventories, and software deployment practices are required to determine actual coverage.
Detect Suspicious or Malicious Code Signing Abuse
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1553.002 | Code Signing Sub-technique | This object detects Code Signing. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 16b1795e9dfc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0230 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.