T1588.003: Code Signing Certificates
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.[1] Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
Prior to Code Signing, adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.
Analyst context for executives and security teams
Code signing certificates matter because they can make malicious executables or scripts look more trustworthy to users and security tools. This is a pre-compromise resource-development behavior: adversaries may buy certificates through a front organization, use stolen identity information to obtain them, or steal signing material from a third party before later using code signing in an operation.
Executive priority
Treat code-signing trust as a business-risk control, not only a developer tooling issue. Leaders should ask whether the organization can prove who can request, hold, and use signing certificates; whether compromised or suspicious certificates can be revoked quickly; and whether SOC and incident response teams can investigate signed code without assuming it is safe. This supports resilience, software integrity evidence for audits, supplier-risk decisions, and, for industrial organizations, assurance that trusted software paths are not a blind spot.
Technical view
ATT&CK places this as PRE platform activity under Resource Development and as a sub-technique of Obtain Capabilities. There is no official ATT&CK detection text for this object, but ATT&CK links it to DET0875, Detection of Code Signing Certificates, and to M1056, Pre-compromise mitigation. SOC and IR teams should validate whether signed binaries/scripts are inspected for signer, certificate chain, issuance details, revocation state, and novelty rather than automatically trusted. Detection engineering should connect this pre-compromise behavior to later Code Signing activity where signed payloads appear in the environment.
Likely telemetry
- Certificate inventory and ownership records for organizational code-signing certificates
- Certificate issuance, renewal, revocation, and certificate authority records where accessible
- Code-signing pipeline logs and records of which accounts or systems used signing material
- Key custody, access, and administrative audit logs for signing infrastructure
- Endpoint, EDR, application-control, and file-execution telemetry containing signer and certificate metadata
Detection direction
- Do not treat a valid signature as a clean verdict; validate signer reputation, certificate age, issuing context, revocation status, and whether the signed file is expected in the environment.
- Baseline legitimate internal and supplier signing certificates so new, unusual, expired, revoked, or mismatched certificates can be reviewed.
- Tune detections to reduce false positives from normal software updates while preserving alerts for rare signers, unexpected paths, unusual scripts/executables, or signed code appearing outside approved deployment channels.
- Because the ATT&CK object is PRE and has no official detection text, combine internal telemetry with threat intelligence and certificate governance evidence rather than relying on endpoint alerts alone.
- Use the relationship context as prioritization evidence: ATT&CK associates this behavior with multiple groups and campaigns and with the MegaCortex ransomware, whose reported targeting has mainly been industrial organizations.
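The technical view above says signed binaries and scripts should be inspected for signer, issuance details, revocation state and novelty rather than trusted, and the detection bullets turn that into concrete checks (baseline match, certificate age, revocation, first-seen, expected path). The following is an added example, not code from MITRE ATT&CK or from the original page, that runs those checks over constructed EDR-style signed-file events. The event fields, the approved-certificate baseline, the revocation set, the path allowlist and the time windows are all assumptions for illustration; in practice they come from the certificate inventory, CA/CRL data and endpoint signer metadata listed under "Likely telemetry".

```python
"""Added example: triage of signed-file telemetry against a certificate baseline.

Not code from MITRE ATT&CK or the original page. Event fields, the baseline,
the revocation set, the path allowlist and the time windows are assumed for
illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed baseline: thumbprints of code-signing certificates the organization approved.
APPROVED_THUMBPRINTS = {
    "A1B2": "internal release signing (build pipeline)",
    "C3D4": "Vendor X installer signing",
    "E5F6": "Vendor Y agent signing",
}
# Constructed revocation data (CRL/OCSP export or internal revocation record).
REVOKED_THUMBPRINTS = {"E5F6"}          # Vendor Y key reported stolen, cert revoked
# Paths where signed code normally lands via approved deployment channels (assumed).
APPROVED_PATH_PREFIXES = ("C:\\Program Files\\", "C:\\Windows\\")
NEW_CERT_WINDOW = timedelta(days=30)    # a cert issued this recently counts as "new"
FIRST_SEEN_WINDOW = timedelta(days=7)   # a signer first seen this recently counts as novel
HARD_FINDINGS = {"signature invalid", "certificate revoked",
                 "signing time outside certificate validity"}


@dataclass
class SignedFileEvent:
    host: str
    path: str
    signer_subject: str
    thumbprint: str
    not_before: datetime
    not_after: datetime
    signature_valid: bool        # cryptographic check already done by the endpoint agent
    signing_time: datetime       # from the timestamp countersignature
    first_seen_in_fleet: datetime


def score_event(ev: SignedFileEvent, now: datetime) -> list[str]:
    """Return review findings; an empty list means the file matched the baseline."""
    findings = []
    if not ev.signature_valid:
        findings.append("signature invalid")
    if ev.thumbprint in REVOKED_THUMBPRINTS:          # revocation overrides the baseline
        findings.append("certificate revoked")
    if not (ev.not_before <= ev.signing_time <= ev.not_after):
        findings.append("signing time outside certificate validity")
    if ev.thumbprint not in APPROVED_THUMBPRINTS:
        findings.append("signer not in baseline")
    if now - ev.not_before < NEW_CERT_WINDOW:
        findings.append("certificate issued recently")
    if now - ev.first_seen_in_fleet < FIRST_SEEN_WINDOW:
        findings.append("signer new to fleet")
    if not ev.path.startswith(APPROVED_PATH_PREFIXES):
        findings.append("signed code outside approved deployment path")
    return findings


def verdict(findings: list[str]) -> str:
    """alert: hard evidence of misuse; review: unusual but plausible; allow: matches baseline."""
    if any(f in HARD_FINDINGS for f in findings):
        return "alert"
    return "review" if findings else "allow"


def triage(events, now):
    """Map 'host:path' to (verdict, findings) for a batch of signed-file events."""
    out = {}
    for ev in events:
        findings = score_event(ev, now)
        out[f"{ev.host}:{ev.path}"] = (verdict(findings), findings)
    return out


def _utc(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # Legitimate internal release build on an approved path.
    SignedFileEvent("ws01", "C:\\Program Files\\Acme\\updater.exe", "CN=Acme Corp",
                    "A1B2", _utc(2023, 1, 1), _utc(2026, 1, 1), True,
                    _utc(2024, 5, 20), _utc(2023, 2, 1)),
    # Validly signed by a freshly issued certificate from a signer never seen before,
    # dropped into a user temp directory: the front-organization purchase pattern.
    SignedFileEvent("ws02", "C:\\Users\\bob\\AppData\\Local\\Temp\\inv0ice.exe",
                    "CN=Totally Legit Software Ltd", "9F9F", _utc(2024, 5, 15),
                    _utc(2025, 5, 15), True, _utc(2024, 5, 28), _utc(2024, 5, 30)),
    # Approved vendor certificate that was stolen and revoked: the signature still
    # verifies and the path is normal, but revocation state makes it an alert.
    SignedFileEvent("srv01", "C:\\Program Files\\VendorY\\agent.exe", "CN=Vendor Y",
                    "E5F6", _utc(2022, 1, 1), _utc(2025, 1, 1), True,
                    _utc(2024, 5, 1), _utc(2022, 3, 1)),
]

if __name__ == "__main__":
    for key, (v, fs) in triage(SAMPLE_EVENTS, _utc(2024, 6, 1)).items():
        print(f"{v:6} {key}  {'; '.join(fs) or 'matches baseline'}")
```

The point of the split between hard and soft findings is the one made in the bullets: a valid signature from an approved certificate still produces an alert once that certificate is revoked, while a valid signature from an unknown, freshly issued certificate in an odd location is routed to review rather than silently allowed. Tuning the time windows and the path allowlist is where false positives from normal software updates are removed.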
Mitigation priorities
- Implement M1056-style pre-compromise controls: reduce exposure of information and processes that could help an adversary obtain or impersonate certificate ownership.
- Centralize ownership, approval, inventory, and periodic review of code-signing certificates and signing material.
- Restrict and audit access to signing keys and signing systems; separate certificate request authority from day-to-day build or deployment activity where feasible.
- Prepare revocation and incident response procedures for suspected certificate theft or misuse, including how signed software will be identified and blocked if needed.
- Require supplier and third-party software assurance evidence for signed code that enters the environment, especially for critical business or industrial operations.
Analyst notes and limits
This technique is strategically important because it attacks trust. The main defensive decision is whether the organization can distinguish legitimate signed software from adversary-prepared signed code and can respond when that trust anchor is abused. Relationship context shows use by several ATT&CK-tracked campaigns, groups, and software, but those relationships should be used for prioritization rather than assumed local exposure.
MITRE provides no official detection text for T1588.003, and the platform is PRE, meaning much of the activity may occur outside enterprise visibility. Local certificate governance, software inventory, endpoint telemetry, supplier records, and threat intelligence are required to assess real coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1588 | Obtain Capabilities | This object is a sub-technique of Obtain Capabilities. |
Groups, software, and campaigns
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
G0098: BlackTech
BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[1][2][3]
G0061: FIN8
FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.[1][2][3][4]
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam.[1][2][3][4][5][6][7][8][9][10][11][12][13]
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
S0576: MegaCortex
MegaCortex is ransomware that first appeared in May 2019.[1] MegaCortex has mainly targeted industrial organizations.[2][3]
C0038: HomeLand Justice
HomeLand Justice was a disruptive cyber campaign conducted by Iranian state-affiliated actors against Albanian government networks in July and September 2022. The activity combined ransomware, wiper malware, and data leak operations. Initial access for HomeLand Justice was established as early as May 2021, and threat actors moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the destructive phase of the operation. Responsibility was claimed by the "HomeLand Justice" front, which framed the campaign as retaliation against the Mujahedeen-e Khalq (MEK), an Iranian opposition group with a presence in Albania. Multiple Iran-nexus groups are assessed to have participated in the campaign, including HEXANE who probed victim infrastructure.[1][2][3] A second wave of attacks was launched in September 2022 using similar tactics following public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.[3]
C0040: APT41 DUST
APT41 DUST was conducted by APT41 from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. APT41 DUST targeted sectors such as shipping, logistics, and media for information gathering purposes. APT41 used previously-observed malware such as DUSTPAN as well as newly observed tools such as DUSTTRAP in APT41 DUST.[1]
C0022: Operation Dream Job
Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[1][2][3][4]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by raw hash and MITRE modification timestamp. For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 06dac5bc3f8d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.
[2] MITRE ATT&CK. T1588.003: Code Signing Certificates.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.