MITRE ATT&CK Technique
Defense Evasion T1553.002
Description

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.

Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing) (Citation: EclecticLightChecksonEXECodeSigning)

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

Supported Platforms
macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-02-05T16:27:37.784Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may create, acquire, or steal code signing '
                'materials to sign their malware or tools. Code signing '
                'provides a level of authenticity on a binary from the '
                'developer and a guarantee that the binary has not been '
                'tampered with. (Citation: Wikipedia Code Signing) The '
                'certificates used during an operation may be created, '
                'acquired, or stolen by the adversary. (Citation: Securelist '
                'Digital Certificates) (Citation: Symantec Digital '
                'Certificates) Unlike [Invalid Code '
                'Signature](https://attack.mitre.org/techniques/T1036/001), '
                'this activity will result in a valid signature.\n'
                '\n'
                'Code signing to verify software on first run can be used on '
                'modern Windows and macOS systems. It is not used on Linux due '
                'to the decentralized nature of the platform. (Citation: '
                'Wikipedia Code Signing)(Citation: '
                'EclecticLightChecksonEXECodeSigning)\n'
                '\n'
                'Code signing certificates may be used to bypass security '
                'policies that require signed code to execute on a system. ',
 'external_references': [{'external_id': 'T1553.002',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1553/002'},
                         {'description': 'Howard Oakley. (2020, November 16). '
                                         'Checks on executable code in '
                                         'Catalina and Big Sur: a first draft. '
                                         'Retrieved September 21, 2022.',
                          'source_name': 'EclecticLightChecksonEXECodeSigning',
                          'url': 'https://eclecticlight.co/2020/11/16/checks-on-executable-code-in-catalina-and-big-sur-a-first-draft/'},
                         {'description': 'Ladikov, A. (2015, January 29). Why '
                                         'You Shouldn’t Completely Trust Files '
                                         'Signed with Digital Certificates. '
                                         'Retrieved March 31, 2016.',
                          'source_name': 'Securelist Digital Certificates',
                          'url': 'https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/'},
                         {'description': 'Shinotsuka, H. (2013, February 22). '
                                         'How Attackers Steal Private Keys '
                                         'from Digital Certificates. Retrieved '
                                         'March 31, 2016.',
                          'source_name': 'Symantec Digital Certificates',
                          'url': 'http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates'},
                         {'description': 'Wikipedia. (2015, November 10). Code '
                                         'Signing. Retrieved March 31, 2016.',
                          'source_name': 'Wikipedia Code Signing',
                          'url': 'https://en.wikipedia.org/wiki/Code_signing'}],
 'id': 'attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:37.098Z',
 'name': 'Code Signing',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['macOS', 'Windows'],
 'x_mitre_version': '1.2'}
Related Threat Actors (26)
LuminousMoth
High

Medusa Group
High

Wizard Spider
High

FIN7
High

OilRig
High