MITRE ATT&CK Technique
Description
Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) However, adversaries are known to use code signing certificates to masquerade malware and tools as legitimate binaries (Citation: Janicab). The certificates used during an operation may be created, forged, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates)

Code signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.
Supported Platforms
macOS, Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:31:26.474Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Code signing provides a level of authenticity on a binary '
'from the developer and a guarantee that the binary has not '
'been tampered with. (Citation: Wikipedia Code Signing) '
'However, adversaries are known to use code signing '
'certificates to masquerade malware and tools as legitimate '
'binaries (Citation: Janicab). The certificates used during an '
'operation may be created, forged, or stolen by the adversary. '
'(Citation: Securelist Digital Certificates) (Citation: '
'Symantec Digital Certificates)\n'
'\n'
'Code signing to verify software on first run can be used on '
'modern Windows and macOS/OS X systems. It is not used on '
'Linux due to the decentralized nature of the platform. '
'(Citation: Wikipedia Code Signing)\n'
'\n'
'Code signing certificates may be used to bypass security '
'policies that require signed code to execute on a system.',
'external_references': [{'external_id': 'T1116',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1116'},
{'description': 'Wikipedia. (2015, November 10). Code '
'Signing. Retrieved March 31, 2016.',
'source_name': 'Wikipedia Code Signing',
'url': 'https://en.wikipedia.org/wiki/Code_signing'},
{'description': 'Thomas. (2013, July 15). New signed '
'malware called Janicab. Retrieved '
'July 17, 2017.',
'source_name': 'Janicab',
'url': 'http://www.thesafemac.com/new-signed-malware-called-janicab/'},
{'description': 'Ladikov, A. (2015, January 29). Why '
'You Shouldn’t Completely Trust Files '
'Signed with Digital Certificates. '
'Retrieved March 31, 2016.',
'source_name': 'Securelist Digital Certificates',
'url': 'https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/'},
{'description': 'Shinotsuka, H. (2013, February 22). '
'How Attackers Steal Private Keys '
'from Digital Certificates. Retrieved '
'March 31, 2016.',
'source_name': 'Symantec Digital Certificates',
'url': 'http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates'}],
'id': 'attack-pattern--1b84d551-6de8-4b96-9930-d177677c3b1d',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:48:28.518Z',
'name': 'Code Signing',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['macOS', 'Windows'],
'x_mitre_version': '1.1'}