Esc
Invalid Code Signature - T1036.001
(ATT&CK® Technique)
Definition
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1036001["Invalid Code Signature"] --> |creates| ExecutableBinary["Executable Binary"]; class T1036001 OffensiveTechniqueNode;
class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
click T1036001 href "/offensive-technique/attack/T1036.001/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1036001["Invalid Code Signature"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1036001["Invalid Code Signature"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableBinary["Executable Binary"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1036001["Invalid Code Signature"] ;
class DecoyFile DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableBinary["Executable Binary"];
FileEncryption["File Encryption"] -.->
| may-harden | T1036001["Invalid Code Signature"] ;
class FileEncryption DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableBinary["Executable Binary"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1036001["Invalid Code Signature"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; FileEviction["File Eviction"] -->
| deletes | ExecutableBinary["Executable Binary"];
FileEviction["File Eviction"] -.->
| may-evict | T1036001["Invalid Code Signature"] ;
class FileEviction DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableBinary["Executable Binary"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1036001["Invalid Code Signature"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; RestoreFile["Restore File"] -->
| restores | ExecutableBinary["Executable Binary"];
RestoreFile["Restore File"] -.->
| may-restore | T1036001["Invalid Code Signature"] ;
class RestoreFile DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableBinary["Executable Binary"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1036001["Invalid Code Signature"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1036001["Invalid Code Signature"] ;
class FileAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | ExecutableBinary["Executable Binary"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1036001["Invalid Code Signature"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableBinary["Executable Binary"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1036001["Invalid Code Signature"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";