Detailedseverity: Very HighDraft

CAPEC-206Signing Malicious Code

Abstraction
Detailed
Status
Draft
Severity
Very High

Description

The adversary extracts credentials used for code signing from a production environment and then uses these credentials to sign malicious content with the developer's key. Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the adversary has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the adversary to execute arbitrary code on the victim's computer. This differs from CAPEC-673, because the adversary is performing the code signing.

Related weaknesses· 1

CWE-732

MITRE ATT&CK crosswalk· 1

T1553.002: Subvert Trust Controls:Code Signing

Related attack patterns· 1

CAPEC-444 (ChildOf)

Exploits1

TypeTargetConfidenceTier
WeaknessIncorrect Permission Assignment for Critical Resourcecwe-732100%live

Related to1

TypeTargetConfidenceTier
SubTechniqueCode Signingt1553.002100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC
Developer Signing Maliciously Altered Software
CAPEC
Subvert Code-signing Facilities
CAPEC
Signature Spoofing by Misrepresentation
Sub-technique
Code Signing
Sub-technique
Code Signing Certificates
CAPEC
Signature Spoofing by Key Theft
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.