#authenticode
I see, I understood from the text that stuffing data on certificate padding was a legitimate feature of Authenticode but it is actually a legacy behavior that should not be relied on.
December 17, 2025 at 7:33 PM
Adobe tries to cheat Authenticode, which can result in additional blocks and security warnings.

textslashplain.com/2024/11/15/b...
December 17, 2025 at 7:01 PM
As far as I can tell, MD5 is still considered totes valid for Authenticode digests.
December 4, 2025 at 12:09 AM
Is that the equivalent of an authenticode cert? And did you still need to purchase that cert and then install it? (Will read the code to attempt to answer my own questions, but being lazy)
November 28, 2025 at 10:54 PM
But, CABs themselves are Authenticode signable. We do that for external MSI CABs.

Tip: one shouldn’t add to your MSI that the CABs are signed. This slows down install a lot and doesn’t serve any good purpose.
October 21, 2025 at 2:44 AM
To be Authenticode signable without writing and deploying your own SIP, use the Open Document Convention, which uses, sadly, CABs. That’s what I ended up doing for the “new” VSSetup engine for that very reason.
October 21, 2025 at 12:57 AM
Take any dotnet program, for instance, drop .config files into the app directory, and watch the fireworks happen. Config files are executable equivalents in the dotnet world. Trusted .exe + malicious .config = attacker code running, and it even passes all the Authenticode checks!
September 17, 2025 at 11:40 PM
Here’s a safe, concrete mini‑lab you can run now: on Windows x64 with MSVC build a tiny Release console app using /GL /GS /sdl /guard:cf /Oi /Gy and link with /OPT:REF,ICF; export only what’s necessary, keep PDBs off the shipped binary, minimize RTTI, Authenticode‑sign it (e.g., signtool sign /fd...
September 7, 2025 at 10:53 PM
[RSS] Investigating a Mysteriously Malformed Authenticode Signature -- Elastic Security Labs
www.elastic.co
September 5, 2025 at 6:16 AM
Elastic Security Labs solved a rare case: a malformed Authenticode signature caused by Microsoft’s legacy heuristics.
The issue? A false positive marker collision broke validation.

💡 Lesson: Always validate signatures in CI/CD and know that legacy detection logic can still trip you up.
September 4, 2025 at 2:42 PM
Investigating a Mysteriously Malformed Authenticode Signature
www.elastic.co
September 3, 2025 at 8:39 PM
> ActiveX security model relied almost entirely on identifying trusted component developers using a code signing technology called Authenticode. Developers had to register with Verisign (US$20 per year for individuals, $400 for corporations) and sign a contract, promising not to develop malware.
September 3, 2025 at 2:53 AM
~Elastic~
Windows can incorrectly flag signed binaries as malformed due to a decade-old heuristic that scans for hardcoded 'invalid markers' within the signature block.
-
IOCs: (None identified)
-
#Authenticode #ThreatIntel #Windows
Investigating Malformed Authenticode Signatures
www.elastic.co
September 2, 2025 at 8:04 PM
This blog post about impostor certificates by @SquiblydooBlog is a gem and very relevant right now.

Or: How threat actors impersonate companies to obtain authenticode certificates for signing their malware.
And why revocation is important.

squiblydoo.blog/2024/05/13/i...
Impostor Certificates
It is common for malware to be signed with code signing certificates. How is this possible? Impostors receive the cert directly and sign malware. In this blog-post, we look at 100 certs used by Sol…
squiblydoo.blog
August 31, 2025 at 7:48 PM
Spottycat Industries auditing services hereby attests that TC Fox is using key vault properly. MS plz gib TC authenticode cert
furry.im
August 17, 2025 at 5:49 AM
With Authenticode & CA/B Forum–compliant code signing, intent ≠ immunity.

The Baseline Requirements define revocation conditions based on use in the wild, not the developer’s intent.

Ship signed code? Design it to resist abuse — attackers can weaponize your trust, and your cert can be pulled.
August 15, 2025 at 4:15 AM
Understanding Windows Authenticode signing: the digital signature does not cover every byte in the file.

learn.microsoft.com/en-us/window...
Understanding Executable File Signing - Win32 apps
Notes about the use of Authenticode signing of executable files
learn.microsoft.com
August 13, 2025 at 3:50 PM
the good thing about lenovo's support downloads is that they actually provide file hashes

the bad thing about them is that this is somehow the second time the uefi firmware updater has a valid authenticode signature and all but not matching the listed hashes?
July 29, 2025 at 11:59 AM
News from BleepingComputer

"Hackers turn ScreenConnect into malware using Authenticode stuffing" #bolhasec
Hackers turn ScreenConnect into malware using Authenticode stuffing
Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client's Authenticode signature.
www.bleepingcomputer.com
July 17, 2025 at 12:30 PM
Simon Tatham explaining putty dot org is not the home of PuTTY
July 13, 2025 at 2:47 PM
🚨 Hackers exploit ConnectWise ScreenConnect! Using "authenticode stuffing," attackers craft signed malware, making it look legit. Phishing campaigns spread trojanized clients via fake PDFs & Canva links. Download only from official sources! #CyberSecurity #Malware snip.ly/8koygl
Hackers Exploit ConnectWise ScreenConnect Installers to Deploy Signed Remote Access Malware
Initial evidence of these attacks surfaced on the BleepingComputer forums, where victims shared reports of infections following phishing lures.
snip.ly
July 3, 2025 at 3:18 PM
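The Microsoft note earlier in the feed (the signature does not cover every byte in the file) and the ScreenConnect "Authenticode stuffing" posts describe the same property, so one added example serves both; it is not code from any of the posts or the linked articles. It builds a header-only PE32+ image, digests it the way the Authenticode PE specification describes (skipping the CheckSum field, the security data-directory entry and the attribute certificate table), and shows that bytes added to the certificate table change the whole-file SHA-256 but not the Authenticode digest. Assumptions: field offsets are taken from the PE/COFF specification for PE32+ only, the image has no sections, so the per-section ordering step of the real algorithm is omitted, and all byte values are constructed.

```python
import hashlib
import struct

# Assumed PE32+ layout (PE/COFF spec): e_lfanew at 0x3c, optional-header CheckSum
# at +64, data directories at +112, security directory = entry 4 (offset, size).
SECURITY_DIR_INDEX = 4

def build_minimal_pe(cert_content: bytes) -> bytes:
    """Constructed sample: header-only PE32+ image plus one WIN_CERTIFICATE entry."""
    pe_off = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    opt_size = 240                                         # PE32+ optional header
    size_of_headers = pe_off + 4 + 20 + opt_size
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                  # Magic: PE32+
    struct.pack_into("<I", opt, 60, size_of_headers)       # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)            # CheckSum (not digested)
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    # WIN_CERTIFICATE header: dwLength, wRevision 0x0200, wCertificateType 2 (PKCS#7)
    cert = struct.pack("<IHH", 8 + len(cert_content), 0x0200, 0x0002) + cert_content
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, size_of_headers, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    """Digest every byte except CheckSum, the security directory entry and the
    certificate table, as the Authenticode PE spec does (header-only image assumed)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    opt_off = pe_off + 4 + 20
    if struct.unpack_from("<H", pe, opt_off)[0] != 0x20B:
        raise ValueError("only PE32+ offsets are handled here")
    checksum_off = opt_off + 64
    secdir_off = opt_off + 112 + 8 * SECURITY_DIR_INDEX
    cert_off, cert_len = struct.unpack_from("<II", pe, secdir_off)
    skipped = [(checksum_off, 4), (secdir_off, 8)] + ([(cert_off, cert_len)] if cert_len else [])
    h, pos = hashlib.new(algo), 0
    for start, length in sorted(skipped):
        h.update(pe[pos:start])
        pos = start + length
    h.update(pe[pos:])                                     # bytes after the last skipped region
    return h.hexdigest()

def stuffing_leaves_digest_unchanged() -> bool:
    """Extra bytes inside the certificate table change the whole-file SHA-256 but
    not the Authenticode digest: a valid signature is not a whole-file hash check."""
    base = build_minimal_pe(b"<pkcs7 blob>")
    stuffed = build_minimal_pe(b"<pkcs7 blob>" + b"<unauthenticated settings>")
    plain_differs = hashlib.sha256(base).digest() != hashlib.sha256(stuffed).digest()
    return plain_differs and authenticode_digest(base) == authenticode_digest(stuffed)
```

The defender's takeaway is the one the Lenovo post makes: a valid signature does not prove the file matches a published hash, so compare whole-file hashes or check the certificate table's declared length against what it actually contains.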
Luckily you don’t need to use the Authenticode cmdlets, you can use the same signtool instructions for pwsh scripts as it all goes into the same thing. The ultimate issue is the cost and how to integrate your workflows.
July 2, 2025 at 6:12 PM
Nice! That's very similar to what I'm doing. I use AzureSignTool and some other authenticode module for signing the modules.
July 1, 2025 at 4:03 PM