Attack Delivered via Legitimately Signed Update

The malicious artifact carries a valid signature from the vendor's real signing key, so traditional allow-by-signature controls (Authenticode policy, Cosign verification, macOS notarization) do not flag it. Detection must pivot to behavioral indicators, reputation, and anomaly-based signals.

Signals

•Malicious artifact passes Authenticode / Cosign / notarization verification cleanly
•EDR reputation services rate the artifact as unknown or low-prevalence despite the valid signature
•Artifact publishes abnormal telemetry (outbound C2, credential access, persistence) relative to expected vendor behavior

Pivot Actions

1.Configure EDR policies to treat unknown-prevalence signed binaries as restricted, not allowed-by-default, at least for affected vendor signing certificates
2.Add short-term signing-certificate-specific block rules that cover the compromised release window while the vendor rotates keys
3.Hunt by behavior rather than hash: atypical child processes, unusual persistence, outbound network to non-vendor domains
4.Coordinate with the vendor and CA to revoke affected signing material and publish CRL updates

Alternate Evidence Sources

•EDR behavioral telemetry (process trees, file events, network events) during the suspected compromise window
•Certificate Transparency logs and CA revocation records for signing-material timeline
•Vendor-published clean-build hashes (if available) for positive allowlist enforcement

Related Procedures

Scope a Supply-Chain Compromise

triage

Roll Back and Block the Compromised Release

contain

Comprehensive Persistence Mechanism Sweep

eradicate