Adversaries may use short-lived (ephemeral) code signing certificates to sign malicious payloads, slipping past certificate-validation and reputation-based controls that assume signing certificates live for years. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential Malware-Signing-as-a-Service (MSaaS) campaigns that evade long-term certificate monitoring.
KQL Query
// --- ADAPTATION GUIDE ---
// 1. ephemeralThreshold: 14 days is the 'anomalous zone'. Values over 30d may lead to higher false positives.
// 2. devSoftwareKeywords: Add internal dev tools (e.g., 'Jenkins', 'TeamCity') to reduce noise.
// 3. devDeviceTags: Add your internal dev device group names to reduce noise.
// 4. excludedIssuers: Add your organization's internal CA name here to prevent false positives.
let ephemeralThreshold = 14d;
let lookback = 7d;
let devSoftwareKeywords = dynamic(["Visual Studio", "IntelliJ", "Jenkins", "GitHub", "Git", "Kubernetes", "Docker", "Sublime"]);
let devDeviceTags = dynamic(["Engineering", "Dev-Workstation", "Build-Server"]);
let excludedIssuers = dynamic(["Internal-CA-Example", "Local-Admin-Signer"]);
// Step 1: Build a lookup table of developer assets likely to use legitimate short-lived certificates, via software inventory and device tags
let devAssets = (
    DeviceTvmSoftwareInventory
    | where SoftwareName has_any (devSoftwareKeywords)
    | summarize by DeviceId
    | union (
        DeviceInfo
        | where Timestamp >= ago(lookback)
        | where RegistryDeviceTag has_any (devDeviceTags)
        // Optional columns, if populated in your tenant: or DeviceDynamicTags has_any (devDeviceTags)
        // Optional columns, if populated in your tenant: or DeviceManualTags has_any (devDeviceTags)
        | summarize by DeviceId
    )
    | summarize by DeviceId
);
// Step 2: Identify certificates within the 14-day anomalous window
DeviceFileCertificateInfo
| extend TotalLifespan = CertificateExpirationTime - CertificateCreationTime
| where TotalLifespan <= ephemeralThreshold and TotalLifespan > 0d
| where isnotempty(Issuer) and not(Issuer has_any (excludedIssuers))
// Step 3: Remove known dev machines to surface anomalies on standard user endpoints
| join kind=leftanti (devAssets) on DeviceId
// Step 4: Enrich with the latest machine details
| join kind=inner (
    DeviceInfo
    | where Timestamp >= ago(lookback)
    | summarize arg_max(Timestamp, *) by DeviceId
) on DeviceId
| project
    Timestamp,
    DeviceName,
    DeviceId,
    PublicIP,
    LoggedOnUsers,
    SHA1,
    Signer,
    Issuer,
    IsTrusted,
    TotalLifespan,
    CertificateCreationTime,
    CertificateExpirationTime
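The following Python model is an added example, not code from the page or from Microsoft; it re-implements the four steps of the KQL query above over constructed sample rows so the filtering logic (ephemeral window, issuer exclusion, leftanti suppression of developer assets, inner-join enrichment with the latest DeviceInfo row) can be exercised offline. Table and column names follow the page's query; all device IDs, hashes, IP addresses, issuers and signers are invented. The optional excluded_signers parameter is an assumption that goes beyond the page's query: it models the Signer-based exclusions described in the false-positive scenarios further down, since DeviceFileCertificateInfo carries certificate fields (Signer, Issuer) rather than process names.

```python
import re
from datetime import datetime, timedelta, timezone

# Tunables mirroring the 'let' statements in the KQL query
EPHEMERAL_THRESHOLD = timedelta(days=14)
LOOKBACK = timedelta(days=7)
DEV_SOFTWARE_KEYWORDS = ["Visual Studio", "IntelliJ", "Jenkins", "GitHub", "Git",
                         "Kubernetes", "Docker", "Sublime"]
DEV_DEVICE_TAGS = ["Engineering", "Dev-Workstation", "Build-Server"]
EXCLUDED_ISSUERS = ["Internal-CA-Example", "Local-Admin-Signer"]


def _terms(text):
    return re.findall(r"[a-z0-9]+", (text or "").lower())


def has_any(text, keywords):
    """Approximation of KQL has_any: case-insensitive whole-term phrase match,
    so "Git" matches "Git for Windows" but not "GitHub Desktop"."""
    toks = _terms(text)
    for kw in keywords:
        k = _terms(kw)
        if k and any(toks[i:i + len(k)] == k for i in range(len(toks) - len(k) + 1)):
            return True
    return False


def dev_assets(software_inventory, device_info, now):
    """Step 1: DeviceIds of likely developer/build machines (by software or device tag)."""
    ids = {r["DeviceId"] for r in software_inventory
           if has_any(r["SoftwareName"], DEV_SOFTWARE_KEYWORDS)}
    ids |= {r["DeviceId"] for r in device_info
            if r["Timestamp"] >= now - LOOKBACK
            and has_any(r["RegistryDeviceTag"], DEV_DEVICE_TAGS)}
    return ids


def latest_device_info(device_info, now):
    """Step 4 helper: arg_max(Timestamp, *) by DeviceId within the lookback."""
    latest = {}
    for r in device_info:
        if r["Timestamp"] < now - LOOKBACK:
            continue
        cur = latest.get(r["DeviceId"])
        if cur is None or r["Timestamp"] > cur["Timestamp"]:
            latest[r["DeviceId"]] = r
    return latest


def hunt(cert_info, device_info, software_inventory, now, excluded_signers=()):
    """Return enriched hits: ephemeral certs on non-developer devices."""
    suppressed = dev_assets(software_inventory, device_info, now)
    enrich = latest_device_info(device_info, now)
    hits = []
    for c in cert_info:
        lifespan = c["CertificateExpirationTime"] - c["CertificateCreationTime"]
        # Step 2: inside the anomalous window; zero/negative lifespans are malformed rows
        if not (timedelta(0) < lifespan <= EPHEMERAL_THRESHOLD):
            continue
        if not c["Issuer"] or has_any(c["Issuer"], EXCLUDED_ISSUERS):
            continue
        if has_any(c["Signer"], excluded_signers):  # assumption: scenario-based tuning
            continue
        # Step 3: leftanti join removes known developer assets
        if c["DeviceId"] in suppressed:
            continue
        # Step 4: inner join drops devices with no DeviceInfo row inside the lookback
        d = enrich.get(c["DeviceId"])
        if d is None:
            continue
        hits.append({"DeviceName": d["DeviceName"], "PublicIP": d["PublicIP"],
                     "LoggedOnUsers": d["LoggedOnUsers"], "TotalLifespan": lifespan,
                     **{k: c[k] for k in ("Timestamp", "DeviceId", "SHA1", "Signer", "Issuer",
                                          "IsTrusted", "CertificateCreationTime",
                                          "CertificateExpirationTime")}})
    return hits


# ---- constructed sample data (not real telemetry) ----
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)


def D(days_ago):
    return NOW - timedelta(days=days_ago)


def info(days_ago, dev, name, tag="", ip="203.0.113.1", users="[]"):
    return {"Timestamp": D(days_ago), "DeviceId": dev, "DeviceName": name,
            "RegistryDeviceTag": tag, "PublicIP": ip, "LoggedOnUsers": users}


def cert(dev, sha1, created, expires, issuer, signer, trusted=True):
    return {"Timestamp": D(1), "DeviceId": dev, "SHA1": sha1, "Issuer": issuer, "Signer": signer,
            "IsTrusted": trusted, "CertificateCreationTime": created,
            "CertificateExpirationTime": expires}


SOFTWARE_INVENTORY = [
    {"DeviceId": "dev-01", "SoftwareName": "Visual Studio 2022"},
    {"DeviceId": "usr-02", "SoftwareName": "Microsoft Office"},
    {"DeviceId": "build-03", "SoftwareName": "Notepad++"},
]
DEVICE_INFO = [
    info(2, "dev-01", "DEV-01", users='[{"UserName":"alice"}]'),
    info(3, "usr-02", "LAPTOP-FIN-02", ip="203.0.113.10", users='[{"UserName":"bob"}]'),
    info(1, "usr-02", "LAPTOP-FIN-02", ip="203.0.113.11", users='[{"UserName":"bob"}]'),  # latest
    info(2, "build-03", "BUILD-03", tag="Build-Server"),
    info(20, "usr-04", "LAPTOP-HR-04"),  # outside the lookback: inner join drops it
]
CERT_INFO = [
    cert("dev-01", "1111", D(20), D(18), "Acme Pipeline CA", "Acme Build"),          # dev asset
    cert("usr-02", "2222", D(5), D(2), "QuickSign Issuing CA", "Northwind Utils"),   # 3-day: hit
    cert("usr-02", "3333", D(400), NOW + timedelta(days=330), "Public CA", "Vendor"),# 2-year: normal
    cert("usr-02", "4444", D(6), D(1), "Internal-CA-Example", "IT Scripts"),         # excluded issuer
    cert("usr-02", "5555", D(1), D(4), "QuickSign Issuing CA", "Contoso"),           # expires before created
    cert("build-03", "6666", D(7), NOW, "Acme Pipeline CA", "Acme Build"),           # Build-Server tag
    cert("usr-04", "7777", D(10), NOW, "QuickSign Issuing CA", "Contoso"),           # no recent DeviceInfo
]


def run_demo(excluded_signers=()):
    return hunt(CERT_INFO, DEVICE_INFO, SOFTWARE_INVENTORY, NOW, excluded_signers)


if __name__ == "__main__":
    for h in run_demo():
        print(h["DeviceName"], h["SHA1"], h["Signer"], h["Issuer"], h["TotalLifespan"].days, "days")
```

Only the 3-day certificate on the finance laptop survives: the developer workstation and build server are suppressed by Step 1, the internal-CA row by the issuer exclusion, and the device with no DeviceInfo row inside the lookback is dropped by the inner join, which is worth remembering when a device is newly onboarded or rarely reports. Passing a publisher name in excluded_signers shows how the scenario-based exclusions would be expressed against the fields these tables actually expose.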
id: e920899f-edf0-446c-bb13-effbaf61b27b
name: Short-lived ephemeral code signing certificates
description: |
  Identifies files signed by certificates with a lifespan <= 14 days on non-developer endpoints. While legitimate software certs last 1+ years, ephemeral certs indicate Malware-Signing-as-a-Service (MSaaS) abuse to evade reputation-based controls.
description-detailed: |
  Commercial software is typically signed with certificates valid for 1 to 3 years. Ephemeral (short-lived) certificates are legitimately used in automated DevOps pipelines (e.g., Azure Artifact Signing). However, threat actors like Fox Tempest operate Malware-Signing-as-a-Service (MSaaS) to generate 72-hour to 14-day certificates for malicious payloads. Finding these short-lived certificates in a non-developer environment is a high-fidelity indicator of evasion, as it allows malware to bypass SmartScreen and EDR reputation filters before the certificate can be revoked.
  References:
  - https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/
  - https://learn.microsoft.com/en-us/azure/artifact-signing/overview
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
      - DeviceInfo
      - DeviceTvmSoftwareInventory
tactics:
  - DefenseEvasion
  - ResourceDevelopment
relevantTechniques:
  - T1553.002
  - T1588.003
tags:
  - FoxTempest
query: |
  // --- ADAPTATION GUIDE ---
  // 1. ephemeralThreshold: 14 days is the 'anomalous zone'. Values over 30d may lead to higher false positives.
  // 2. devSoftwareKeywords: Add internal dev tools (e.g., 'Jenkins', 'TeamCity') to reduce noise.
  // 3. devDeviceTags: Add your internal dev device group names to reduce noise.
  // 4. excludedIssuers: Add your organization's internal CA name here to prevent false positives.
  let ephemeralThreshold = 14d;
  let lookback = 7d;
  let devSoftwareKeywords = dynamic(["Visual Studio", "IntelliJ", "Jenkins", "GitHub", "Git", "Kubernetes", "Docker", "Sublime"]);
  let devDeviceTags = dynamic(["Engineering", "Dev-Workstation", "Build-Server"]);
  let excludedIssuers = dynamic(["Internal-CA-Example", "Local-Admin-Signer"]);
  // Step 1: Build a lookup table of developer assets likely to use legitimate short-lived certificates, via software inventory and device tags
  let devAssets = (
      DeviceTvmSoftwareInventory
      | where SoftwareName has_any (devSoftwareKeywords)
      | summarize by DeviceId
      | union (
          DeviceInfo
          | where Timestamp >= ago(lookback)
          | where RegistryDeviceTag has_any (devDeviceTags)
          // Optional columns, if populated in your tenant: or DeviceDynamicTags has_any (devDeviceTags)
          // Optional columns, if populated in your tenant: or DeviceManualTags has_any (devDeviceTags)
          | summarize by DeviceId
      )
      | summarize by DeviceId
  );
  // Step 2: Identify certificates within the 14-day anomalous window
  DeviceFileCertificateInfo
  | extend TotalLifespan = CertificateExpirat
Scenario: Scheduled System Maintenance Job Signing
Description: A legitimate system maintenance script or job (e.g., a Task Scheduler job or Windows Update task) is signed using a short-lived certificate for temporary access control or internal testing.
Filter/Exclusion: Exclude files signed by certificates associated with Task Scheduler, Windows Update, or Group Policy management tools. Example filter: process.name != "schtasks.exe" && process.name != "wuauclt.exe"

Scenario: Internal Code Signing for CI/CD Pipelines
Description: A developer or DevOps team uses a short-lived certificate to sign binaries during a CI/CD pipeline (e.g., Jenkins, GitHub Actions) for internal testing or deployment.
Filter/Exclusion: Exclude files signed by certificates issued by internal CI/CD tools like Jenkins, GitHub Actions, or Azure DevOps. Example filter: process.name contains "jenkins" || process.name contains "github-actions"

Scenario: Temporary Certificate for Admin Tools
Description: An admin uses a short-lived certificate to sign a temporary administrative tool (e.g., PsExec or a PowerShell script) for one-time use in a restricted environment.
Filter/Exclusion: Exclude files signed by certificates associated with administrative tools like PsExec, PowerShell, or WMIC. Example filter: process.name contains "psexec" || process.name contains "powershell"

Scenario: Certificate Rotation for Internal Services
Description: An internal service (e.g., SQL Server, IIS, or Active Directory) rotates its code signing certificate every 14 days as part of a security policy.
Filter/Exclusion: Exclude files signed by certificates associated with internal services like SQL Server, IIS, or Active Directory