What Changed

Added hunting query targeting ephemeral code-signing certificates used by Malware-Signing-as-a-Service (MSaaS) operations like Fox Tempest.

Detection Logic

The query correlates endpoint certificate data from DeviceFileCertificateInfo with device inventory:

  • Primary data source: DeviceFileCertificateInfo (certificate metadata), DeviceInfo (device context), DeviceTvmSoftwareInventory (software inventory)
  • Core logic: Identifies certificates with lifespan ≤14 days on non-developer endpoints
  • Exclusion mechanism: Filters out legitimate developer workstations using software keywords (Visual Studio, Jenkins, Git) and device tags
  • Entity mappings: Host (DeviceName), IP (PublicIP), FileHash (SHA1)

Uses timespan arithmetic (CertificateExpirationTime - CertificateCreationTime) to calculate certificate lifetime and applies dual-method exclusion to reduce false positives from legitimate DevOps pipelines.
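The sketch below is an added illustration of that correlation and exclusion logic, not the query shipped in the YAML file. It uses the standard Advanced Hunting column names for DeviceFileCertificateInfo, DeviceInfo and DeviceTvmSoftwareInventory; the lookback window, the 14-day threshold, the developer-software keyword list and the `DevMachineGroups` list (which stands in for an organization's device-tag convention) are assumptions to be tuned per environment.

```kql
// Added example (not the PR's query): flag short-lived signing certs on non-developer endpoints.
let LookbackWindow = 7d;                                  // assumption: how far back to hunt
let MaxCertLifespan = 14d;                                // threshold from the description: <= 14 days
let DevSoftwareKeywords = dynamic(["Visual Studio", "Jenkins", "Git"]);
let DevMachineGroups = dynamic(["Developers", "Build Servers"]);   // assumption: stands in for device tags
// Exclusion method 1: endpoints whose software inventory shows development tooling.
let DevSoftwareDevices =
    DeviceTvmSoftwareInventory
    | where SoftwareName has_any (DevSoftwareKeywords)
    | distinct DeviceId;
// Exclusion method 2: endpoints grouped/tagged as developer machines.
let DevGroupDevices =
    DeviceInfo
    | where Timestamp > ago(LookbackWindow)
    | where MachineGroup in~ (DevMachineGroups)
    | distinct DeviceId;
DeviceFileCertificateInfo
| where Timestamp > ago(LookbackWindow)
| where IsSigned == true
| where isnotempty(CertificateCreationTime) and isnotempty(CertificateExpirationTime)
// Timespan arithmetic: validity period of the signing certificate itself.
| extend CertLifespan = CertificateExpirationTime - CertificateCreationTime
| where CertLifespan > 0s and CertLifespan <= MaxCertLifespan
| where DeviceId !in (DevSoftwareDevices) and DeviceId !in (DevGroupDevices)
// Attach the latest device context for the entity mappings (Host, IP).
| join kind=leftouter (
    DeviceInfo
    | where Timestamp > ago(LookbackWindow)
    | summarize arg_max(Timestamp, PublicIP, OSPlatform, MachineGroup) by DeviceId
  ) on DeviceId
| project Timestamp, DeviceName, PublicIP, OSPlatform, MachineGroup,
          SHA1, Signer, Issuer, CertificateSerialNumber,
          CertificateCreationTime, CertificateExpirationTime,
          CertLifespanDays = CertLifespan / 1d, IsTrusted
| order by CertLifespanDays asc, Timestamp desc
```

Two tuning points matter in practice: an internal CA that issues short-lived certificates for its own tooling should be excluded on `Issuer` (or `IssuerHash`) rather than by widening the lifespan threshold, and the `DevSoftwareKeywords` list should be extended with whatever build tooling the organization actually deploys, since every missing keyword shows up as a false positive on a build box.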

Detection Surface Unlocked

Targets advanced evasion techniques where threat actors:

  • Use stolen identities to abuse legitimate platforms (Microsoft Trusted Signing)
  • Generate 72-hour to 14-day certificates for malware payloads
  • Bypass SmartScreen and EDR reputation filters before certificate revocation
  • Enable malware families (Oyster, Lumma, Rhysida ransomware) to appear legitimate

Provides behavioral detection based on certificate lifespan anomaly rather than reactive IOCs, making it resilient against future MSaaS operators.

MITRE Coverage

  • T1553.002: Subvert Trust Controls: Code Signing (certificate abuse)
  • T1588.003: Obtain Capabilities: Code Signing Certificates (acquisition of signing capability)

Implementation Notes

Query includes extensive adaptation guidance for customizing thresholds, adding organization-specific development tools to exclusion lists, and handling internal CA certificates to minimize false positives in production environments.

Affected Files

Hunting Queries/Microsoft 365 Defender/Defense evasion/Short-livedEphemeralCodeSigningCertificates.yaml