Bypass Record
Code-Signing Abuse × Microsoft Windows operating systems with WinVerifyTrust
A publicly-reported instance of Code-Signing Abuse bypassing Microsoft Windows operating systems with WinVerifyTrust, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
WinVerifyTrust improperly handles the WIN_CERTIFICATE structure in PE files. By adding extra data to the certificate table, an attacker can include malicious content that is not covered by the signature check, yet the file still passes validation. This defeats security products that trust Authenticode signatures for allowlisting or malware detection.
Detection & mitigation
Monitor for PE files with data appended after the signature block, using tools such as sigcheck with the -a flag or YARA rules that detect anomalous certificate table sizes. Enforce strict validation policies that reject files with malformed or non-standard certificate structures, and consider using multiple integrity checks beyond Authenticode alone.
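As an added, defender-side illustration (not code from this record or from any cited source), the check below locates a PE file's security directory, walks its WIN_CERTIFICATE entries and measures how many bytes of each entry lie beyond the DER-encoded PKCS#7 blob, which is the slack the mechanism above abuses; a minimal PE32+ image is constructed inline as sample input. The helper names, the 7-byte alignment threshold and the constructed sample bytes are assumptions.

```python
import struct

def der_element_length(blob: bytes) -> int:
    """Total length (tag + length field + content) of the DER element at blob[0]."""
    if len(blob) < 2 or blob[0] != 0x30:          # PKCS#7 SignedData starts with a SEQUENCE tag
        raise ValueError("certificate blob is not a DER SEQUENCE")
    if blob[1] < 0x80:                             # short-form length
        return 2 + blob[1]
    n = blob[1] & 0x7F                             # long-form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def check_certificate_table(pe: bytes) -> dict:
    """Measure bytes in the PE security directory that lie outside the signed PKCS#7 blob."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (128 if magic == 0x10B else 144)    # IMAGE_DIRECTORY_ENTRY_SECURITY for PE32 / PE32+
    sec_off, sec_size = struct.unpack_from("<II", pe, dd)   # a file offset, not an RVA
    if sec_size == 0:
        return {"signed": False, "entries": [], "trailing_bytes": 0, "suspicious": False}
    pos, end, entries = sec_off, sec_off + sec_size, []
    while pos + 8 <= end:
        dw_len, _rev, ctype = struct.unpack_from("<IHH", pe, pos)   # WIN_CERTIFICATE header
        if dw_len < 8 or pos + dw_len > end:
            raise ValueError("WIN_CERTIFICATE dwLength out of range")
        blob = pe[pos + 8:pos + dw_len]
        slack = len(blob) - der_element_length(blob)   # bytes inside the entry beyond the DER blob
        entries.append({"type": ctype, "dwLength": dw_len, "slack": slack})
        pos += (dw_len + 7) & ~7                   # entries are 8-byte aligned
    trailing = len(pe) - end                       # data appended after the whole table; reported as anomalous
    suspicious = trailing > 0 or any(e["slack"] > 7 for e in entries)   # >7: more than alignment padding
    return {"signed": True, "entries": entries, "trailing_bytes": trailing, "suspicious": suspicious}

def build_sample_pe(extra: bytes = b"", appended: bytes = b"") -> bytes:
    """Constructed minimal PE32+ with one Authenticode entry; a sample layout, not a real binary."""
    pkcs7 = b"\x30\x06\x02\x01\x01\x02\x01\x02"    # tiny DER SEQUENCE standing in for SignedData
    cert = pkcs7 + extra                           # `extra` models unsigned bytes padded into the entry
    entry = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert   # revision 2.0, PKCS_SIGNED_DATA
    entry += b"\0" * (-len(entry) % 8)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)        # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                # PE32+ magic
    struct.pack_into("<II", opt, 144, 0x40 + 4 + 20 + 240, len(entry))   # security directory entry
    return dos + b"PE\0\0" + coff + bytes(opt) + entry + appended
```

On a real file, read it fully into `pe` and call `check_certificate_table`; an entry whose `slack` exceeds alignment padding is the kind of anomaly a YARA rule or allowlist policy should reject.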
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.