mgeeky-Penetration-Testing-.../red-teaming/Self-Signed Threat/README.md

## Code Signing Certificate Cloning Attack 

A Powershell script that signs input Executable file with fake Microsoft code-signing certificate to demonstrate risks of cloned-certificate sign attacks.

Script was shamelessly borrowed from [Matt Graeber, @mattifestation](https://twitter.com/mattifestation) and his research titled:
- [_Code Signing Certificate Cloning Attacks and Defenses_](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec) 

**All credits go to Matt** - this directory contains a copy of his code (_a little tweaked by me_) for preserverance purposes.


### Effectiveness

As of [13/07/2022](https://twitter.com/mariuszbit/status/1547320418821980160) this **dumb trick** still gets off the shelf malware evade detection of at least 8 modern security scanners.

| What                                                                         | Result    |
|------------------------------------------------------------------------------|-----------|
| Mythic Apollo.exe before fake-signing                                        | [30/70](https://www.virustotal.com/gui/file/1413de7cee2c7c161f814fe93256968450b4e99ae65f0b5e7c2e76128526cc73?nocache=1) |
| Mythic Apollo.exe after fake-signing with Microsoft code-signing certificate | [22/70](https://www.virustotal.com/gui/file/34543de8a6b24c98ea526d8f2ae5f1dbe99d64386d8a8f46ddbcdcebaac3df65?nocache=1) |

### Usage

```
PS C:\> . .\Sign-Artifact.ps1
PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile nomalware.exe -Verbose
```
readme 2022-07-13 23:02:05 +02:00			`## Code Signing Certificate Cloning Attack`
added self-signed threat 2022-07-13 22:39:40 +02:00
readme 2022-07-13 23:02:42 +02:00			`A Powershell script that signs input Executable file with fake Microsoft code-signing certificate to demonstrate risks of cloned-certificate sign attacks.`
added self-signed threat 2022-07-13 22:39:40 +02:00
readme 2022-07-13 23:00:40 +02:00			`Script was shamelessly borrowed from [Matt Graeber, @mattifestation](https://twitter.com/mattifestation) and his research titled:`
			`- [_Code Signing Certificate Cloning Attacks and Defenses_](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec)`

readme 2022-07-13 23:04:04 +02:00			`All credits go to Matt - this directory contains a copy of his code (_a little tweaked by me_) for preserverance purposes.`
added self-signed threat 2022-07-13 22:44:46 +02:00
added self-signed threat 2022-07-13 22:39:40 +02:00
added self-signed threat 2022-07-13 22:44:46 +02:00			`### Effectiveness`

readme 2022-07-13 23:01:17 +02:00			`As of [13/07/2022](https://twitter.com/mariuszbit/status/1547320418821980160) this dumb trick still gets off the shelf malware evade detection of at least 8 modern security scanners.`
added self-signed threat 2022-07-13 22:39:40 +02:00
			`\| What \| Result \|`
			`\|------------------------------------------------------------------------------\|-----------\|`
			`\| Mythic Apollo.exe before fake-signing \| [30/70](https://www.virustotal.com/gui/file/1413de7cee2c7c161f814fe93256968450b4e99ae65f0b5e7c2e76128526cc73?nocache=1) \|`
			`\| Mythic Apollo.exe after fake-signing with Microsoft code-signing certificate \| [22/70](https://www.virustotal.com/gui/file/34543de8a6b24c98ea526d8f2ae5f1dbe99d64386d8a8f46ddbcdcebaac3df65?nocache=1) \|`

			`### Usage`

			```
			`PS C:\> . .\Sign-Artifact.ps1`
			`PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile nomalware.exe -Verbose`
			```