mgeeky-Penetration-Testing-Tools

History

Mariusz B. / mgeeky fc7316a5bb Updated phishing-HTML-linter.py		2022-12-12 23:20:41 +01:00
..
MSKernel32Cloned.pfx	Updated phishing-HTML-linter.py	2022-12-12 23:20:41 +01:00
MSKernel32Leaf.cer	updated certificates in Self-Signed Threat	2022-11-02 04:49:48 +01:00
MSKernel32PCA.cer	added self-signed threat	2022-07-13 22:39:40 +02:00
MSKernel32Root.cer	added self-signed threat	2022-07-13 22:39:40 +02:00
README.md	readme	2022-07-13 23:04:04 +02:00
Sign-Artifact.ps1	added self-signed threat	2022-07-13 22:39:40 +02:00
sigcheck.exe	added self-signed threat	2022-07-13 22:39:40 +02:00
sigcheck64.exe	added self-signed threat	2022-07-13 22:39:40 +02:00

README.md

Code Signing Certificate Cloning Attack

A Powershell script that signs input Executable file with fake Microsoft code-signing certificate to demonstrate risks of cloned-certificate sign attacks.

Script was shamelessly borrowed from Matt Graeber, @mattifestation and his research titled:

Code Signing Certificate Cloning Attacks and Defenses

All credits go to Matt - this directory contains a copy of his code (a little tweaked by me) for preserverance purposes.

Effectiveness

As of 13/07/2022 this dumb trick still gets off the shelf malware evade detection of at least 8 modern security scanners.

What	Result
Mythic Apollo.exe before fake-signing	30/70
Mythic Apollo.exe after fake-signing with Microsoft code-signing certificate	22/70

Usage

PS C:\> . .\Sign-Artifact.ps1
PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile nomalware.exe -Verbose