mgeeky-Penetration-Testing-.../red-teaming/Self-Signed Threat/README.md
Mariusz B. / mgeeky 143263a1c8 readme
2022-07-13 23:03:45 +02:00

1.5 KiB

Code Signing Certificate Cloning Attack

A Powershell script that signs input Executable file with fake Microsoft code-signing certificate to demonstrate risks of cloned-certificate sign attacks.

Script was shamelessly borrowed from Matt Graeber, @mattifestation and his research titled:

All credits go to Matt - this directory contains a copy of his code (bit tweaked by me) for preserverance purposes.

Effectiveness

As of 13/07/2022 this dumb trick still gets off the shelf malware evade detection of at least 8 modern security scanners.

What Result
Mythic Apollo.exe before fake-signing 30/70
Mythic Apollo.exe after fake-signing with Microsoft code-signing certificate 22/70

Usage

PS C:\> . .\Sign-Artifact.ps1
PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile nomalware.exe -Verbose