mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-25 12:01:37 +01:00
Code Signing Certificate Cloning Attack
A PowerShell script that signs an input executable file with a fake Microsoft code-signing certificate to demonstrate the risks of cloned-certificate signing attacks.
The script was shamelessly borrowed from Matt Graeber (@mattifestation) and his research titled:
All credits go to Matt - this directory contains a copy of his code (a little tweaked by me) for preservation purposes.
Effectiveness
As of 13/07/2022, this dumb trick still lets off-the-shelf malware evade detection by at least 8 modern security scanners.
| What | Result |
|---|---|
| Mythic Apollo.exe before fake-signing | 30/70 |
| Mythic Apollo.exe after fake-signing with Microsoft code-signing certificate | 22/70 |
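A defender-side check for the result above, as an added example that is not part of the original repository: a cloned certificate copies names but cannot reuse the original private key, so its chain ends in a certificate with a different thumbprint. The function name `Test-SignerRootPinned`, the `$PinnedRootThumbprints` list and its placeholder value are assumptions; fill the list with thumbprints exported from a known-good system.

```powershell
# Added example: flag files whose signer claims Microsoft but whose chain
# does not end in a root you have pinned by thumbprint.
# Assumption: replace the placeholder with thumbprints of the Microsoft roots
# you trust, exported from a known-good system.
$PinnedRootThumbprints = @('<PLACEHOLDER-TRUSTED-ROOT-THUMBPRINT>')

function Test-SignerRootPinned {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$TrustedRoots = $PinnedRootThumbprints
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $leaf = $sig.SignerCertificate
    if (-not $leaf) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Unsigned' }
    }

    # Walk the chain even when the root is not trusted locally, so the verdict
    # comes from the pinned list and not from the machine's trust stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.Build($leaf)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $pinned = $TrustedRoots -contains $top.Thumbprint
    # Heuristic: the subject organisation is only a claim; anyone can copy it.
    $claimsMicrosoft = $leaf.Subject -match 'O=Microsoft Corporation'

    $verdict = if ($pinned) {
        'RootPinned'
    } elseif ($claimsMicrosoft) {
        'SuspectClonedChain'
    } else {
        'OtherSigner'
    }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        Subject       = $leaf.Subject
        TopOfChain    = $top.Subject
        TopThumbprint = $top.Thumbprint
        Verdict       = $verdict
    }
}

# Check every executable in the current directory.
Get-ChildItem -Filter *.exe | ForEach-Object { Test-SignerRootPinned -Path $_.FullName }
```

A `SuspectClonedChain` verdict alongside a `Valid` status means the machine's own trust store accepts the chain, which is worth investigating separately.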
Usage
PS C:\> . .\Sign-Artifact.ps1
PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile nomalware.exe -Verbose