Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
DLL Proxying for Persistence
Schtask
Service Execution
Sticky Keys
Create Account
AddMonitor()
NetSh Helper DLL
Abusing Windows Managent Instrumentation
Windows Logon Helper
Hijacking Default File Extension
Persisting in svchost.exe with a Service DLL
Modifying .lnk Shortcuts
Screensaver Hijack
Application Shimming
BITS Jobs
COM Hijacking
SIP & Trust Provider Hijacking
Hijacking Time Providers
Installing Root Certificate
Powershell Profile Persistence
RID Hijacking
Word Library Add-Ins
Office Templates
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
SIP & Trust Provider Hijacking
Defense Evasion, Persistence, Whitelisting Bypass
In this lab, I will try to sign a simple "rogue" powershell script test-forged.ps1 that only has one line of code, with Microsoft's certificate and bypass any whitelisting protections/policies the script may be subject to if it is not signed.

Execution

The script that I will try to sign:
Just before I start, let's make sure that the script is not signed by using a Get-AuthenticodeSignature cmdlet and sigcheck by SysInternals:
In order to sign the script with Microsoft's certificate, we need to first find a native Microsoft Signed PowerShell script. I used powershell for this:
1
Get-ChildItem -Path C:\*.ps* -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "# SIG # Begin signature block"
Copied!
I chose one script at random and simply checked if it was signed - luckily it was:
1
type C:\Windows\WinSxS\x86_microsoft-windows-m..ell-cmdlets-modules_31bf3856ad364e35_10.0.16299.15_none_c7c20f51cd336675\Wdac.psd1
Copied!
Let's copy the Microsoft signature block to my script:
Now let's modify registry at:
1
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
Copied!
From:
To:
DLL
1
C:\Windows\System32\ntdll.dll
Copied!
FuncName
1
DbgUIContinue
Copied!
Now, let's launch a new powershell instance (for the registry changes to take effect) and check the signature of the forged script - note how it now shows as signed, verified and valid:

Observations

Monitoring the following registry keys/values helps discover this suspicious activity:

References

For all the registry keys/values that should be used as a baseline, please refer to the original research whitepaper by Matt Graeber: SpecterOps Subverting Trust inWindows​
Subvert Trust Controls: SIP and Trust Provider Hijacking, Sub-technique T1553.003 - Enterprise | MITRE ATT&CK®
Hijacking Digital Signatures
Penetration Testing Lab
Unable to renew certificate via internal Microsoft certificate authority
Walkthrough: Request a Digital Certificate from Certificate Server or create a testing Digital Certificate to sign a Package
docsmsft
Signing PowerShell Scripts
shanselman
GitHub - netbiosX/Digital-Signature-Hijack: Binaries, PowerShell scripts and information about Digital Signature Hijacking.
GitHub
Previous
COM Hijacking
Next
Hijacking Time Providers
Last modified 2yr ago
Copy link
Contents
Execution
Observations
References