SIP & Trust Provider Hijacking
Defense Evasion, Persistence, Whitelisting Bypass
In this lab, I will try to sign a simple "rogue" powershell script test-forged.ps1
that only has one line of code, with Microsoft's certificate and bypass any whitelisting protections/policies the script may be subject to if it is not signed.
Execution
The script that I will try to sign:
Just before I start, let's make sure that the script is not signed by using a Get-AuthenticodeSignature
cmdlet and sigcheck
by SysInternals:
In order to sign the script with Microsoft's certificate, we need to first find a native Microsoft Signed PowerShell script. I used powershell for this:
I chose one script at random and simply checked if it was signed - luckily it was:
Let's copy the Microsoft signature block to my script:
Now let's modify registry at:
From:
To:
Now, let's launch a new powershell instance (for the registry changes to take effect) and check the signature of the forged script - note how it now shows as signed, verified and valid:
Observations
Monitoring the following registry keys/values helps discover this suspicious activity:
References
For all the registry keys/values that should be used as a baseline, please refer to the original research whitepaper by Matt Graeber: SpecterOps Subverting Trust inWindows
Last updated