Awesome-Mirrors/my-infosec-awesome
1
0
Fork 0
mirror of https://github.com/pe3zx/my-infosec-awesome.git synced 2024-12-11 17:14:21 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add rouge code signing with TLDR version

Browse Source
This commit is contained in:
pe3zx 2018-01-02 22:15:46 +07:00
parent 0a1789f2c7
commit e432f4f51a
2 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -59,6 +59,8 @@ My curated list of awesome links, resources and tools
- [Beyond good ol' Run key Series](http://www.hexacorn.com/blog/?s=Beyond+good+ol%E2%80%99+Run+key%2C)
- Mirror copy and TLDR version of articles are available at [files/dfir/beyod-good-ol-run-key.md](files/dfir/beyond-good-ol-run-key.md)
- [Certificate Chain Cloning and Cloned Root Trust Attacks](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec)
- Mirror copy (TLDR version) of the article is available at [files/dfir/rouge-certificate-dfir.md](files/dfir/rouge-certificate-dfir.md)
- [Windows Privileged Access Reference](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ATLT_BM)
- Mirror copy of the table is available at [files/dfir/windows-privileged-access-reference.md](files/dfir/windows-privileged-access-reference.md)

33
files/dfir/rouge-certificate-dfir.md Normal file
View File

@ -0,0 +1,33 @@
# Rouge Ceritifcation DFIR
Original article from: [Code Signing Certificate Cloning Attacks and Defenses](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec) by SpecterOps
## Attacks
- Export all certificates in legitimate certificate chain, via Certificate Wizard, to disk. [Video](https://www.youtube.com/watch?time_continue=11&v=5rjJnxl50Dg).
- Signing target binary file with `New-SelfSignedCertificate` cmdlet in PowerShell. [Video](https://www.youtube.com/watch?v=qF6h2he5B7g)
- Example of uses: [CertificateCloning.ps1](https://gist.github.com/mattifestation/b2e5c5b529e770c464f149e6020e280b#file-certificatecloning-ps1)
- Remote trusting with WMI: [RemoteCertTrust.ps1](https://gist.github.com/mattifestation/429008d961bb719d5bd5ce262557bdbf#file-remotecerttrust-ps1)
## Detection
- Use Sysmon to monitor registry activity relates to certificate installation. Example config below.
- Focus on *SetValue events where the TargetObject property ends with `<THUMBPRINT_VALUE>\Blob` as this indicates the direct installation or modification of a root certificate binary blob.*
<script src="https://gist.github.com/mattifestation/75d6117707bcf8c26845b3cbb6ad2b6b.js"></script>
- Investigate the content of certificate with powershell:
```powershell
Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | Format-List *
```
- Investigate and compare [authroot.stl](https://gist.github.com/mattifestation/c712e525109f786fbaf6ed576b8d2832) using [GetSTLCertHashes.ps1](https://gist.github.com/mattifestation/c712e525109f786fbaf6ed576b8d2832)
## Protection
- *While there may not be strong preventative mitigations for certificate installation as an admin, it is possible to prevent root certificate installation in the current user context by setting the following registry value:*
```
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots - Flags (REG_DWORD) - 1
```