Awesome-Mirrors/my-infosec-awesome

mirror of https://github.com/pe3zx/my-infosec-awesome.git synced 2024-07-06 10:22:32 +00:00

pe3zx e432f4f51a Add rouge code signing with TLDR version

2018-01-02 22:15:46 +07:00

2.0 KiB

Raw Blame History

Rouge Ceritifcation DFIR

Original article from: Code Signing Certificate Cloning Attacks and Defenses by SpecterOps

Attacks

Export all certificates in legitimate certificate chain, via Certificate Wizard, to disk. Video.
Signing target binary file with New-SelfSignedCertificate cmdlet in PowerShell. Video
- Example of uses: CertificateCloning.ps1
- Remote trusting with WMI: RemoteCertTrust.ps1

Detection

Use Sysmon to monitor registry activity relates to certificate installation. Example config below.
- Focus on SetValue events where the TargetObject property ends with <THUMBPRINT_VALUE>\Blob as this indicates the direct installation or modification of a root certificate binary blob.

Investigate the content of certificate with powershell:

Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | Format-List *

Investigate and compare authroot.stl using GetSTLCertHashes.ps1

Protection

While there may not be strong preventative mitigations for certificate installation as an admin, it is possible to prevent root certificate installation in the current user context by setting the following registry value:

HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots - Flags (REG_DWORD) - 1