T1198: SIP & Trust Provider Hijacking

In this lab, I will try to sign a simple "rogue" powershell script test-forged.ps1 that only has one line of code, with Microsoft's certificate and bypass any whitelisting protections/policies the script may be subject to if it is not signed.

Execution

The script that I will try to sign:

Just before I start, let's make sure that the script is not signed by using a Get-AuthenticodeSignature cmdlet and sigcheck by SysInternals:

In order to sign the script with Microsoft's certificate, we need to first find a native Microsoft Signed PowerShell script. I used powershell for this:

I chose one script at random and simply checked if it was signed - luckily it was:

Let's copy the Microsoft signature block to my script:

Now let's modify registry at:

From:

To:

Now, let's launch a new powershell instance (for the registry changes to take effect) and check the signature of the forged script - note how it now shows as signed, verified and valid:

Observations

Monitoring the following registry keys/values helps discover this suspicious activity:

References

For all the registry keys/values that should be used as a baseline, please refer to the original research whitepaper by Matt Graeber: SpecterOps Subverting Trust inWindows

Subvert Trust Controls: SIP and Trust Provider Hijacking, Sub-technique T1553.003 - Enterprise | MITRE ATT&CK®attack.mitre.org

Hijacking Digital SignaturesPenetration Testing Lab

Walkthrough: Request a Digital Certificate from Certificate Server or create a testing Digital Certificate to sign a PackageMicrosoftLearn

Signing PowerShell Scriptsshanselman

GitHub - netbiosX/Digital-Signature-Hijack: Binaries, PowerShell scripts and information about Digital Signature Hijacking.GitHub