Hijacking digital signatures is a technique that can be used to bypass Device Guard restrictions and, during red team assessments, to hide custom malware behind a trusted signature. Matt Graeber discovered in his research how to bypass digital signature hash validation and described everything in detail in the paper he released. Based on that work, the DigitalSignature-Hijack script was developed to fully automate the technique. Further information on hijacking digital signatures has been described in a previous article.

General Information

DigitalSignature-Hijack is written in PowerShell and must be executed from a PowerShell console with administrative privileges. The idea is to digitally sign PowerShell scripts and portable executables quickly by executing only four commands in total.


The script accepts the following commands:

  • SignExe – Digitally Sign Portable Executables
  • SignPS – Digitally Sign PowerShell Scripts
  • ValidateSignaturePE – Signature validation of Portable Executables
  • ValidateSignaturePS – Signature validation of PowerShell Scripts


DigitalSignature-Hijack relies on the custom SIP (Subject Interface Package) DLL developed by Matt Graeber. That DLL therefore has to be stored somewhere on the target system, and the script needs to be updated with the DLL's new location; otherwise the registry hijack will not work.
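Because the technique works by rewriting SIP and trust-provider registrations, those registry keys are also where a defender can look for it. The following PowerShell is an added detection example, not part of DigitalSignature-Hijack or Matt Graeber's code: it enumerates the registration keys a SIP hijack has to modify and reports any provider DLL that sits outside the Windows directory, is missing, or does not carry a valid Microsoft signature. The key paths and the Dll/FuncName and $DLL/$Function value names are the standard Windows SIP and trust-provider locations; the function names Get-SuspiciousSipEntry and Resolve-ProviderDll are my own.

```powershell
$SipRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData',
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg',
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy'
)

function Resolve-ProviderDll([string]$Value, [bool]$Wow64) {
    # Registered values are either a bare file name (loaded from the system
    # directory) or a path that may contain environment variables.
    $p = [Environment]::ExpandEnvironmentVariables($Value)
    if (-not [IO.Path]::IsPathRooted($p)) {
        $dir = if ($Wow64) { 'SysWOW64' } else { 'System32' }
        $p = Join-Path (Join-Path $env:SystemRoot $dir) $p
    }
    return $p
}

function Get-SuspiciousSipEntry {
    foreach ($root in $SipRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            # SIP entries store "Dll"/"FuncName"; trust providers store "$DLL"/"$Function".
            $dll  = if ($props.Dll) { $props.Dll } else { $props.'$DLL' }
            $func = if ($props.FuncName) { $props.FuncName } else { $props.'$Function' }
            if (-not $dll) { continue }
            $path = Resolve-ProviderDll $dll ($root -like '*WOW6432Node*')
            $reasons = @()
            if ($path -notlike "$env:SystemRoot\*") { $reasons += 'DLL outside the Windows directory' }
            if (-not (Test-Path $path)) {
                $reasons += 'DLL not found'
            } else {
                # Caveat: once a hijacked SIP is in place, Get-AuthenticodeSignature
                # goes through it too, so the location check above is the primary signal.
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
                    $reasons += "signature status $($sig.Status)"
                }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Key = $key.PSChildName; Dll = $path; Function = $func; Reason = ($reasons -join '; ') }
            }
        }
    }
}

Get-SuspiciousSipEntry | Format-Table -AutoSize
```

Run it from an elevated console; an empty table means every registered provider DLL resolves to a Microsoft-signed file under the Windows directory.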


The following commands can be used to digitally sign all PowerShell scripts and portable executables that exist on the host. First the module is imported:

Import-Module .\DigitalSignature-Hijack.ps1

Signing Binaries:

Mimikatz is a known binary that can dump credentials from memory. It is not part of Windows and is not digitally signed by Microsoft.

Unsigned Mimikatz

The SignExe command will give Mimikatz a Microsoft certificate.

Signed Mimikatz

Signature Validation:

Hijacking a legitimate certificate produces a hash mismatch error, so the digital signature will fail to validate.

Signed Mimikatz - Invalid Signature

Executing the ValidateSignaturePE command will make the digital signature hash validate for all portable executables stored on the system.

Signed Mimikatz - Valid Signature

Signing PowerShell Scripts:

The DigitalSignature-Hijack PowerShell script is not signed. Therefore, in a scenario where Device Guard UMCI (User Mode Code Integrity) is enforced, it needs to be signed.

Unsigned PowerShell Script

Executing the SignPS command will give the PowerShell script a Microsoft certificate.

Signed PowerShell Script

Signature Validation:

As with portable executables, Microsoft also performs hash validation on the digital signatures of PowerShell scripts.

PowerShell Script - Invalid Signature

Executing the ValidateSignaturePS command will bypass the hash validation, and as a result the digital signature will appear as valid.

PowerShell Script - Valid Signature


The DigitalSignature-Hijack script can be found in the location below:

Source Code
