Hijacking digital signatures is a technique which can be used to bypass Device Guard restrictions and, during red team assessments, to hide custom malware. Matt Graeber discovered how to bypass digital signature hash validation and described the technique in detail in the paper he released. Based on that research the DigitalSignature-Hijack script was developed to fully automate the technique. Further information on hijacking digital signatures is given in a previous article.
DigitalSignature-Hijack is written in PowerShell and must be executed from a PowerShell console with administrative privileges, since the registry hijack it performs writes to HKLM. The idea is to digitally sign PowerShell scripts and portable executables quickly, by executing only four commands in total.
The script accepts the following commands:
- SignExe – Digitally Sign Portable Executables
- SignPS – Digitally Sign PowerShell Scripts
- ValidateSignaturePE – Signature validation of Portable Executables
- ValidateSignaturePS – Signature validation of PowerShell Scripts
DigitalSignature-Hijack relies on the custom SIP (Subject Interface Package) DLL developed by Matt Graeber. The DLL therefore has to be stored somewhere on the target system, and the script has to be updated with the path of that DLL, as otherwise the registry hijack will point at a file that does not exist and will not work.
The following commands digitally sign every PowerShell script and portable executable that exists on the host:
Import-Module .\DigitalSignature-Hijack.ps1
SignExe
SignPS
ValidateSignaturePE
ValidateSignaturePS
Mimikatz is a known binary that can dump credentials from memory. It is not part of Windows and is not digitally signed by Microsoft.
The command SignExe applies a Microsoft certificate to Mimikatz.
Applying a legitimate certificate on its own produces a hash mismatch error, because the hash embedded in the borrowed signature does not match the file, and therefore the digital signature fails to validate.
Executing the ValidateSignaturePE command hijacks the hash validation function, so the digital signature of every portable executable stored on the system appears to validate correctly.
Signing PowerShell Scripts:
The DigitalSignature-Hijack PowerShell script is itself not signed. Therefore, in a scenario where Device Guard UMCI (User Mode Code Integrity) is enforced, it also needs to be signed before it can run.
Executing the command SignPS applies a Microsoft certificate to the PowerShell script.
As with portable executables, Windows also performs hash validation for the digital signatures of PowerShell scripts.
Executing the command ValidateSignaturePS bypasses the hash validation and, as a result, the digital signature appears as valid.
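The ValidateSignaturePE and ValidateSignaturePS steps above work by rewriting the SIP handler registry values so that hash verification is routed to the custom DLL. The following audit script is an added example written for this article; it is not part of DigitalSignature-Hijack or of Matt Graeber's code. It enumerates the CryptSIPDllVerifyIndirectData and CryptSIPDllGetSignedDataMsg handlers for every registered SIP GUID, and flags any handler whose DLL lives outside the Windows directory, is not validly signed by Microsoft, or (for the PE and PowerShell SIPs) differs from the expected default. The expected defaults in the table are an assumption taken from Graeber's paper and should be confirmed against a clean reference host.

```powershell
# Added example, not from DigitalSignature-Hijack: audit the SIP registry
# handlers that the hijack rewrites. Run from an elevated PowerShell console.

# ASSUMPTION: default handlers as documented in Graeber's paper; verify them
# against a known-good host of the same Windows build before relying on them.
$Expected = @{
    # Portable executable (Authenticode) SIP
    '{C689AAB8-8E78-11D0-8C47-00C04FC295EE}' = @{
        Dll      = 'C:\Windows\System32\WINTRUST.DLL'
        VerifyFn = 'CryptSIPVerifyIndirectData'
    }
    # PowerShell script SIP
    '{603BCC1F-4B59-4E08-B724-D2C6297EF351}' = @{
        Dll      = 'C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll'
        VerifyFn = 'PsVerifyHash'
    }
}

function Get-SipHandler {
    # Both the native hive and the WOW6432Node mirror hold SIP registrations.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0'
    )
    foreach ($root in $roots) {
        foreach ($stage in 'CryptSIPDllVerifyIndirectData', 'CryptSIPDllGetSignedDataMsg') {
            $base = Join-Path $root $stage
            if (-not (Test-Path $base)) { continue }
            foreach ($key in Get-ChildItem -Path $base) {
                $p = Get-ItemProperty -Path $key.PSPath
                [pscustomobject]@{
                    Hive     = $root
                    Stage    = $stage
                    Guid     = $key.PSChildName
                    Dll      = [string]$p.Dll
                    FuncName = [string]$p.FuncName
                }
            }
        }
    }
}

function Test-SipHijack {
    foreach ($h in Get-SipHandler) {
        $findings = @()

        # Resolve the path the loader would use: expand %SystemRoot% style
        # variables and treat bare file names as living in System32.
        $dll = [Environment]::ExpandEnvironmentVariables($h.Dll)
        if (-not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path "$env:SystemRoot\System32" $dll
        }

        if (-not $dll.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "handler DLL outside $env:SystemRoot"
        }

        if (Test-Path -LiteralPath $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid' -or
                $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $findings += "handler DLL not validly signed by Microsoft ($($sig.Status))"
            }
        } else {
            $findings += 'handler DLL path does not exist'
        }

        # Compare the hash-verification handler of the two SIPs of interest
        # against the expected default DLL and export name.
        $exp = $Expected[$h.Guid]
        if ($exp -and $h.Stage -eq 'CryptSIPDllVerifyIndirectData') {
            if ($dll -ne $exp.Dll -or $h.FuncName -ne $exp.VerifyFn) {
                $findings += "differs from expected $($exp.Dll)!$($exp.VerifyFn)"
            }
        }

        [pscustomobject]@{
            Stage    = $h.Stage
            Guid     = $h.Guid
            Dll      = $h.Dll
            FuncName = $h.FuncName
            Suspect  = ($findings.Count -gt 0)
            Findings = ($findings -join '; ')
        }
    }
}

Test-SipHijack | Where-Object Suspect | Format-List
```

Two caveats when reading the output. First, on a host where the hijack is already in place, Get-AuthenticodeSignature itself runs through the hijacked SIP, so a custom DLL carrying a borrowed Microsoft certificate can also report Valid; the registry values and the DLL path are the authoritative indicators, and the DLL's hash should be compared with a known-good copy from another system. Second, bare file names are resolved from System32 here, which is an approximation of the loader's search order; a WOW6432Node entry naming WINTRUST.DLL is served from SysWOW64 through file system redirection and is still legitimate.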
The DigitalSignatureHijack script can be found in the locations below: