Code Signing

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing gives a binary a level of authenticity from the developer and a guarantee that it has not been tampered with since it was signed. The certificate used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity results in a signature that validates on the target system.

Modern Windows (Authenticode, checked by SmartScreen and by AppLocker or WDAC policies) and macOS/OS X (Gatekeeper) verify code signatures, in particular when software is first run. Linux has no platform-wide equivalent for individual executables; signatures there are usually verified at the package level by the distribution's package manager, which reflects the decentralized nature of the platform.

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

Example

CarbonCopy is a tool built by paranoidninja for spoofing digital signatures. It downloads the TLS certificate of a website you choose, generates a new certificate chain whose subject and issuer fields copy that certificate, and uses the lookalike certificate to sign the target binary with osslsigncode. Because the signer name then reads like a well-known vendor, such a binary can get past cursory AV heuristics and a quick look from an analyst, even though the signature does not chain to a trusted root (strictly speaking this is a well-formed but unverifiable signature, not a trusted one). The screenshots compare two payloads, one with and one without a digital signature.

Next, inspect the digitally signed payload more closely to see what its signature contains.

The signer's certificate is not installed in any trusted store, which is why Windows reports that the signature cannot be verified.

The certificate could be installed into a trust store, given the proper permissions, but the point here is that the signature already lends the binary a veneer of authenticity: the subject field says it is signed by Microsoft. A solid analyst will notice that the certificate's validity period starts at a very recent date and that the chain does not terminate in a trusted root. So how do we build this digitally signed binary with CarbonCopy?

Above is a successfully spoofed signature. The requirements are simple: CarbonCopy takes, in order, the hostname of the website whose certificate we want to imitate, its port, the target payload, and the name of the output file.

You will also need osslsigncode installed; CarbonCopy calls it to apply the signature to the binary.
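To make the build step and the inspection step above concrete without CarbonCopy or network access, here is an added PowerShell example (not CarbonCopy's code and not from the original page). It creates a lookalike code-signing certificate offline with New-SelfSignedCertificate, signs a scratch script with it, and then inspects the result the way a reviewer should: by chain trust and certificate age, not by the subject string. The subject string and the vendor-name pattern are assumptions chosen for illustration. One difference from CarbonCopy is labelled in the comments: CarbonCopy copies the issuer fields as well, so on its output the Issuer column can also look legitimate, which is why the chain-trust check is the one that holds.

```powershell
# Added example, not CarbonCopy's code. Builds a lookalike code-signing certificate
# offline, signs a scratch file with it, and inspects the signature by chain trust.
# The subject below is an assumed lookalike string, not a real Microsoft certificate.
# CarbonCopy also clones the issuer fields, so Issuer can look legitimate on its
# output; Subject -eq Issuer will then be false, but the chain is still untrusted.

function New-LookalikeSigner {
    param([string]$Subject = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US')
    # Self-signed: issuer equals subject and nothing chains to a trusted root.
    New-SelfSignedCertificate -Subject $Subject -Type CodeSigningCert `
        -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1)
}

function Test-SignedFile {
    param([Parameter(Mandatory)][string]$Path,
          [int]$RecentDays = 30,
          [string]$VendorPattern = 'Microsoft|Google|Adobe|Oracle|VMware')  # assumed watch-list
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Subject = $null
                                  Issuer = $null; NotBefore = $null; ChainTrusted = $false
                                  Flags = 'NotSigned' }
    }
    # Build the chain against this machine's trust stores; revocation is skipped so it runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    $flags = @()
    # A vendor-looking subject whose signature does not validate is the CarbonCopy pattern.
    if ($cert.Subject -match $VendorPattern -and ($sig.Status -ne 'Valid' -or -not $trusted)) { $flags += 'VendorLookalikeUntrusted' }
    if ($cert.Subject -eq $cert.Issuer) { $flags += 'SelfSigned' }
    # Real vendor certificates are rarely brand new; a NotBefore in the last month is worth a look.
    if ($cert.NotBefore -gt (Get-Date).AddDays(-$RecentDays)) { $flags += 'RecentlyIssued' }

    [pscustomobject]@{
        Path         = $Path
        Status       = $sig.Status
        StatusMsg    = $sig.StatusMessage
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotBefore    = $cert.NotBefore
        Thumbprint   = $cert.Thumbprint
        ChainTrusted = $trusted
        ChainErrors  = ($chainErrors -join ',')
        Flags        = ($flags -join ',')
    }
}

# Demo: sign a scratch script (Set-AuthenticodeSignature handles .exe, .dll and .ps1 alike) and inspect it.
$target = Join-Path $env:TEMP 'signed-demo.ps1'
Set-Content -Path $target -Value 'Write-Output "hello"'
$cert = New-LookalikeSigner
$null = Set-AuthenticodeSignature -FilePath $target -Certificate $cert
Test-SignedFile -Path $target | Format-List

# Same check over a directory; anything flagged VendorLookalikeUntrusted deserves a closer look.
Get-ChildItem -Path (Join-Path $env:TEMP '*') -Include *.exe,*.dll,*.ps1 |
    ForEach-Object { Test-SignedFile -Path $_.FullName } | Where-Object { $_.Flags } | Format-Table Path, Status, Subject, Flags

# Remove the throwaway certificate from the user store.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
```

On the scratch file the report shows the Microsoft-looking subject next to a non-Valid status, ChainTrusted false with an UntrustedRoot chain error, and the SelfSigned and RecentlyIssued flags. Those last two columns are exactly what the property dialog in the screenshots above is telling you: the name is cosmetic, the chain is not.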
