
How to Copy Digital Certificates from One App to Another

AnonyViet by AnonyViet
March 10, 2023
in Security

The purpose of digital certificates (signing certificates) is to verify that a file comes from a trusted source, that it has not been tampered with before you received it, and that its origin can be authenticated. Code signing generates a hash of the code and encrypts that hash with the publisher's private key to produce the signature. At execution time the signature is verified, and if the hash matches, the code has not been modified. A user or security tool can trust signed code over unsigned code even without knowing who issued the certificate or who the author is.

So what is an authentic digital signature or digital certificate? Simply put, it is a way to identify a software publisher. The publisher signs the driver or driver package, tagging it with a digital certificate that verifies the publisher's identity. With embedded signatures, the digital signature is placed in a non-executable portion of the driver file, so signing does not change the driver's implementation.
Authenticode is a form of code signing implemented by Microsoft, but it is not the only way to sign a driver. The Windows Hardware Certification Suite has test programs for different types of devices. If a test program exists for the device type, the publisher can use a WHQL release signature for the driver package, which consists of a signed catalog file. If no test program is available, the publisher can sign the driver with Authenticode.
There are two ways you can check or verify a certificate.

2 ways to check digital certificates

First way

The first is the Get-AuthenticodeSignature cmdlet in PowerShell, which simply retrieves the Authenticode signature of a file. I will use VS Code as an example.

PS C:\Users\User > Get-AuthenticodeSignature "C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe"

    Directory: C:\Users\User\AppData\Local\Programs\Microsoft VS Code

SignerCertificate                         Status                                Path
-----------------                         ------                                ----
8740DF4ACB749640AD318E4BE842F72EC651AD80  Valid                                 Code.exe

You can pipe the output to Format-List.
PowerShell quick tip: there is a lot of information, but you only need the SignerCertificate and Status properties. Add the -Property parameter after Format-List and specify which properties you want.

PS C:\Users\User > Get-AuthenticodeSignature "C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe" | Format-List

SignerCertificate      : [Subject]
                           CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Issuer]
                           CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Serial Number]
                           33000002528B33AAF895F339DB000000000252

                         [Not Before]
                           9/2/2021 11:32:59 AM

                         [Not After]
                           9/1/2022 11:32:59 AM

                         [Thumbprint]
                           8740DF4ACB749640AD318E4BE842F72EC651AD80

TimeStamperCertificate : [Subject]
                           CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:D082-4BFD-EEBA, OU=Microsoft Ireland
                         Operations Limited, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Issuer]
                           CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Serial Number]
                           330000018FF351A8EB5A72DDCC00010000018F

                         [Not Before]
                           10/28/2021 12:27:46 PM

                         [Not After]
                           1/26/2023 11:27:46 AM

                         [Thumbprint]
                           3E4D2F820476E748070746A02695D1605B419A6A

Status                 : Valid
StatusMessage          : Signature verified.
Path                   : C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
SignatureType          : Authenticode
IsOSBinary             : False
PS C:\Users\User > Get-AuthenticodeSignature "C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe" | Format-List -Property Status, SignerCertificate

Status            : Valid
SignerCertificate : [Subject]
                      CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                    [Issuer]
                      CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                    [Serial Number]
                      33000002528B33AAF895F339DB000000000252

                    [Not Before]
                      9/2/2021 11:32:59 AM

                    [Not After]
                      9/1/2022 11:32:59 AM

                    [Thumbprint]
                      8740DF4ACB749640AD318E4BE842F72EC651AD80

If you prefer GUI, then you can go to file properties and see the certificate there.

The second way

The second tool is SignTool from the Windows SDK. Unlike Get-AuthenticodeSignature, SignTool verifies a file's certificate against either the Windows Driver Verification Policy (the default) or the Default Authenticode Verification Policy. SignTool ships with the Windows SDK, so you need to install that SDK first:
https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/

The /pa option selects the Default Authenticode Verification Policy. Without it, SignTool verifies against the Windows Driver Verification Policy, and an error occurs if the file is signed with an ordinary Authenticode code signing certificate, as with the file below.

Without /pa

PS C:\Users\User > & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" verify "C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe"
File: C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
Index  Algorithm  Timestamp
========================================
SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of errors: 1

With /pa

PS C:\Users\User > & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" verify /pa "C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe"
File: C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
Index  Algorithm  Timestamp
========================================
0      sha256     RFC3161

Successfully verified: C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe

Copy digital certificates from one app to another

SigThief is a tool that copies the signature from one file and applies it to another (.exe, .cab, .dll, .ocx, .msi, .xpi and .xap files, as well as kernel-mode software). For example, you can apply a Microsoft certificate to Mimikatz. The tool does not add a valid signature to the file, which I will come back to later; its purpose is to test AV software to see how they prioritize CAs and whether they actually check the validity of the signature.

Using SigThief

The tool itself is very simple: it takes the signature from one file and adds it to another. There are other options, such as extracting the signature and saving it for later use, so the same signature can be applied to multiple files.

In this example, I will show you how to get the certificate from VS Code and copy it to Mimikatz. The original Mimikatz has not been digitally signed, so in order for it to be undetectable, you should implant the certificate.

PS C:\Users\User > Get-AuthenticodeSignature "C:\Users\User\Downloads\mimikatz_trunk\x64\mimikatz.exe"

    Directory: C:\Users\User\Downloads\mimikatz_trunk\x64

SignerCertificate                         Status                            Path
-----------------                         ------                            ----
                                          NotSigned                         mimikatz.exe
PS C:\Tools\SigThief > python .\sigthief.py -i "C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe" -t "C:\Users\User\Downloads\mimikatz_trunk\x64\mimikatz.exe" -o mimicode.exe

!! New Version available now for Dev Tier Sponsors! Sponsor here: https://github.com/sponsors/secretsquirrel

Output file: mimicode.exe
Signature appended.
FIN.

PS C:\Tools\SigThief > .\mimicode.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # exit
Bye!
PS C:\Tools\SigThief > Get-AuthenticodeSignature .\mimicode.exe

    Directory: C:\Tools\SigThief

SignerCertificate                         Status                            Path
-----------------                         ------                            ----
8740DF4ACB749640AD318E4BE842F72EC651AD80  HashMismatch                      mimicode.exe

The Code.exe certificate was copied to mimikatz.exe and a new binary was created.
This file can now be uploaded to VirusTotal or tested against the AV on your own system. The goal is to see whether or not AV still detects the malicious executable when it carries a signature from a trusted party.

But just because it’s signed from a trusted party doesn’t mean the executable is legit. Similar to HTTPS, just because your connection is private doesn’t mean the site you’re visiting is secure.


With mimicode.exe now carrying a VS Code certificate, it seems legit. Compare the SignerCertificate of mimicode.exe with that of Code.exe:

PS C:\Users\User > Get-AuthenticodeSignature "C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe"

    Directory: C:\Users\User\AppData\Local\Programs\Microsoft VS Code

SignerCertificate                         Status                                Path
-----------------                         ------                                ----
8740DF4ACB749640AD318E4BE842F72EC651AD80  Valid                                 Code.exe

I say "seems" for several reasons. As I mentioned before, the tool does not add a valid signature to the file, and the Digital Signature Details dialog states this clearly.


The thumbprint of the copied certificate matches the one on Code.exe, but that is just reading a value out of the file. When you verify the SigThief output with SignTool, you get an error.

PS C:\Users\User > & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" verify /pa "C:\Tools\SigThief\mimicode.exe"
File: C:\Tools\SigThief\mimicode.exe
Index  Algorithm  Timestamp
========================================
SignTool Error: WinVerifyTrust returned error: 0x80096010
        The digital signature of the object did not verify.

Number of errors: 1

Unlike the successful verification of Code.exe, this error refers to WinVerifyTrust, a CryptoAPI function that performs a trust verification action on a specified object. This is why SignTool matters: it performs a verification rather than just reading a value. The data is passed to a trust provider, which checks it against the certificate trust list, and here the file's hash does not match the hash stored in the digital signature. This is essentially what SignTool's verify command does.

In the image above, you can also notice the file icon is the same as Mimikatz.

The file properties also show a lot of clues:

  • File description
  • Product name
  • Original filename


PS C:\Tools > Get-Item C:\Tools\SigThief\mimicode.exe | select-object -property *

PSPath            : Microsoft.PowerShell.Core\FileSystem::C:\Tools\SigThief\mimicode.exe
PSParentPath      : Microsoft.PowerShell.Core\FileSystem::C:\Tools\SigThief
PSChildName       : mimicode.exe
PSDrive           : C
PSProvider        : Microsoft.PowerShell.Core\FileSystem
PSIsContainer     : False
Mode              : -a----
VersionInfo       : File:             C:\Tools\SigThief\mimicode.exe
                    InternalName:     mimikatz
                    OriginalFilename: mimikatz.exe
                    FileVersion:      2.2.0.0
                    FileDescription:  mimikatz for Windows
                    Product:          mimikatz
                    ProductVersion:   2.2.0.0
                    Debug:            False
                    Patched:          False
                    PreRelease:       True
                    PrivateBuild:     True
                    SpecialBuild:     True
                    Language:         English (United States)

BaseName          : mimicode
Target            : {}
LinkType          :
Name              : mimicode.exe
Length            : 1365416
DirectoryName     : C:\Tools\SigThief
Directory         : C:\Tools\SigThief
IsReadOnly        : False
Exists            : True
FullName          : C:\Tools\SigThief\mimicode.exe
Extension         : .exe
CreationTime      : 2/13/2023 10:18:09 AM
CreationTimeUtc   : 2/13/2023 6:18:09 PM
LastAccessTime    : 2/13/2023 6:38:31 PM
LastAccessTimeUtc : 2/14/2023 2:38:31 AM
LastWriteTime     : 2/13/2023 10:18:09 AM
LastWriteTimeUtc  : 2/13/2023 6:18:09 PM
Attributes        : Archive
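As an added example (not part of the article or of SigThief), the following PowerShell script pulls the checks above together for a defender: it audits a directory for files whose embedded signature reports HashMismatch, whose version resource names a different OriginalFilename, or that SignTool refuses to verify. The audit directory and the SignTool path are assumptions (placeholders) and must be adjusted to your system.

```powershell
# Added example, not from the article: audit a directory for appended or copied
# Authenticode signatures and for version-resource clues, as described above.
param(
    # Assumed: directory to audit (placeholder).
    [string]$Path = "C:\Tools",
    # Assumed: SignTool location from the Windows SDK (placeholder; may differ).
    [string]$SignToolPath = "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe"
)

function Test-SignedFile {
    param([System.IO.FileInfo]$File)

    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    $vi  = $File.VersionInfo
    $findings = @()

    # A signature block is present (the thumbprint is known) but the file hash
    # does not match it: exactly what an appended, copied signature produces.
    if ($sig.Status -eq 'HashMismatch') {
        $findings += "signature present but HashMismatch (signer $($sig.SignerCertificate.Thumbprint))"
    }
    elseif ($sig.Status -ne 'Valid' -and $sig.Status -ne 'NotSigned') {
        $findings += "signature status $($sig.Status): $($sig.StatusMessage)"
    }

    # Version-resource clue: the OriginalFilename differs from the name on disk.
    if ($vi.OriginalFilename -and $vi.OriginalFilename -ne $File.Name) {
        $findings += "OriginalFilename '$($vi.OriginalFilename)' differs from file name"
    }

    # Second opinion from SignTool, which asks WinVerifyTrust to verify the
    # signature instead of only reading the certificate out of the file.
    if (Test-Path $SignToolPath) {
        & $SignToolPath verify /pa /q $File.FullName *> $null
        if ($LASTEXITCODE -ne 0) {
            $findings += "signtool verify /pa failed with exit code $LASTEXITCODE"
        }
    }

    [pscustomobject]@{
        Path       = $File.FullName
        Status     = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Product    = $vi.ProductName
        Findings   = $findings -join '; '
        Suspicious = $findings.Count -gt 0
    }
}

# Report only files with at least one finding; unsigned files are not flagged
# by themselves, since the page's point is a signature that does not verify.
Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File |
    ForEach-Object { Test-SignedFile -File $_ } |
    Where-Object { $_.Suspicious } |
    Format-Table -AutoSize Path, Status, Findings
```

Run against the folder holding mimicode.exe from the walkthrough and it is reported with HashMismatch, an OriginalFilename of mimikatz.exe, and a failed SignTool verification, while the untouched Code.exe produces no findings.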

Attacks using this technique

MITRE Technique

T1588.003 – Obtain Capabilities: Code Signing Certificates
I have covered several ways to check whether a signature is valid and to figure out that a "trusted" executable is actually malicious, but that does not mean this technique is easy to defend against. Stolen certificates are taken from trusted parties and sometimes sold on dark web marketplaces, but they can also be the result of improper certificate storage.

LAPSUS$

In March 2022, LAPSUS$ used a stolen Nvidia code signing certificate to sign malware and get malicious drivers loaded in Windows. These certificates had expired, but Windows still allowed them to be used for driver signing. Some of the malware used in this operation included CS beacons, Mimikatz, backdoors and RATs, all signed with a legitimate certificate.
The mitigation here is to configure Windows Defender Application Control policies to control which drivers can be loaded.

Palmerworm

Palmerworm (BlackTech) is an espionage group that used stolen code signing certificates to sign its payloads.
In another campaign, BlackTech used the Plead backdoor signed with a valid D-Link Corporation code signing certificate, the same certificate used to sign legitimate D-Link software. Other samples used an expired certificate from a Taiwanese company called Changing Information Technology Inc., which was compromised first in order to obtain the certificate.

MegaCortex

MegaCortex ransomware was very active in 2019, with four versions developed between January and November. Each used a code signing certificate issued to a rogue company:

  • MegaCortex v1: “3AN LIMITED”
  • MegaCortex v2: “ABADAN PIZZA LTD”
  • MegaCortex v3: “LYUKS ELIT, LTD” and “FELIX MEDIA PTY LTD”
  • MegaCortex v4: “MURSA PTY LTD”

Ryuk

TheDFIRReport wrote about a Ryuk campaign in November 2020 in which the attackers sent a phishing email containing a Google Drive link to download the Bazar Loader backdoor. The loader used a code signing certificate issued by DigiCert to the organization NOSOV SP ZOO.

OutSteel

This campaign used an email with the subject "Report a crime". When the victim clicks the icons in the document, malicious JavaScript embedded in it runs. The executable downloaded by the JavaScript is a Trojan that its developers signed with a certificate issued to "Electrum Technologies GmbH", an organization related to the Electrum Bitcoin wallet.

Most threat actors break into a company and steal its certificates, and sometimes resell them on underground websites. In 2018, TrendMicro reported that fraudulent EV (Extended Validation) certificates were being offered for sale on forums. Fraudulent certificates are also obtained from legitimate CAs by impersonating a legitimate organization; one example is a Russian financial broker who was impersonated by cybercriminals to obtain certificates for the Razy ransomware.

So what about OSINT? Bill Demirkapi mentioned a great open source technique in his BH/DC talk. He used GrayhatWarfare to search for publicly leaked certificates in S3 buckets by filtering for the PFX and P12 extensions, and found over 6,000 results.

Conclusion

Misuse of digital certificates is not new, but only in the last few years has it proven to be an effective method for bypassing certain security controls so that malware can run and look safe. SigThief is a great testing tool. It is imperative to store private keys in an HSM, which protects the key material and requires physical access to extract it. Validate certificates before using them for code signing, and check whether the code you are signing contains vulnerabilities or malware. Finally, implement a certificate lifecycle management process. This is a lengthy process, but it guarantees that missing, expired, compromised or unused certificates are revoked, renewed or replaced.
