The purpose of digital certificates (signing certificates) is to verify that a file comes from a trusted source, that it has not been tampered with before it reached you, and that its origin can be authenticated. Signing computes a hash of the code and encrypts that hash with the publisher's private key; the result is the signature. At execution time the signature is verified, and if the recomputed hash matches the signed one, the code has not been modified. A user or a security tool will generally trust signed code over unsigned code, even without knowing who issued the certificate or who the author is.
Authenticode is the form of code signing implemented by Microsoft. Authenticode is not the only way to sign a driver. The Windows Hardware Certification Kit has checklists for different types of devices. If the checklist for the device type includes a test program, the publisher can use a WHQL release signature for the driver package; the WHQL release signature takes the form of a signed catalog file. If no test program is available, the publisher can sign the driver with Authenticode instead.
There are two ways to check or verify a file's certificate.
Two ways to check digital certificates
First way
The first is the PowerShell cmdlet Get-AuthenticodeSignature. It simply retrieves the Authenticode signature of a file. I will use VS Code as an example.
PS C:\Users\User> Get-AuthenticodeSignature "C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe"

    Directory: C:\Users\User\AppData\Local\Programs\Microsoft VS Code

SignerCertificate                         Status   Path
-----------------                         ------   ----
8740DF4ACB749640AD318E4BE842F72EC651AD80  Valid    Code.exe
You can pipe the output to Format-List to see every property.
PowerShell quick tip:
There is a lot of information, but you only need to care about the SignerCertificate and Status properties. Add the -Property parameter after Format-List and name the properties you want.
PS C:\Users\User> Get-AuthenticodeSignature "C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe" | Format-List

SignerCertificate      : [Subject]
                           CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                         [Issuer]
                           CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                         [Serial Number]
                           33000002528B33AAF895F339DB000000000252
                         [Not Before]
                           9/2/2021 11:32:59 AM
                         [Not After]
                           9/1/2022 11:32:59 AM
                         [Thumbprint]
                           8740DF4ACB749640AD318E4BE842F72EC651AD80
TimeStamperCertificate : [Subject]
                           CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:D082-4BFD-EEBA, OU=Microsoft Ireland Operations Limited, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                         [Issuer]
                           CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                         [Serial Number]
                           330000018FF351A8EB5A72DDCC00010000018F
                         [Not Before]
                           10/28/2021 12:27:46 PM
                         [Not After]
                           1/26/2023 11:27:46 AM
                         [Thumbprint]
                           3E4D2F820476E748070746A02695D1605B419A6A
Status                 : Valid
StatusMessage          : Signature verified.
Path                   : C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
SignatureType          : Authenticode
IsOSBinary             : False
PS C:\Users\User> Get-AuthenticodeSignature "C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe" | Format-List -Property Status, SignerCertificate

Status            : Valid
SignerCertificate : [Subject]
                      CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                    [Issuer]
                      CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                    [Serial Number]
                      33000002528B33AAF895F339DB000000000252
                    [Not Before]
                      9/2/2021 11:32:59 AM
                    [Not After]
                      9/1/2022 11:32:59 AM
                    [Thumbprint]
                      8740DF4ACB749640AD318E4BE842F72EC651AD80
If you prefer a GUI, you can open the file's properties and see the certificate there.
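The Status and SignerCertificate properties above are the minimum, but a reviewer usually also wants to know whether the signer certificate actually carries the Code Signing EKU, whether its chain builds against the local trust store, and whether the signature is timestamped. The following function is an added example, not code from the original post; it wraps Get-AuthenticodeSignature and pulls those extra facts out of the returned .NET objects. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the VS Code path in the usage line is only a placeholder.

```powershell
# Added example (not from the original post): inspect one file's Authenticode
# signature and surface the properties that matter for a trust decision.
function Get-SignatureReport {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Code Signing EKU OID; a certificate without it should not be signing code.
    $codeSigningOid    = '1.3.6.1.5.5.7.3.3'
    $hasCodeSigningEku = $false
    $chainTrusted      = $false
    $chainStatus       = $null

    if ($cert) {
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq $codeSigningOid) { $hasCodeSigningEku = $true }
                }
            }
        }
        # Build the chain against this machine's trust store. Note that the chain
        # is evaluated as of now, so an expired signer whose signature is
        # timestamped can report ChainTrusted = False while Status is still Valid;
        # that gap is exactly what Authenticode's timestamp handling covers.
        $chain        = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainTrusted = $chain.Build($cert)
        $chainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }

    [pscustomobject]@{
        Path              = $Path
        Status            = $sig.Status
        StatusMessage     = $sig.StatusMessage
        SignatureType     = $sig.SignatureType
        Signer            = if ($cert) { $cert.Subject }    else { $null }
        Issuer            = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint        = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter          = if ($cert) { $cert.NotAfter }   else { $null }
        HasCodeSigningEku = $hasCodeSigningEku
        ChainTrusted      = $chainTrusted
        ChainStatus       = $chainStatus
        Timestamped       = [bool]$sig.TimeStamperCertificate
        IsOSBinary        = $sig.IsOSBinary
    }
}

# Usage (placeholder path, the same VS Code binary the post uses).
Get-SignatureReport -Path "$env:LOCALAPPDATA\Programs\Microsoft VS Code\Code.exe" | Format-List
```

Read Status first: anything other than Valid means the rest of the report describes a certificate that was merely attached to the file, not one that vouches for it.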
The second way
The second tool is SignTool from the Windows SDK. Unlike Get-AuthenticodeSignature, SignTool verifies a file's signature against either the Windows driver policy (the default) or the Default Authenticode Verification Policy. SignTool ships with the Windows SDK, so you need to install the SDK first.
https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/
Option /pa
Use the Default Authenticode Verification Policy. Without it, SignTool verifies against the Windows driver policy, and a file signed with an ordinary code signing certificate rather than a driver signature, like the one below, fails verification.
Without /pa
PS C:\Users\User> & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" verify "C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe"

File: C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
Index  Algorithm  Timestamp
========================================
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Number of errors: 1
With /pa
PS C:\Users\User> & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" verify /pa "C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe"

File: C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
Index  Algorithm  Timestamp
========================================
0      sha256     RFC3161

Successfully verified: C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
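Because SignTool lives in a version-specific folder under the Windows Kits directory and reports its result through an exit code, it is worth wrapping. The function below is an added example, not code from the original post or from the SDK; it finds the newest x64 signtool.exe under the default Windows Kits path, runs verify with /pa (the post's case) or without it (driver policy), and maps the exit code. It assumes the Windows 10 SDK is installed in its default location.

```powershell
# Added example (not from the original post): run SignTool verification and
# translate its exit code. Assumes the Windows 10 SDK under Program Files (x86).
function Invoke-SignToolVerify {
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        # By default /pa is used (Default Authenticode Verification Policy);
        # pass -DriverPolicy to verify against the Windows driver policy instead.
        [switch]$DriverPolicy
    )

    $kitsRoot = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\bin'
    # Version folders sort lexically (10.0.19041.0 < 10.0.22621.0), so the
    # descending sort picks the newest installed SDK.
    $signtool = Get-ChildItem -Path $kitsRoot -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like '*\x64\signtool.exe' } |
        Sort-Object FullName -Descending |
        Select-Object -First 1
    if (-not $signtool) {
        throw "signtool.exe not found under $kitsRoot; install the Windows SDK first."
    }

    $argList = @('verify', '/v')
    if (-not $DriverPolicy) { $argList += '/pa' }
    $argList += $Path

    $output = & $signtool.FullName @argList 2>&1
    $exit   = $LASTEXITCODE

    # SignTool exit codes: 0 = verified, 1 = failed, 2 = completed with warnings.
    $result = switch ($exit) {
        0       { 'Verified' }
        1       { 'Failed' }
        2       { 'Warnings' }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        Path     = $Path
        Policy   = if ($DriverPolicy) { 'WindowsDriver' } else { 'DefaultAuthenticode' }
        ExitCode = $exit
        Result   = $result
        Output   = ($output | Out-String).Trim()
    }
}

# Usage (placeholder path): verify under the Default Authenticode policy.
Invoke-SignToolVerify -Path "$env:LOCALAPPDATA\Programs\Microsoft VS Code\Code.exe" | Format-List
```

The Output field keeps SignTool's text, so the "root certificate which is not trusted" and "did not verify" messages from the post remain visible alongside the mapped result.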
Copying a digital certificate from one application to another
Using SigThief
The tool itself is very simple: take the signature from one file and append it to another. There are other options, such as extracting the signature and saving it for later so the same signature can be applied to multiple files.
In this example, I will show how to take the certificate from VS Code and copy it onto Mimikatz. The original Mimikatz is not digitally signed; the question this test answers is whether implanting a trusted party's signature hides it from detection.
PS C:\Users\User> Get-AuthenticodeSignature "C:\Users\User\Downloads\mimikatz_trunk\x64\mimikatz.exe"

    Directory: C:\Users\User\Downloads\mimikatz_trunk\x64

SignerCertificate  Status     Path
-----------------  ------     ----
                   NotSigned  mimikatz.exe
PS C:\Tools\SigThief> python .\sigthief.py -i "C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe" -t "C:\Users\User\Downloads\mimikatz_trunk\x64\mimikatz.exe" -o mimicode.exe
!! New Version available now for Dev Tier Sponsors! Sponsor here: https://github.com/sponsors/secretsquirrel
Output file: mimicode.exe
Signature appended.
FIN.

PS C:\Tools\SigThief> .\mimicode.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # exit
Bye!
PS C:\Tools\SigThief> Get-AuthenticodeSignature .\mimicode.exe

    Directory: C:\Tools\SigThief

SignerCertificate                         Status        Path
-----------------                         ------        ----
8740DF4ACB749640AD318E4BE842F72EC651AD80  HashMismatch  mimicode.exe
The Code.exe certificate was copied onto mimikatz.exe and a new binary was created.
This file can now be uploaded to VirusTotal, or tested against the AV on your own system. The goal is to see whether AV still flags the malicious executable when it carries a signature from a trusted party. It does not.
But just because a file is signed by a trusted party doesn't mean the executable is legitimate. It is similar to HTTPS: just because your connection is private doesn't mean the site you're visiting is safe.
With mimicode.exe now carrying a VS Code certificate, it seems legitimate. Compare the SignerCertificate of mimicode.exe with that of Code.exe:
PS C:\Users\User> Get-AuthenticodeSignature "C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe"

    Directory: C:\Users\User\AppData\Local\Programs\Microsoft VS Code

SignerCertificate                         Status   Path
-----------------                         ------   ----
8740DF4ACB749640AD318E4BE842F72EC651AD80  Valid    Code.exe
I say "seems" for several reasons. As I mentioned before, the tool does not add a valid signature to the file. This is clearly stated in the Digital Signature Details dialog.

The signer certificate thumbprint matches that of Code.exe, but that is only reading a value out of the appended blob; it is not a verification. When you verify a file produced by SigThief with SignTool, you get an error.
PS C:\Users\User> & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" verify /pa "C:\Tools\SigThief\mimicode.exe"

File: C:\Tools\SigThief\mimicode.exe
Index  Algorithm  Timestamp
========================================
SignTool Error: WinVerifyTrust returned error: 0x80096010
        The digital signature of the object did not verify.

Number of errors: 1
Unlike the successful verification of Code.exe, this error refers to WinVerifyTrust. WinVerifyTrust is a CryptoAPI function that performs a trust verification action on a specified object. This is what makes SignTool important: it performs a verification action rather than just reading a value. The file is handed to a trust provider, which checks it against the certificate trust list and recomputes the file's hash. Here the file's hash does not match the hash stored in the digital signature. That, in essence, is what SignTool's verify command does.
In the image above, you can also see that the file icon is the same as Mimikatz's.
The file properties also give plenty of clues:
- File description
- Product name
- Original filename
PS C:\Tools> Get-Item C:\Tools\SigThief\mimicode.exe | Select-Object -Property *

PSPath            : Microsoft.PowerShell.Core\FileSystem::C:\Tools\SigThief\mimicode.exe
PSParentPath      : Microsoft.PowerShell.Core\FileSystem::C:\Tools\SigThief
PSChildName       : mimicode.exe
PSDrive           : C
PSProvider        : Microsoft.PowerShell.Core\FileSystem
PSIsContainer     : False
Mode              : -a----
VersionInfo       : File:             C:\Tools\SigThief\mimicode.exe
                    InternalName:     mimikatz
                    OriginalFilename: mimikatz.exe
                    FileVersion:      2.2.0.0
                    FileDescription:  mimikatz for Windows
                    Product:          mimikatz
                    ProductVersion:   2.2.0.0
                    Debug:            False
                    Patched:          False
                    PreRelease:       True
                    PrivateBuild:     True
                    SpecialBuild:     True
                    Language:         English (United States)
BaseName          : mimicode
Target            : {}
LinkType          :
Name              : mimicode.exe
Length            : 1365416
DirectoryName     : C:\Tools\SigThief
Directory         : C:\Tools\SigThief
IsReadOnly        : False
Exists            : True
FullName          : C:\Tools\SigThief\mimicode.exe
Extension         : .exe
CreationTime      : 2/13/2023 10:18:09 AM
CreationTimeUtc   : 2/13/2023 6:18:09 PM
LastAccessTime    : 2/13/2023 6:38:31 PM
LastAccessTimeUtc : 2/14/2023 2:38:31 AM
LastWriteTime     : 2/13/2023 10:18:09 AM
LastWriteTimeUtc  : 2/13/2023 6:18:09 PM
Attributes        : Archive
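The two clues this section establishes, a HashMismatch status and a version resource whose OriginalFilename disagrees with the name on disk, are cheap to check at scale. The function below is an added example, not code from the original post or from SigThief; it sweeps a directory for executables and DLLs, runs Get-AuthenticodeSignature on each, and reports every file that is unsigned, whose signature does not cover its content, or whose embedded original file name differs from its current name. The root path in the usage line is a placeholder.

```powershell
# Added example (not from the original post): find files whose appended
# signature does not match their content (HashMismatch, the SigThief case),
# unsigned binaries, and binaries renamed away from their OriginalFilename.
function Find-SuspiciousSignedFiles {
    param(
        [Parameter(Mandatory)]
        [string]$Root
    )

    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file    = $_
            $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
            $orig    = $file.VersionInfo.OriginalFilename
            $reasons = @()

            switch ($sig.Status) {
                'HashMismatch' { $reasons += 'signature does not cover this file content' }
                'NotSigned'    { $reasons += 'no Authenticode signature' }
                'Valid'        { }
                default        { $reasons += "signature status $($sig.Status)" }
            }

            # A renamed binary usually keeps its original resource name
            # (mimicode.exe still reports OriginalFilename mimikatz.exe).
            if ($orig -and ($orig -ne $file.Name)) {
                $reasons += "OriginalFilename '$orig' differs from '$($file.Name)'"
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Path             = $file.FullName
                    Status           = $sig.Status
                    Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    OriginalFilename = $orig
                    FileDescription  = $file.VersionInfo.FileDescription
                    Reasons          = $reasons -join '; '
                }
            }
        }
}

# Usage (placeholder path): sweep a tools or downloads folder.
Find-SuspiciousSignedFiles -Root 'C:\Tools' | Format-Table -AutoSize
```

A differing OriginalFilename is a clue rather than proof, since legitimate installers are renamed all the time; a HashMismatch status, on the other hand, means the signature was never produced over this file's bytes and is a strong signal on its own.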
Attacks using this technique
MITRE technique
T1588.003 – Obtain Capabilities: Code Signing Certificates
I've covered several ways to check whether a signature is valid and to quickly work out that a "trusted" executable is actually malicious, but that doesn't mean this technique is easy to defend against. Stolen certificates are collected from trusted parties and sometimes sold on the dark web through e-commerce sites, but they can also be the result of improper certificate storage.
LAPSUS$
In March 2022, LAPSUS$ used stolen Nvidia code signing certificates to sign malware and load malicious drivers on Windows. The certificates had expired, but Windows still allowed them to be used for driver signing. The malware used in this operation included Cobalt Strike beacons, Mimikatz, backdoors and RATs, all of them carrying valid signatures.
The mitigation here is to configure Windows Defender Application Control policies that control which drivers can be loaded.
Palmerworm
Palmerworm (BlackTech) is an espionage group that used stolen code signing certificates to sign its payloads.
In another campaign, BlackTech used the Plead backdoor signed with a valid D-Link Corporation code signing certificate, the same certificate that had been used to sign non-malicious D-Link software. Other samples used an expired certificate from a Taiwanese company called Changing Information Technology Inc.; that company was compromised first in order to obtain the certificate.
MegaCortex
MegaCortex ransomware was very busy in 2019, with four versions developed between January and November. They used code signing certificates issued to rogue companies:
- MegaCortex v1: “3AN LIMITED”
- MegaCortex v2: “ABADAN PIZZA LTD”
- MegaCortex v3: “LYUKS ELIT, LTD” and “FELIX MEDIA PTY LTD”
- MegaCortex v4: “MURSA PTY LTD”
Ryuk
The DFIR Report wrote about a Ryuk campaign in November 2020 in which Ryuk sent a phishing email containing a Google Drive link that downloaded the Bazar Loader backdoor. The loader was signed with a code signing certificate issued by DigiCert to the organization NOSOV SP ZOO.
OutSteel
The lure is an email with the subject “Report a crime”. When the victim clicks on the icons, malicious JavaScript embedded in the document runs. The executable downloaded by the JavaScript is a Trojan that its developers signed with a certificate issued to “Electrum Technologies GmbH”, an organization associated with the Electrum Bitcoin wallet.
Most threat actors break into a company and steal its certificates, and sometimes resell them on underground websites. In 2018, Trend Micro reported that fraudulent EV (Extended Validation) certificates were being offered for sale on forums. Fraudulent certificates can also be obtained from legitimate CAs by impersonating a legitimate organization. One example is a Russian financial broker who became the target of cybercriminals using fraudulent certificates for the Razy ransomware.
So what about OSINT? Bill Demirkapi described a great open source technique in his Black Hat / DEF CON talk: he used GrayhatWarfare to search publicly exposed S3 buckets for leaked certificates by filtering on the PFX and P12 extensions, and found over 6,000 results.
Conclusion
Misuse of digital certificates is not new, but only in the last few years has it proven to be an effective way of bypassing certain security controls so that malware can run and look safe. SigThief is a great testing tool for exercising those controls.
It is imperative to keep private keys in an HSM, which hides and protects the key material because physical access is required to obtain the key. Validate certificates before using them for code signing, and check whether the code you are signing contains vulnerabilities or malware. Finally, implement a certificate lifecycle management process. It is a lengthy process, but it guarantees that missing, expired, compromised or unused certificates are revoked, renewed or replaced.