Veil Evasion + Code Signing = ???

On a recent assessment, it was brought to my attention that in order for most binaries to run, they had to be code signed. I knew what code signing was at a conceptual level, however, how the heck was I actually going to sign my generated payload?!

Per the usual, there are probably things I could do better/differently. This was all made up on the spot during an assessment.


The Situation

As mentioned in the brief abstract at the top, I was recently on an assessment where binaries on the system had to have a digital signature in order to execute--not to mention we had to bypass A/V. Pretty crazy setup, however, thinking outside the box is what we're supposed to do, right? Luckily for us, the organization was not requiring verified code signatures, rather, any would suffice.

So, what needed to be done?

  • Generate malicious payload not detected by corporate A/V
  • Sign the payload

Two simple things. Getting there, however, was a challenge.

Generating the Payload

Generating meterpreter payloads with msfvenom is quite easy; a simple Google search yields thousands of results. A personal favorite evasion tool is Veil-Evasion, AKA Veil-Framework. Their description is quite fitting:

Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions.

Link to the framework: https://github.com/Veil-Framework/Veil

Veil is quite easy to use. Due to things out of my control, I cannot specify which payloads within Veil I leveraged to bypass this organization's A/V solution, however, you could probably figure it out yourself.

In my lab, I had a basic A/V solution to test against--you should too. In this case, the generated payload was not detected:

*Sadly, still undetected.. :/ The "Total threats removed" was the standard meterpreter payload and me forgetting to turn off realtime. D:

Sign the Payload

Mini victory; our payload is undetected. As stated, however, it will simply be denied running unless it has some sort of digital signing attached to the payload. Again, it CAN be self signed. How are we supposed to get there and what exactly is signing?

In my endeavors, and as someone not entirely knowing what I was doing, I leveraged powershell and the signtool from the WindowsSDK. If you don't have the Windows SDK, I recommend you download it:

https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk

*Note, this is the Windows 10 SDK

So, before we continue, what exactly is signing?

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. 1

Think of this as the SSL/PGP of code (the verification/trust side of it). It is a certificate-based process. In fact, you can buy a cert for your code similarly to how you do for your website. Heck, you can even get certs to validate your Office Macros/VBA scripts (I don't see why that would not be useful ;) ):

https://www.websecurity.symantec.com/code-signing

Generate the Cert

Leveraging powershell, we are going to generate a self-signed code signing cert. This will be stored in our personal cert storage in Windows. The first part of code to run is: 2

$cert = New-SelfSignedCertificate -DnsName some.domain.com -Type CodeSigning -CertStoreLocation Cert:\CurrentUser\My

Once you've generated the cert, you can see it by running certmgr.msc and viewing the Personal Certificates node on the left. Upon clicking it, you should now see the code signing cert:

Sign your EXE

Last but not least, we can now sign our EXE. While you CAN sign with powershell, I did not know much more about how to do that--I'm honest--and I was on the spot during the assessment. This is where the Windows SDK signtool 3 came in.

The signtool will automatically pull the cert from our personal certificate node that we just generated. What are we waiting for? Sign the thing!

signtool.exe sign /a "C:\Users\xxxxx\Desktop\meepmeep2.exe"  

Inspect the Changes

Assuming all went well, you should be able to observe that a certificate has now been added to your EXE. Here is a before and after screenshot. Notice that the after side on the right now has a 'Digital Signatures' section, and we now see our signature!

Meepmeep is ready for prime time!

Update/Improvement

Not too long after I published this, I saw a tweet come across that mentioned signing binaries. Rather than you generating and signing manually, this script will rip/clone the signature from one PE file to another. This can be EXTREMELY useful, especially if you are in a tight spot of don't want to do it the hard way.

Go check out SigThief (https://github.com/secretsquirrel/SigThief) on Github!


I hope this was not too bad to read/go through. I'm curious to know if someone else ran into a similar situation. Thank you for stopping by and reading!

Cheers,
P.

References:

Join EFF!