Sunday, January 28, 2018

How can Windows digital signature check be defeated?

Recently, it was determined by a SpecterOps researcher, Matt Graeber, that there is a way to bypass a Windows digital signature check by editing two specific registry keys. This is an important discovery because Windows uses digital signature protection to validate the authenticity of binary files as a security measure.

Digital signature protection is used by Windows and others to determine if a file was tampered with during the time in which it was sent to the receiving party. Being able to validate the integrity of a received file and that it's actually from the party that signed it is important since digital signatures work on trust -- when a system can work around this feature, it opens up doors to malicious activity.

It's also important to state that digital signatures don't secure the file, but give it a level of trust based off of the private key it was signed with; therefore, if that specific key was stolen or used maliciously, then the system would approve the digital signature check.

Many Windows security features and security products rely on the trust and guarantees that a digital signature check brings with it. In the case of the CCleaner malware last month, it spread due to having been signed by a legitimate certificate, which led to the code being trusted by the OS. In his research report, Graeber wrote, "Subverting the trust architecture of Windows, in many cases, is also likely to subvert the efficacy of security products."

The attack is focused on two registry keys that enable you to impersonate files with any other valid signature when adjusted. However, this isn't done via injection of code into the system, but with the registry key modification, meaning the attacker can do this remotely if they have access to the registry. This also means that they must be admins on the system, which isn't incredibly hard to escalate if they aren't don't have permission.

Locking down the administrator rights to limit changes to these keys and implementing monitoring to determine if they were changed would be a way of reviewing if the registry keys were modified, even though this would require the logs of all the systems. It's also possible that a group policy could be made to limit access to these files in greater detail, but these are all reactive methods to this problem.

The issue once again comes down to trust, as this is one area that's put in place to protect you from impersonation. It also happens to be the most likely thing to be used for malicious purposes, especially malware, that would bypass the internal mechanisms to slip past application whitelisting, such as Microsoft's Windows Defender Device Guard.

There needs to be more procedures around digital signature protection to protect against malicious files entering your endpoint.
There needs to be more procedures around digital signature protection to protect against malicious files entering your endpoint, such as reputation services, sandboxes and next-generation malware protection that doesn't rely on signatures.

Is a digital signature check needed? Yes, but it's a layer in the protection against malware, and abusing the trust of these signatures enables them to be bypassed. In the end, we simply need to add more layers to our defense.

My article at: http://searchsecurity.techtarget.com/answer/How-can-Windows-digital-signature-check-be-defeated
Posted by at

13 comments:

  1. James JohnJuly 20, 2018 at 3:07 AM

    Several communities possess singles groups which set about enjoyable breast implants aventura things to do mutually, and this also can be is a good choice courting approach. Situations for instance riding a bike, bowling, curling, video hours, dance in addition to humor golf equipment will be arranged from the singles group, also it enables the evenly-distributed number of people to obtain a great in addition to informal night. With focus applied the actual task per se as an alternative to building a intimate relationship, it will require a great deal of pressure off the singles and sites take place a lot more obviously around such a location. stiply.nl elektronische handtekening

    ReplyDelete
  2. UnknownJuly 24, 2018 at 3:18 AM

    Great thanks for sharing about digital signature. This post will be helpful for the readers who are searching for this type of information. Keep it up.
    Also check out :
    AWS Training in chennai | AWS Training center in velachery

    ReplyDelete
  3. John smithAugust 15, 2018 at 5:17 AM

    For Windows 8 clients the choice to move up to Windows 8.1 ought to be generally simple given the numerous focal points recorded underneath. HTTP Ultimate Guide

    ReplyDelete
  4. viswanathAugust 16, 2018 at 2:08 AM

    AWS Training in Bangalore - Live Online & Classroom
    myTectra Amazon Web Services (AWS) certification training helps you to gain real time hands on experience on AWS. myTectra offers AWS training in Bangalore using classroom and AWS Online Training globally. AWS Training at myTectra delivered by the experienced professional who has atleast 4 years of relavent AWS experince and overall 8-15 years of IT experience. myTectra Offers AWS Training since 2013 and retained the positions of Top AWS Training Company in Bangalore and India.


    IOT Training in Bangalore - Live Online & Classroom
    IOT Training course observes iot as the platform for networking of different devices on the internet and their inter related communication. Reading data through the sensors and processing it with applications sitting in the cloud and thereafter passing the processed data to generate different kind of output is the motive of the complete curricula. Students are made to understand the type of input devices and communications among the devices in a wireless media.

    ReplyDelete
  5. seoforglobeAugust 16, 2018 at 10:00 PM

    Security company Nottinghamshire can provide highly trained and local security guards in Nottinghamshire that are professional security guards in Nottinghamshire

    ReplyDelete
  6. john smithNovember 27, 2018 at 8:26 AM

    You need to make a connection with your audience, and the best way to do that is by effectively using social media promotion. check this website

    ReplyDelete
  7. yoyoserviceDecember 5, 2018 at 12:50 PM

    I really loved reading your blog. It was very well authored and easy to understand. Unlike other blogs I have read which are really not that good.Thanks alot!
    Mason Soiza

    ReplyDelete
  8. umaDecember 11, 2018 at 8:15 AM

    This post will be helpful for the readers who are searching for this type of information. Keep it up.



    java training in Bangalore

    spring training in Bangalore

    java training institute in Bangalore

    spring and hibernate training in Bangalore

    ReplyDelete
  9. มลิวรรณDecember 14, 2018 at 3:20 AM

    Check Digit Signature Many people pay attention. For those who want to read this must be read on this page at all.


    คาสิโนออนไลน์

    ReplyDelete
  10. pavithra dassApril 1, 2019 at 5:54 AM

    You wrote a such a nice blog!! It is very useful for my future reference. All the info you shared with us are truly tremendous.
    Angularjs Training in Chennai
    Angularjs course in Chennai
    Selenium Training in Chennai
    Software Testing Training in Chennai
    Java Training in Chennai
    AngularJS Training in Anna Nagar
    AngularJS Training in T Nagar

    ReplyDelete
  11. IT TutorialsJuly 29, 2019 at 7:04 AM



    Get the most advanced AWS Course by Professional expert. Just attend a FREE Demo session.
    For further details call us @ 9884412301 | 9600112302
    AWS training in chennai | AWS training in velachery

    ReplyDelete
  12. IT TutorialsJuly 31, 2019 at 1:34 AM




    Get the most advanced Python Course by Professional expert. Just attend a FREE Demo session.
    For further details call us @ 9884412301 | 9600112302
    Python training in chennai | Python training in velachery

    ReplyDelete

Subscribe to: Post Comments (Atom)