Windows digital signature bypassed with two registry edits
The DerbyCon keynote covered why security research is an approachable field, as well as how to bypass a Windows digital signature check to run unwanted code.
LOUISVILLE, Ky. -- Despite being considered the gold standard for code authentication, Windows digital signature protection can be defeated simply and should not be relied on exclusively to authenticate binary files, according to a researcher speaking at DerbyCon 7.0.
Matt Graeber, security researcher for SpecterOps Inc., a cybersecurity company headquartered in McLean, Va., showed how two simple registry key edits could bypass Windows digital signature checks and allow a malicious actor to run code.
Graeber said digital signatures are meant to achieve two things: informing you of the entity that signed the code and guaranteeing the integrity of the binary. "After it was signed, was it corrupted or backdoored in some way so that the hashes would not match?"
Graeber was careful to note that passing a Windows digital signature check was not in itself evidence that code was benign, as the recent CCleaner incident proved.
"The attackers who compromised the [CCleaner] signing infrastructure signed a malicious update. So, really, all a digital signature guarantees as far as the entity is concerned is that whoever controls the private key is that entity," Graeber said. "In the case of [CCleaner], it was the attackers who were the verified entity in that case."
Graeber expanded on this in his white paper, "Subverting Trust in Windows," and wrote that aside from validating the source and integrity of signed code, "code signing and trust validation are also critical malware classification components for many security products."
"Proper trust validation also serves as an enforcement component of most application whitelisting solutions," Graeber wrote. "Subverting the trust architecture of Windows, in many cases, is also likely to subvert the efficacy of security products."
Graeber found the Windows digital signature checks could be fooled by modifying one of two registry values. One would return "the same Microsoft certificate for any executable file, whether it has an embedded Authenticode signature or not," while the other would allow a file that had a legitimate Authenticode certificate embedded in it to pass verification, even if there was a hash mismatch -- because the certificate was taken from other valid code.
Bypassing the Windows digital signature
Matt Graebersecurity researcher for SpecterOps
In the demonstration, Graeber used a system where only Microsoft signed code was whitelisted. By changing the values of those registry keys, he could make the Windows digital signature check show as valid for Hello World code, as long as there was a Microsoft certificate embedded in it.
"I can be whoever I want to be by flipping those two registry values," Graeber told the DerbyCon crowd. He admitted he had admin rights, but said that doesn't diminish the risk. "I can be Microsoft or Google, or anyone on this compromised system, but I didn't drop any malicious code to achieve this attack by modifying registry values. I can do that remotely, so it's not going to be that hard to get admin privileges."
Graeber said this Windows digital signature check and Device Guard bypass will likely also bypass other application-whitelisting solutions, and it ultimately "breaks the concept of trust."
Rather than leaving Windows trust only to signature validation, Graeber suggested taking a more holistic approach and using other methods to "establish multiple data points" when validating trust, including the use of online reputation services. He also said these types of attacks are pretty easy to detect and noted that he had made a tool that could scan for the registry value changes at scale.
"I want to try to inspire people here, especially if you're new to infosec," Graeber said. "I know we have a lot of veterans here. I'm standing in front of a lot of my heroes and mentors as I speak, so that's extremely humbling. I don't consider myself an L337 researcher; I'm just like everybody else, but there's a particular approach I take to security research that I think is ultimately very approachable."