
Improve signature verification in VM-Assert-Signature #1144

Open
Ana06 opened this issue Oct 1, 2024 · 1 comment
Labels
💎 enhancement It is working, but it could be better ❔ discussion Further discussion is needed

Comments

Member

Ana06 commented Oct 1, 2024


The current implementation of VM-Assert-Signature uses the Get-AuthenticodeSignature status. Reading the Microsoft documentation, I understand that this only checks that the file has a syntactically valid signature; I think we should instead verify the signing authority, for example using signtool.exe:

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" verify /pa /all /tw /v /d googlechromestandaloneenterprise64.msi

This works well for Google Chrome, Sysinternals and Metasploit, but not for RegCool. I suggest using hashes again in RegCool. Should we also replace it in the configuration by total-registry to avoid that updates break the tool, leaving FLARE-VM without a registry tool?

@Ana06 Ana06 added this to the FLARE-VM 2024 Q4-P1 milestone Oct 1, 2024
@Ana06 Ana06 added 💎 enhancement It is working, but it could be better ❔ discussion Further discussion is needed labels Oct 1, 2024
Member Author

Ana06 commented Oct 1, 2024

It may also be possible to validate the signature of RegCool using signtool, but I am not sure how. Can someone help here? @mandiant/vms
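One way to pin the signer rather than relying on the signature status alone, written as an added example for this discussion (it is not FLARE-VM's VM-Assert-Signature code). The function name, its parameters and the sample values in the usage lines are assumptions; the check compares the signer certificate returned by Get-AuthenticodeSignature against an expected subject or thumbprint, and falls back to a SHA256 file hash for packages such as RegCool whose signature cannot be validated this way:

```powershell
# Added example, not the project's VM-Assert-Signature implementation.
# Assumed function name and parameter set.
function Assert-TrustedSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Expected Subject of the signer certificate (hypothetical value supplied by caller).
        [string] $ExpectedSubject,
        # Expected certificate thumbprint as reported by Get-AuthenticodeSignature (hex, case-insensitive).
        [string] $ExpectedThumbprint,
        # Fallback for unsigned or otherwise unverifiable packages: expected SHA256 hash of the file.
        [string] $ExpectedFileHash
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    if ($sig.Status -eq 'Valid') {
        # 'Valid' means the signature hash matches and the chain builds to a trusted root
        # on this machine; it says nothing about WHO signed, so pin the signer explicitly.
        if (-not $ExpectedSubject -and -not $ExpectedThumbprint) {
            throw "Signature status is Valid but no expected signer was supplied for $Path"
        }
        $cert = $sig.SignerCertificate
        if ($ExpectedThumbprint -and ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant())) {
            throw "Signer thumbprint mismatch for $Path`n expected: $ExpectedThumbprint`n actual:   $($cert.Thumbprint)"
        }
        if ($ExpectedSubject -and ($cert.Subject -ne $ExpectedSubject)) {
            throw "Signer subject mismatch for $Path`n expected: $ExpectedSubject`n actual:   $($cert.Subject)"
        }
        Write-Verbose "Signature OK: $Path signed by $($cert.Subject)"
        return $true
    }

    if ($ExpectedFileHash) {
        # Hash fallback (the approach suggested for RegCool in the issue above).
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedFileHash.ToUpperInvariant()) {
            throw "SHA256 mismatch for $Path`n expected: $ExpectedFileHash`n actual:   $actual"
        }
        Write-Verbose "Hash OK: $Path"
        return $true
    }

    throw "Signature status for $Path is '$($sig.Status)' ($($sig.StatusMessage)) and no hash fallback was supplied"
}

# Usage (values are placeholders, not real package identifiers):
# Assert-TrustedSignature -Path 'C:\pkg\tool.msi' -ExpectedSubject 'CN=Example Publisher, O=Example, C=US'
# Assert-TrustedSignature -Path 'C:\pkg\tool.exe' -ExpectedThumbprint 'PLACEHOLDER_THUMBPRINT'
# Assert-TrustedSignature -Path 'C:\pkg\regcool.zip' -ExpectedFileHash 'PLACEHOLDER_SHA256'
```

The expected subject or thumbprint would be recorded per package alongside the download URL, so a package only passes when both the Authenticode chain validates and the signer is the one the package was vetted against; a publisher certificate rotation then shows up as a thumbprint mismatch rather than a silent pass.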
