Security

Want to get around app whitelists by pretending to be Microsoft? Of course you can...

...And here's how


DerbyCon A sprinkle of code and an understanding of the Windows digital certificate process is all that's needed for a miscreant to sneak malware past Microsoft's application whitelist within a corporate environment.

In a keynote address at the DerbyCon hacking conference in Kentucky, USA, on Friday, Matt Graeber, a security researcher with SpecterOps, detailed how he managed to disguise and run a banned software nasty as a legit whitelisted app, and thus bypass Redmond's security mechanisms.

Usually anyone trying to fool Microsoft's defenses in this way, via PowerShell, will be caught by the signature checks behind the Get-AuthenticodeSignature cmdlet. However, according to Graeber, that cmdlet ultimately relies on CryptSIPVerifyIndirectData, a Subject Interface Package (SIP) function that Windows locates through a registry entry, and with the right tweaks to that plumbing it can be made to green-light malicious applications carrying a counterfeit signature. All you need are some coding tools and, oh yeah, admin privileges on the target computer, we're told.

“By fooling PowerShell signature checking I could validate myself as anyone,” Graeber said. “I am Microsoft at this point. I can be Google, I can be anyone I want to be. I can do this remotely and it's not hard to get admin privileges.”

Graeber said that he has since verified that malware using bogus signatures to masquerade as whitelisted programs can be validated and run within non-PowerShell environments on Windows, too. He has detailed the whitelist bypass technique in this here white paper [PDF] if you want all the techie details. ®
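Defenders can turn the mechanism described above into a check. The script below is an added example, not code from the article or from Graeber's paper: it walks the registry locations Windows consults to find the DLL and function behind each SIP entry point (CryptSIPVerifyIndirectData among them) and each WinVerifyTrust provider step, and flags any registration that names a DLL outside the expected set, outside the system directory, missing on disk, or not carrying a valid Microsoft signature. The list in $ExpectedDlls is an assumption based on a stock Windows 10 image; extend it for your own builds, and treat a hit as something to review rather than proof of compromise.

```powershell
#Requires -RunAsAdministrator
# Added audit example (not from the article or Graeber's paper).
# Each SIP function and each trust-provider step is resolved through a {GUID}
# subkey holding a DLL name and an exported function. A hijack of the kind
# described above points one of those pairs at code that always answers
# "valid", so an entry naming an unexpected DLL is the first thing to look for.
# $ExpectedDlls is an assumption drawn from a stock Windows 10 image.
$ExpectedDlls = @('wintrust.dll', 'mssip32.dll', 'pwrshsip.dll', 'wshext.dll',
                  'msisip.dll', 'appxsip.dll')

$SipRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0'
)
# SIP entry points that take part in signature validation.
$SipFunctions = @('CryptSIPDllVerifyIndirectData', 'CryptSIPDllGetSignedDataMsg',
                  'CryptSIPDllCreateIndirectData', 'CryptSIPDllIsMyFileType2')

$TrustRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Providers\Trust',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust'
)
$TrustSteps = @('Initialization', 'Message', 'Signature', 'Certificate',
                'CertCheck', 'FinalPolicy', 'Cleanup')

function Resolve-ProviderDll {
    param([string]$Dll, [bool]$Wow64)
    # Bare names load from the matching system directory; rooted paths are used as given.
    $expanded = [Environment]::ExpandEnvironmentVariables($Dll)
    if ([IO.Path]::IsPathRooted($expanded)) { return $expanded }
    $dir = if ($Wow64) { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }
    return Join-Path $dir $expanded
}

function Test-ProviderEntry {
    param([string]$Key, [string]$Dll, [string]$Function, [bool]$Wow64)
    $findings = @()
    $path = $null
    if (-not $Dll) {
        $findings += 'no DLL value'
    } else {
        $path   = Resolve-ProviderDll -Dll $Dll -Wow64 $Wow64
        $name   = [IO.Path]::GetFileName($path).ToLowerInvariant()
        $sysdir = if ($Wow64) { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }
        if ($ExpectedDlls -notcontains $name) { $findings += "unexpected DLL '$name'" }
        if (-not $path.StartsWith($sysdir, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "DLL outside $sysdir"
        }
        if (-not (Test-Path -LiteralPath $path)) {
            $findings += 'DLL missing on disk'
        } else {
            # Secondary signal only: on a host whose SIP is already hijacked,
            # Get-AuthenticodeSignature runs through the very code being audited.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid' -or
                $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $findings += "signature check: $($sig.Status)"
            }
        }
    }
    [pscustomobject]@{
        Key      = $Key -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
        Dll      = $Dll
        Function = $Function
        Resolved = $path
        Findings = ($findings -join '; ')
    }
}

$results = [System.Collections.Generic.List[object]]::new()

foreach ($root in $SipRoots) {
    $wow = $root -like '*WOW6432Node*'
    foreach ($fn in $SipFunctions) {
        $base = Join-Path $root $fn
        if (-not (Test-Path -LiteralPath $base)) { continue }
        foreach ($guidKey in Get-ChildItem -LiteralPath $base) {
            $p = Get-ItemProperty -LiteralPath $guidKey.PSPath
            $results.Add((Test-ProviderEntry -Key $guidKey.PSPath -Dll $p.Dll `
                                             -Function $p.FuncName -Wow64 $wow))
        }
    }
}

foreach ($root in $TrustRoots) {
    $wow = $root -like '*WOW6432Node*'
    foreach ($step in $TrustSteps) {
        $base = Join-Path $root $step
        if (-not (Test-Path -LiteralPath $base)) { continue }
        foreach ($guidKey in Get-ChildItem -LiteralPath $base) {
            $p = Get-ItemProperty -LiteralPath $guidKey.PSPath
            # Trust-provider values are literally named "$DLL" and "$Function".
            $results.Add((Test-ProviderEntry -Key $guidKey.PSPath -Dll $p.'$DLL' `
                                             -Function $p.'$Function' -Wow64 $wow))
        }
    }
}

"Checked $($results.Count) SIP/trust-provider registrations."
$results | Where-Object { $_.Findings } | Format-Table Key, Dll, Function, Findings -AutoSize
```

Run it from an elevated PowerShell prompt and compare the output with a clean reference build of the same Windows version. The name and path checks are the ones to trust on a suspect host; the Authenticode check is included because it is cheap, but as the article makes clear it is exactly the control an attacker with admin rights has just subverted, so a "Valid" there proves little on its own.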

PS: There are other ways, of course, to run rogue programs you're not supposed to on Windows.
