mandiant / VM-Packages

Chocolatey packages supporting the analysis environment projects FLARE-VM & Commando VM.
Apache License 2.0
147 stars, 67 forks

Improve signature verification in VM-Assert-Signature #1144

Closed Ana06 closed 1 week ago

Ana06 commented 1 month ago


The current implementation of VM-Assert-Signature uses the Get-AuthenticodeSignature status. Reading Microsoft documentation, I understand that this only checks that the file has a syntactically valid signature. I think we should instead verify the signing authority, for example using signtool.exe:

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" verify /pa /all /tw /v /d googlechromestandaloneenterprise64.msi

This works well for Google Chrome, Sysinternals and Metasploit, but not for RegCool. I suggest using hashes again in RegCool. Should we also replace it in the configuration by total-registry, to avoid that updates break the tool and leave FLARE-VM without a registry tool?

Ana06 commented 1 month ago

It may also be possible to validate the signature of RegCool using signtool, but I am not sure how. Can someone help here? @mandiant/vms

Ana06 commented 2 weeks ago

I am also not sure which package we need to install to ensure signtool.exe is installed. It is not installed in my VM before installing FLARE-VM, but it is there after. :female_detective:

Ana06 commented 2 weeks ago

It seems vcbuildtools.vm installs it. We could require vcbuildtools.vm as dependency in the packages using this function and access the tool with:

# Pick the last (newest, by directory name) signtool.exe shipped with the Windows 10 SDK
$signtoolPath = Get-ChildItem -Path "C:\Program Files*\Windows Kits\10\bin\*\x86\signtool.exe" | Select-Object -Last 1
# /pa: Authenticode policy, /all: verify every signature, /tw: warn if not timestamped, /q: quiet output
& $signtoolPath.FullName verify /pa /all /tw /q $filePath
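As an added example (not code from VM-Packages or from the issue author), the following PowerShell combines the two ideas discussed in this issue: it checks the Get-AuthenticodeSignature status and additionally pins the signer identity (certificate subject and, optionally, thumbprint), and it locates the newest signtool.exe from the Windows SDK and runs the same `verify /pa /all /tw /q` call. The function names, parameter names and the sample subject `O=Google LLC` are assumptions for illustration; the expected subject and thumbprint for a given package would have to be recorded by the package maintainer.

```powershell
# Added example, not VM-Packages code. Verifies that a file's Authenticode
# signature is valid AND that the leaf signer is the publisher we expect,
# instead of relying on the signature status alone.
function Test-SignedByExpectedPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate subject, e.g. 'O=Google LLC'
        # (assumed value for illustration; record the real subject per package).
        [Parameter(Mandatory)] [string] $ExpectedSubject,
        # Optional SHA-1 thumbprint of the leaf signer certificate for a stricter pin.
        [string] $ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "${Path}: signature status is $($sig.Status)"
        return $false
    }
    $cert = $sig.SignerCertificate
    if ($cert.Subject -notlike "*$ExpectedSubject*") {
        Write-Warning "${Path}: unexpected signer subject '$($cert.Subject)'"
        return $false
    }
    if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        Write-Warning "${Path}: signer thumbprint $($cert.Thumbprint) does not match the pin"
        return $false
    }
    return $true
}

# Locates signtool.exe (shipped with the Windows SDK; the issue notes that
# vcbuildtools.vm installs it), picks the newest SDK version by parsing the
# version directory name, and runs a chain-building verification under the
# Authenticode policy (/pa). Returns $true only when signtool exits with 0.
function Test-SigntoolVerify {
    param([Parameter(Mandatory)] [string] $Path)
    $signtool = Get-ChildItem -Path "C:\Program Files*\Windows Kits\10\bin\*\x86\signtool.exe" -ErrorAction SilentlyContinue |
        Sort-Object { [version] $_.Directory.Parent.Name } |
        Select-Object -Last 1
    if (-not $signtool) {
        Write-Warning 'signtool.exe not found; install the Windows SDK (for example via vcbuildtools.vm)'
        return $false
    }
    # /pa: Authenticode policy, /all: every signature, /tw: warn if untimestamped, /q: quiet
    & $signtool.FullName verify /pa /all /tw /q $Path | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Usage (paths and subject are placeholders):
# $file = 'C:\ProgramData\chocolatey\lib\<package>\tools\installer.msi'
# $ok = (Test-SignedByExpectedPublisher -Path $file -ExpectedSubject 'O=Google LLC') -and (Test-SigntoolVerify -Path $file)
# if (-not $ok) { throw "Signature check failed for $file" }
```

Requiring both checks to pass gives a package a clear failure when a download is unsigned, signed by a different publisher, or not trusted by the VM's certificate store, which is the case this issue is trying to distinguish from a merely well-formed signature.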