Closed Ana06 closed 1 week ago
It may also be possible to validate the signature of RegCool using signtool, but I am not sure how. Can someone help here? @mandiant/vms

I am also not sure which package we need to install to ensure `signtool.exe` is installed. It is not installed in my VM before installing FLARE-VM, but it is there after. :female_detective:

It seems `vcbuildtools.vm` installs it. We could require `vcbuildtools.vm` as a dependency in the packages using this function and access the tool with:

```powershell
# Pick the newest signtool.exe shipped with the Windows Kits and verify the file's Authenticode signature
# (/pa = default Authenticode policy, /all = check every signature, /tw = warn if not timestamped, /q = quiet)
$signtoolPath = (Get-ChildItem -Path "C:\Program Files*\Windows Kits\10\bin\*\x86\signtool.exe" | Select-Object -Last 1).FullName
& $signtoolPath verify /pa /all /tw /q $filePath
```
Details

The current implementation of `VM-Assert-Signature` uses the `Get-AuthenticodeSignature` status. Reading Microsoft documentation, I understand that this only checks that the file has a syntactically valid signature. I think we should instead verify the signing authority, for example using `signtool.exe`:

This works well for Google Chrome, Sysinternals and Metasploit, but not for RegCool. I suggest using hashes again in RegCool. Should we also replace it in the configuration by total-registry to avoid updates breaking the tool and leaving FLARE-VM without a registry tool?
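An added example, not FLARE-VM's own `VM-Assert-Signature` and not code from this thread, of the check the issue asks for: a signature assertion that pins the signer subject on top of the `Get-AuthenticodeSignature` status, cross-checks with `signtool verify /pa` when `vcbuildtools.vm` has installed it, and a pinned-hash fallback of the kind suggested for RegCool. The function names, the sample paths, the expected subject and the hash placeholder are assumptions.

```powershell
# Added example (not FLARE-VM's VM-Assert-Signature): verify an installer's Authenticode
# signature against an expected signer, optionally cross-check with signtool.exe, and
# fall back to a pinned SHA256 hash for tools whose signature cannot be validated.
function Assert-TrustedSignature {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        # Substring expected in the signing certificate subject, e.g. 'Google LLC' (assumed value)
        [Parameter(Mandatory)] [string] $ExpectedSubject
    )
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if ($sig.Status -ne 'Valid') {
        throw "Signature status for '$FilePath' is '$($sig.Status)': $($sig.StatusMessage)"
    }
    # A 'Valid' status says nothing about WHO signed the file, so pin the signer subject too.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSubject*") {
        throw "Unexpected signer for '$FilePath': $subject"
    }
    # Cross-check with signtool (installed by vcbuildtools.vm) when it is present:
    # /pa = default Authenticode policy, /all = every signature, /tw = warn if not timestamped.
    $signtool = Get-ChildItem -Path "C:\Program Files*\Windows Kits\10\bin\*\x86\signtool.exe" -ErrorAction SilentlyContinue | Select-Object -Last 1
    if ($signtool) {
        & $signtool.FullName verify /pa /all /tw /q $FilePath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for '$FilePath' (exit $LASTEXITCODE)" }
    }
    return $subject
}

# Fallback for tools without a usable signature (the RegCool case): pin a SHA256 hash.
function Assert-PinnedHash {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [Parameter(Mandatory)] [string] $ExpectedSha256   # placeholder; take the value from the vendor's release page
    )
    $actual = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        throw "Hash mismatch for '$FilePath': expected $ExpectedSha256, got $actual"
    }
    return $actual
}

# Usage (paths, subject and hash are assumed placeholders):
# Assert-TrustedSignature -FilePath 'C:\Downloads\ChromeSetup.exe' -ExpectedSubject 'Google LLC'
# Assert-PinnedHash -FilePath 'C:\Downloads\RegCool.zip' -ExpectedSha256 '<SHA256 FROM VENDOR>'
```

Both functions throw on failure, so a package install script can call them before extracting or running the downloaded file and let the install abort on a mismatch.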