trailofbits / pegoat

A collection of Windows binary builds containing different security mitigations
Apache License 2.0

Create a goat PE that signs with a certificate missing the code signing EKU #9

Open woodruffw opened 1 year ago

woodruffw commented 1 year ago

Specifically, it should have the following CA chain:

CA (codeSigning:TRUE) -> EE (codeSigning:FALSE)

This should be rejected by conforming Authenticode implementations.

woodruffw commented 1 year ago

(The script that generates this should probably look pretty close to the existing sign.ps1 script, but with a CA hierarchy instead of a direct cert.)
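An added sketch of the certificate hierarchy described in this issue, with a chain check against the code-signing policy. It is not part of the thread and not pegoat's own script. The subject names, store location and the `Test-CodeSigningChain` helper are assumptions, and so is the choice to give the EE an explicit EKU listing only serverAuth.

```powershell
# Added example: builds CA (codeSigning) -> EE (no codeSigning) and evaluates
# the EE against the code-signing application policy. Names are hypothetical.
$ErrorActionPreference = 'Stop'
$store   = 'Cert:\CurrentUser\My'
$codeSig = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$srvAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

# CA: basicConstraints CA=1, EKU contains codeSigning.
$ca = New-SelfSignedCertificate -Type Custom -Subject 'CN=Example Goat CA' `
    -CertStoreLocation $store -KeyUsage CertSign, CRLSign `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0',
                     "2.5.29.37={text}$codeSig")

# EE: issued by the CA. The EKU extension is present but lists only serverAuth.
# An EE with no EKU extension at all may be treated as valid for any purpose,
# so the extension is set explicitly here (assumption about the intended case).
$ee = New-SelfSignedCertificate -Type Custom -Subject 'CN=Example Goat EE' `
    -CertStoreLocation $store -Signer $ca -KeyUsage DigitalSignature `
    -TextExtension @('2.5.29.19={critical}{text}ca=0',
                     "2.5.29.37={text}$srvAuth")

function Test-CodeSigningChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Issuer
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # The test CA is not a trusted root and publishes no CRL, so relax only
    # those two checks; the EKU (application policy) check stays enforced.
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.ChainPolicy.ExtraStore.Add($Issuer)
    [void]$chain.ChainPolicy.ApplicationPolicy.Add(
        [System.Security.Cryptography.Oid]::new($codeSig))
    $valid = $chain.Build($Leaf)
    [pscustomobject]@{
        Subject = $Leaf.Subject
        Valid   = $valid
        Status  = ($chain.ChainStatus.Status -join ', ')
    }
}

Test-CodeSigningChain -Leaf $ee -Issuer $ca   # the goat case from the issue
Test-CodeSigningChain -Leaf $ca -Issuer $ca   # control: cert that has the EKU

# Remove the test certificates and keys from the user store.
Remove-Item "$store\$($ee.Thumbprint)", "$store\$($ca.Thumbprint)" -DeleteKey
```

`Remove-Item -DeleteKey` on the certificate provider requires PowerShell 4.0 or later. Signing the PE itself with `$ee` is left out, since the signing tool may refuse a certificate that lacks the code-signing EKU.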