Improve VM-Assert-Signature & restore hash installation for RegCool #1157

Merged: 2 commits, Nov 14, 2024

Conversation

@Ana06 Ana06 (Member) commented Nov 6, 2024

The current implementation of VM-Assert-Signature uses Get-AuthenticodeSignature status, which only checks that the file has a syntactically valid signature. Verify the signing authority using signtool.exe.

This new signature verification using signtool.exe does not work for RegCool. Restore the previous installation checking the SHA256. As the tool is using a URL that does not include the version, the hash will change with every update, breaking the package. If the package is updated often, we will need to remove it from the default configuration (replacing it with total-registry) or research whether it is possible to use signtool.exe to verify the package. I suggest we discuss this outside this PR.

Note that the current regcool.vm package implementation being replaced in this PR had an important bug: VM-Assert-Signature was not called at all, as Get-ChildItem -Path "$toolDir\*.{exe,dll}" does not match any file.

Closes #1144
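The three points in the description, as an added PowerShell example that is not FLARE-VM's own code: the `Get-ChildItem` glob that matches nothing, a signature check that verifies the signing authority with `signtool.exe` rather than stopping at the Authenticode status, and the SHA256 pin used as the fallback for RegCool. The tool directory, the signer name `Example Publisher` and the assumption that `signtool.exe` (Windows SDK) is on PATH are hypothetical.

```powershell
# Added example, not FLARE-VM's own code. Hypothetical: $toolDir, the expected
# signer 'Example Publisher', and signtool.exe being reachable on PATH.

function Get-ToolBinaries {
    param([Parameter(Mandatory)][string]$ToolDir)
    # PowerShell wildcards have no brace expansion: "$ToolDir\*.{exe,dll}" is a
    # literal pattern that matches no file, so every binary is silently skipped
    # and the assertion never runs. Filter on the extension instead.
    Get-ChildItem -Path $ToolDir -File -Recurse |
        Where-Object { $_.Extension -in '.exe', '.dll' }
}

function Assert-Signature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSigner,
        # Assumed to be on PATH; it ships with the Windows SDK.
        [string]$SignTool = 'signtool.exe'
    )
    # Step 1: Authenticode status. 'Valid' means the signature parses and chains
    # to a trusted root; it says nothing about *who* signed the file.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "$Path : Authenticode status is '$($sig.Status)'"
    }

    # Step 2: signing authority. `signtool verify /pa /v` prints the signing
    # certificate chain, leaf first, as 'Issued to: <subject>' lines.
    $output = & $SignTool verify /pa /v $Path
    if ($LASTEXITCODE -ne 0) {
        throw "$Path : signtool verify failed with exit code $LASTEXITCODE"
    }
    $issuedTo = @($output |
        Select-String -Pattern '^\s*Issued to:\s*(.+?)\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value })
    # Compare the leaf (first) subject, not just "somewhere in the chain".
    if ($issuedTo.Count -eq 0 -or $issuedTo[0] -ne $ExpectedSigner) {
        throw "$Path : signed by '$($issuedTo -join ' <- ')', expected leaf '$ExpectedSigner'"
    }
}

function Assert-FileHash {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Fallback when signtool cannot verify the publisher: pin the SHA256.
    # With an unversioned download URL this breaks on every upstream release,
    # which is the RegCool trade-off described above.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "$Path : SHA256 $actual does not match expected $ExpectedSha256"
    }
}

# Usage (hypothetical directory and signer).
$toolDir = 'C:\Tools\example'
if (Test-Path $toolDir) {
    Get-ToolBinaries -ToolDir $toolDir | ForEach-Object {
        Assert-Signature -Path $_.FullName -ExpectedSigner 'Example Publisher'
    }
}
```

`Assert-Signature` throws on the first failing file, so a package install script that calls it inside a `ForEach-Object` aborts before the tool is exposed on the VM; `Assert-FileHash` is the per-release pin to reach for only when the publisher's signature cannot be verified with `signtool.exe`.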

@Ana06 Ana06 added the 💎 enhancement It is working, but it could be better label Nov 6, 2024
@Ana06 Ana06 requested a review from emtuls November 6, 2024 11:48
@Ana06 Ana06 self-assigned this Nov 6, 2024
Ana06 added 2 commits November 6, 2024 13:09
The current implementation of `VM-Assert-Signature` uses
`Get-AuthenticodeSignature` status, which only checks that the file has a
syntactically valid signature. Verify the signing
authority using `signtool.exe`.

The new signature verification in `VM-Assert-Signature` using
`signtool.exe` does not work for RegCool. Restore the previous
installation checking the SHA256. As the tool is using a URL that does
not include the version, the hash will change with every update,
breaking the package. If the package is updated often, we will need to
remove it from the default configuration (replacing it with total-registry)
or research whether it is possible to use `signtool.exe` to verify the
package.

Note that the previous package implementation being replaced here had an
important bug: `VM-Assert-Signature` was not called at all, as
`Get-ChildItem -Path "$toolDir\*.{exe,dll}"` does not match any file.
@emtuls emtuls (Member) left a comment


Awesome. Looks good! Thank you @Ana06 !

@Ana06 Ana06 merged commit 3346f91 into mandiant:main Nov 14, 2024
4 checks passed
Development

Linked issue closed by this pull request: Improve signature verification in VM-Assert-Signature