Just got a new gadget in the lab. An EV Code Signing Certificate. The certificate is stored in a password protected USB token, effectively enforcing 2FA to sign the code. This makes it easy to identify our known good code with tools like ThreatLocker. Instead of adding countless hashes to a ThreatLocker Policy, we need only enter one certificate.
You mentioned DattoRMM components, didn't you?
Ah yes, thanks for bringing that up. When a component is run, Datto RMM takes the contents of the component, whatever you typed or pasted into the command field, and creates a file called command.ps1 with it.
I'll save you a couple hours here. I saw that the file looked to match the text pasted into the component, so I figured I would just paste the code to a ps1 file, sign it, then paste the signed code into the component. I lost HOURS trying to figure out why that wasn't working. Turns out, Datto creates the file with Byte Order Marking, so the encoding of the file is "UTF-8 with BOM", instead of just "UTF-8". This was making the hash not match, causing the signature to fail. The fix is to change the encoding of your source file to match what Datto is going to create before signing. Also note that when you sign a PS1 file, a blank line is added after the signature; it will need to be copied as well, or the file will show as not signed.
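The encoding and trailing-blank-line pitfalls above can be checked before a component ever goes into the RMM. The following PowerShell is an added example, not code from the thread or from Datto: it rewrites the source as UTF-8 with BOM, signs it with the token-backed code-signing certificate, then simulates what the RMM does by writing the signed text back out as `command.ps1` and verifying it. The source path, the `$env:TEMP` output location, the timestamp URL and the certificate lookup (newest code-signing cert with a private key in `CurrentUser\My`) are assumptions; the two "wrong" variants at the end reproduce the mistakes described in the post so you can see their status for yourself.

```powershell
# Added example: prepare a script the way Datto RMM will materialise it, sign it,
# and confirm the round trip still verifies. Paths and the timestamp URL are assumptions.
$SourcePath   = '.\MyComponent.ps1'                      # assumed: your unsigned component script
$TimestampUrl = 'http://timestamp.example.invalid'       # placeholder: use your CA's RFC 3161 timestamp URL

# 1. Pick the EV code-signing certificate. With a USB token the private key stays on the
#    token; the provider prompts for the token password when Set-AuthenticodeSignature runs.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate with a private key found in CurrentUser\My.' }

# 2. Rewrite the source as UTF-8 *with* BOM so the bytes match what Datto writes to command.ps1.
#    Out-File -Encoding utf8 emits a BOM on Windows PowerShell 5.1 but not on PowerShell 7,
#    so use the .NET encoding explicitly to get the same result on both.
$utf8Bom = New-Object System.Text.UTF8Encoding($true)
$text = [System.IO.File]::ReadAllText($SourcePath)
[System.IO.File]::WriteAllText($SourcePath, $text, $utf8Bom)

# 3. Sign. The signature block is appended as comment lines, followed by a blank line.
$sig = Set-AuthenticodeSignature -FilePath $SourcePath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.Status) $($sig.StatusMessage)" }

# 4. Simulate the RMM: take the full signed text (trailing blank line included), write it
#    as UTF-8 with BOM to command.ps1, and check the signature still verifies.
$signedText = [System.IO.File]::ReadAllText($SourcePath)
$simulated  = Join-Path $env:TEMP 'command.ps1'
[System.IO.File]::WriteAllText($simulated, $signedText, $utf8Bom)
"Round trip, BOM + trailing blank line kept : $((Get-AuthenticodeSignature $simulated).Status)"

# 5a. Mistake from the post: trailing blank line lost when pasting into the component.
[System.IO.File]::WriteAllText($simulated, $signedText.TrimEnd([char[]]"`r`n"), $utf8Bom)
"Round trip, trailing blank line removed    : $((Get-AuthenticodeSignature $simulated).Status)"

# 5b. Mistake from the post: signed as plain UTF-8 (no BOM), then materialised with a BOM.
$noBom = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllText($SourcePath, $text, $noBom)              # back to the unsigned text, no BOM
$null = Set-AuthenticodeSignature -FilePath $SourcePath -Certificate $cert -HashAlgorithm SHA256
$signedNoBom = [System.IO.File]::ReadAllText($SourcePath)
[System.IO.File]::WriteAllText($simulated, $signedNoBom, $utf8Bom)      # RMM adds the BOM
"Round trip, signed without BOM, BOM added  : $((Get-AuthenticodeSignature $simulated).Status)"

# Restore the correctly signed, BOM-encoded version for pasting into the component.
[System.IO.File]::WriteAllText($SourcePath, $signedText, $utf8Bom)
```

Only the first round trip should report `Valid`; the other two are the states the post describes as "signature fails" and "shows as not signed". Run this before every re-sign, since any edit to the component (even one character) invalidates the previous signature and the file must go through the same encode, sign, paste-with-blank-line sequence again.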
Does RMM care if the file is signed?
No, not at all. Datto sets the execution policy to Bypass when it runs a PowerShell component. The end result is, if your RMM account is breached, there isn't anything in the RMM to prevent the attacker from completely hosing your clients. However, adding a layer like ThreatLocker will prevent any code from running that isn't pre-approved. You can pre-approve by location, hash, or certificate. If you approve the location, you have opened the same door, where an attacker can do anything if your RMM is breached. However, adding hash or cert will prevent an attacker from creating or altering a component to perform malicious actions on your clients using your RMM. The problem with hashes is it's unique per component, and changes if you change a single character in the component. By signing the code, you need only enter one item into ThreatLocker. Then be sure to re-sign any code that you change or alter.