Skip to content
Binaries, PowerShell scripts and information about Digital Signature Hijacking.
Branch: master
Clone or download
Latest commit ae97678 Nov 7, 2017
Type Name Latest commit message Commit time
Failed to load latest commit information.
Hijack-Certificates Update Nov 6, 2017
Metadata Update Nov 7, 2017
Signature-Validation Update Nov 6, 2017
DigitalSignature-Hijack.ps1 Update DigitalSignature-Hijack.ps1 Nov 6, 2017

Digital Signature Hijack

Hijacking legitimate digital signatures is a technique that can be used during red team assessments in order to sign PowerShell code and binaries. This could assist to bypass Device Guard restrictions and maintain stealthy in an engagement. DigitalSignatureHijack is a PowerShell script based on Matt Graeber research that can perform the following operations:

  • Digitally sign all portable executables on the host as Microsoft
  • Digitally sign all powershell scripts on the host as Microsoft
  • Validate the digital signature for all portable executables
  • Validate the digital signature for all powershell scripts

This is achieved by hijacking the registry and adding the necessary values and by utilizing the custom SIP dll file that Matt Graeber developed. Users need to modify the path of MySIP.dll to their local path.


Signing Portable Executables


Signature Validation


Signing PowerShell Scripts


Signature Validation




  • The purpose of this repository is to store compiled DLL's, binaries, scripts and to centralize existing information about digital signature hijacking. All the credits are going to the original authors of these tools.
  • The binaries and the DLL which are stored in this repository have not been modified from their original state and they are totally safe. However if for any reason you don't trust this repository the original repositories which contain the source code of these tools are provided in order to compile them by yourself.


You can’t perform that action at this time.