Repository of software certificates for easy software blocking (or allowing) across corporate environments, for example using MDE IOCs, AppLocker, WDAC or an Intune remediation script.
WDAC is the preferred and best method for blocking executables, but it can be a monster to tackle and maintain, with the possibility of bricking a machine; if you intend to roll out WDAC I recommend checking this out before doing so.
App Ref: https://appwiki.checkpoint.com/appwikisdb/public.htm or https://getintopc.com/all-software-categories/
Of course there are ways around cert blocking (e.g. the ImageRemoveCertificate API, SignTool, waiting for the certificate thumbprint to rotate, SigThief, delcert - more opportunities for detection😉). See Testing Manipulated Executables.
Useful reference for programs people install on a fresh desktop: https://ninite.com/ (also worth blocking Ninite's cert).
Note that certificate thumbprints rotate as certificates are rolled, so this is NOT the best way to block applications; WDAC is the preferred method, see the earlier note on WDAC. After you block a certificate, ensure you also block any URLs the user may grab the executable from, so a build signed with a rolled certificate cannot be fetched from there.
Download the repo by hitting the "Code" button, then "Download ZIP".
Unzip the downloaded folder.
From Defender navigate to Settings > Endpoints > Indicators, then the "Certificates" tab on the right of the sub menu.
Then hit "Add item" next to the plus.
Browse for the certificate from the unzipped folder, then fill in the title and description.
Hit Next. The default mode is "Allow", so change this to "Block and Remediate" and then hit Next.
Set the scope of the block, then hit "Next" and then "Finish".
Looking to automate this process with Python, but for now see below.
Right-click on the exe and select Properties:
Click Details, then View Certificate:
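As an added example (not the repository's own code, and separate from the planned Python automation), the manual export above can be scripted in PowerShell; $ExePath and $OutDir are assumed caller inputs, and the .cer file name built from the signer's CN and thumbprint is a naming choice of this example:

```powershell
# Export the Authenticode signer certificate of an executable to a DER .cer
# that can be uploaded as an MDE certificate indicator, and record the
# thumbprint so rotation (same Subject, new Thumbprint) shows up on a later run.
param(
    [Parameter(Mandatory)][string]$ExePath,   # assumed input: path to the exe
    [string]$OutDir = "."                     # assumed input: where to write the .cer
)

$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
    Write-Warning "$ExePath is not Authenticode signed; use a hash indicator instead."
    return
}
# Anything other than Valid (HashMismatch, NotTrusted, ...) means the file does not
# carry a clean signature from this signer, e.g. a tampered or re-signed binary.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status for $ExePath is $($sig.Status)"
}

$cert = $sig.SignerCertificate
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
# Signer CN, with characters that are invalid in a file name replaced.
$cn = $cert.GetNameInfo($simpleName, $false) -replace '[\\/:*?"<>|]', '_'
$cerPath = Join-Path $OutDir "$cn-$($cert.Thumbprint).cer"

# X509ContentType.Cert gives the DER-encoded certificate only (no private key).
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $der)

# Summary row for an inventory CSV; diff Thumbprint per Signer between runs
# to catch the thumbprint rotation noted above.
[pscustomobject]@{
    File       = Split-Path $ExePath -Leaf
    Signer     = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    Status     = $sig.Status
    Exported   = $cerPath
}
```

Run it once per executable (or in a loop over a folder) and pipe the output to Export-Csv to keep the thumbprint history alongside the exported .cer files.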
Monitor Blocks - Sentinel + DeviceFileCertificateInfo Table:
DeviceEvents
| where (ActionType == "SmartScreenUrlWarning" and AdditionalFields.Experience == "CustomBlockList") or (AdditionalFields.ThreatName contains "EUS:Win32/Custom" and ActionType == "AntivirusDetection") or (AdditionalFields.ResponseCategory == "CustomBlockList" and ActionType == "ExploitGuardNetworkProtectionBlocked")
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| extend VT_hash = iff(isnotempty(SHA1), strcat(@"https://www.virustotal.com/gui/file/", SHA1), SHA1)
| extend VT_domain = iff(isnotempty(RemoteUrl), strcat(@"https://www.virustotal.com/gui/domain/", RemoteUrl), RemoteUrl)
| summarize by FileName, RemoteUrl, DeviceName, Signer, InitiatingProcessAccountName, InitiatingProcessFileName, SHA1, VT_hash, VT_domain
Note you cannot use DeviceNetworkEvents for this because of how MDE performs the TCP handshake.
If you don't ingest DeviceFileCertificateInfo into Sentinel you can use Advanced Hunting instead:
DeviceEvents
| where (ActionType == "SmartScreenUrlWarning" and todynamic(AdditionalFields).Experience == "CustomBlockList") or (todynamic(AdditionalFields).ThreatName contains "EUS:Win32/Custom" and ActionType == "AntivirusDetection") or (todynamic(AdditionalFields).ResponseCategory == "CustomBlockList" and ActionType == "ExploitGuardNetworkProtectionBlocked")
| extend VT_hash = iff(isnotempty(SHA1), strcat(@"https://www.virustotal.com/gui/file/", SHA1), SHA1)
| extend VT_domain = iff(isnotempty(RemoteUrl), strcat(@"https://www.virustotal.com/gui/domain/", RemoteUrl), RemoteUrl)
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| summarize by FileName, RemoteUrl, DeviceName, Signer, InitiatingProcessAccountName, InitiatingProcessFileName, SHA1, VT_hash, VT_domain
Find Unusual Software Certificates:
DeviceFileCertificateInfo
| join DeviceFileEvents on SHA1
//| extend VT_hash = iff(isnotempty(SHA1), strcat(@"https://www.virustotal.com/gui/file/", SHA1), SHA1)
| summarize count() by Signer //FileName, SHA1, Issuer, FileOriginUrl
| where Signer !contains "Google "
| where not(Signer has_any("Intel","fortinet",".net","citrix","microsoft","HP Inc.","adobe","cisco","Avaya Inc.","Zoom Video Communications, Inc.","zscaler","oracle","Advanced Micro Devices Inc.","Lenovo","Hewlett-Packard Company","RingCentral","Symantec","Mozilla","Dell Technologies Inc."))
| order by count_
As of 13/03/2023, certificates cannot be uploaded in bulk. Domains, URLs and hashes can, but note there is a limit of 500 entries per bulk upload, so the current typosquat lists will not work as they are too large:
Also note that all block lists will merge with MDA unsanctioned apps, so there is no need to deduplicate manually.
Find the CSV of interest in the Bulk-IOC-CSVs folder (after checking for business impact with a KQL query) and click Download.
Note that the Raw button will take you to the raw table; it is the URL of this that you need to ingest into KQL, see example.
From Defender, go to Settings on the bottom left:
Indicators, then Import - note it doesn't matter whether you are in the File Hash, Domain, IP or Cert tab:
Choose the file you downloaded in the first step, then hit Import and then Done - note that duplicates are skipped, so you can keep adding to the existing CSV:
Work In Progress
https://github.com/jkerai1/SoftwareCertificates/tree/main/Manipulated%20Exes%20For%20Testing
See also: a good article on abusing code signing certs.
Make sure users cannot override the SmartScreen setting in Windows Settings - it lives under App & Browser Control.
Unticking SmartScreen for Edge allows access to the URLs in the custom IOCs because they share the same service (this can be seen in the KQL also).
Some 3rd-party browsers can walk past URL blocks, SeaMonkey for example.
https://github.com/jkerai1/SoftwareCertificates/blob/main/Bulk-IOC-CSVs/MDA
https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs/Intune
Block TypoSquats in MDE/TABL
Block Malicious Sites from JoeSandbox in MDE/TABL
Block Suspicious TLDs in TenantAllowBlockList