
Adding 'Name of Signer' #3

Open
wikijm opened this issue Apr 6, 2024 · 4 comments

Comments

@wikijm

wikijm commented Apr 6, 2024

Hi,

Would it be possible to add 'Name of signer' value?

For example, by taking the case of AnyDesk as described on article https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/, all files signed with 'Name of signer' = 'philandro Software GmbH' must be considered as potentially signed with a compromised code signing certificate.

This way, we can consider initiating Threat Hunting based on that value, and create block/autoquarantine rules based on it.

Thanks!

Regards,
WikiJM

@RiccardoAncarani
Collaborator

Hi,

Thanks for opening the issue. Initially I planned to only include serial numbers and thumbprints; would the additional field "name of signer" give more information or allow you to find more things that now are not possible, or would it be mostly for convenience?

Thanks

@wikijm
Author

wikijm commented Apr 11, 2024

Hi Riccardo,

Thanks for your answer.

I'm looking at different EDR solutions, and I see that you can hunt files and processes based on Publisher name with SentinelOne:
https://github.com/acquiredsecurity/Sentinel-One-STAR-Rules-Threat-Hunts/blob/c3e62012f500e279ad84a07e6451f32143771abe/STAR/Malware%3AHermetic%20Wiper#L7

My idea is to regularly check your repo as I'm doing for LOLBINs and LOLDrivers, then hunt for potentially dangerous activity on my infrastructure and related assets.

@RiccardoAncarani
Collaborator

Hi,

I don't have access to a S1 tenant myself so won't be able to test this, but perhaps could you check if the data model allows querying certificates using other fields like serial number or thumbprint? Couldn't find too much online, but in case that's not available we can possibly include that field as well.

@wikijm
Author

wikijm commented Apr 11, 2024

I can confirm that today there is no way to hunt with other fields you're referring to, sadly.

It is not something your project aims to handle, but most of the time the publisher name seen on the certificate matches the name of the editor in Apps and Features on Windows OS or similar on macOS. My assumption is we can then use this info to track apps that are signed/provided by a compromised/suspicious editor, which can be nice 😃
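The thread turns on which certificate field a hunt should key on: serial number and thumbprint identify one specific certificate, while the signer name identifies a publisher and will also match that publisher's legitimate, renewed certificates. The script below is an added example (not code from this project or from either participant) showing how a defender-side matcher can use all three fields with different confidence levels. It assumes a watchlist with `serial`, `thumbprint` and `signer` columns and signed-file events exposing the same three fields; the watchlist rows, serial numbers, thumbprints, publisher names and file paths are all constructed for the example and are not real indicators.

```python
"""Match observed code-signing metadata against a watchlist of compromised
certificates. Serial/thumbprint hits are treated as confirmed matches of a
specific certificate; a signer-name-only hit is flagged as suspect, because the
same publisher name also appears on certificates that were never compromised.
All watchlist rows and events below are constructed sample data."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CertEntry:
    """One watchlist row (hypothetical schema): serial, SHA-1 thumbprint, signer name."""
    serial: str
    thumbprint: str
    signer: str
    note: str = ""


def normalize_hex(value: str) -> str:
    """Drop separators and whitespace and upper-case, so '0a:1b' and '0A 1B' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def normalize_serial(value: str) -> str:
    """Serials are additionally compared without leading zero bytes; tools differ on padding."""
    return normalize_hex(value).lstrip("0") or "0"


def normalize_name(value: str) -> str:
    """Collapse whitespace and ignore case for the free-text signer name."""
    return " ".join(value.split()).casefold()


# Constructed watchlist; none of these values belong to a real certificate.
WATCHLIST = [
    CertEntry("0a:1b:2c:3d:4e:5f:60:71",
              "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678",
              "Example Software GmbH", "constructed: signing key reported compromised"),
    CertEntry("00 7f 80 91 a2 b3",
              "0123456789ABCDEF0123456789ABCDEF01234567",
              "Example Tools Ltd", "constructed: certificate revoked after leak"),
]

# Constructed signed-file events, as an EDR or inventory export might present them.
OBSERVED_EVENTS = [
    {"path": r"C:\Program Files\Example\svc.exe", "serial": "0A1B2C3D4E5F6071",
     "thumbprint": "a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:12:34:56:78",
     "signer": "Example Software GmbH"},
    {"path": r"C:\Users\alice\Downloads\setup.exe", "serial": "11223344556677",
     "thumbprint": "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
     "signer": "example software gmbh"},                 # same publisher, different cert
    {"path": r"C:\Tools\helper.dll", "serial": "7F8091A2B3",  # leading zeros dropped
     "thumbprint": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
     "signer": "Other Publisher Inc"},
    {"path": r"C:\Windows\System32\notepad.exe", "serial": "99",
     "thumbprint": "0000000000000000000000000000000000000001",
     "signer": "Unrelated Vendor"},
]


def match_event(event: dict, watchlist) -> dict:
    """Return {field_name: CertEntry} for every watchlist field the event matches."""
    hits = {}
    for entry in watchlist:
        if event.get("serial") and normalize_serial(event["serial"]) == normalize_serial(entry.serial):
            hits.setdefault("serial", entry)
        if event.get("thumbprint") and normalize_hex(event["thumbprint"]) == normalize_hex(entry.thumbprint):
            hits.setdefault("thumbprint", entry)
        if event.get("signer") and normalize_name(event["signer"]) == normalize_name(entry.signer):
            hits.setdefault("signer", entry)
    return hits


def verdict_for(hits: dict) -> str:
    """Certificate-identifying fields outrank the publisher name."""
    if "serial" in hits or "thumbprint" in hits:
        return "confirmed"
    if "signer" in hits:
        return "suspect"
    return "clean"


def hunt(events, watchlist) -> list:
    """Score every event; 'fields' lists which watchlist columns matched."""
    results = []
    for ev in events:
        hits = match_event(ev, watchlist)
        results.append({
            "path": ev["path"],
            "verdict": verdict_for(hits),
            "fields": sorted(hits),
            "watchlist_signer": next(iter(hits.values())).signer if hits else None,
        })
    return results


if __name__ == "__main__":
    for r in hunt(OBSERVED_EVENTS, WATCHLIST):
        print(f"{r['verdict']:<9} {r['path']}  matched={r['fields']}")
```

The second event shows why the maintainer's question matters: a name-only hit is a lead for triage (the publisher's other binaries are worth a look), but on its own it is not proof that this file was signed with the compromised key, so a block or auto-quarantine rule is better keyed on serial or thumbprint where the EDR supports it.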
