Tracking a stolen code-signing certificate with osquery
Common Information
Type Value
UUID e9c9ede1-a878-44d0-a976-56a21bf88a98
Fingerprint 191ccbf69d7a3632
Analysis status DONE
Considered CTI value 0
Text language
Published Oct. 10, 2017, 8:53 a.m.
Added to db Feb. 17, 2023, 9:09 p.m.
Last updated Nov. 18, 2024, 1:38 a.m.
Headline Trail of Bits Blog
Title Tracking a stolen code-signing certificate with osquery
Detected Hints/Tags/Attributes 34/1/10
Attributes
Type #Events CTI Value
Domain 16 process.pid
File 1 authenticode.cpp
File 99 c:\windows\explorer.exe
File 1 c:\windows\system32\sihost.exe
File 33 c:\windows\system32\notepad.exe
File 1209 powershell.exe
File 20 c:\windows\system32\conhost.exe
File 1 c:\windows\osqueryi.exe
md5 1 4b48b27c8224fe37b17a6a2ed7a81c9f
md5 1 52b6a81474e8048920f1909e454d7fc0