Open wikijm opened 7 months ago
Hi,
Would it be possible to add a 'Name of signer' value?
For example, taking the case of AnyDesk as described in the article https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/, all files signed with 'Name of signer' = 'philandro Software GmbH' must be considered potentially signed with a compromised code signing certificate.
This way, we can consider initiating threat hunting based on that value, and create block/auto-quarantine rules based on it.
Thanks!
Regards, WikiJM

Hi,
Thanks for opening the issue. Initially I planned to only include serial numbers and thumbprints; would the additional field "name of signer" give more information or allow you to find things that are not possible now, or would it be mostly for convenience?
Thanks

Hi Riccardo,
Thanks for your answer.
I'm looking at different EDR solutions, and I see that you can hunt files and processes based on publisher name with SentinelOne: https://github.com/acquiredsecurity/Sentinel-One-STAR-Rules-Threat-Hunts/blob/c3e62012f500e279ad84a07e6451f32143771abe/STAR/Malware%3AHermetic%20Wiper#L7
My idea is to regularly check your repo, as I'm doing for LOLBINs and LOLDrivers, then hunt for potentially dangerous activity on my infrastructure and related assets.

Hi,
I don't have access to an S1 tenant myself so I won't be able to test this, but perhaps you could check if the data model allows querying certificates using other fields like serial number or thumbprint? I couldn't find much online, but in case that's not available we can possibly include that field as well.

I can confirm that today there is no way to hunt with the other fields you're referring to, sadly.
It is not something your project aims to handle, but most of the time the publisher name seen on the certificate matches the name of the editor in Apps and Features on Windows, or similar on macOS. My assumption is that we can then use this info to track apps that are signed/provided by a compromised/suspicious editor, which can be nice 😃
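The matching this thread discusses (an exact serial-number or thumbprint hit versus a 'Name of signer' hit), as an added Python example that is not code from this project or from any of the commenters. The compromised-certificate list, the serial and thumbprint values and the file records are constructed placeholders; only the signer name is the one the thread uses.

```python
# Added example (not the project's own code): rank code-signing data seen on
# files against a list of compromised certificates. Serial/thumbprint values
# and file records below are constructed placeholders, not real data.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CompromisedCert:
    signer: str       # subject name shown by Windows as "Name of signer"
    serial: str       # hex serial number of the leaked certificate
    thumbprint: str   # SHA-1 hex of the leaked certificate


def norm(value: Optional[str]) -> str:
    """Normalise hex fields: drop separators, lower-case."""
    return (value or "").replace(":", "").replace(" ", "").lower()


# Constructed list entry; only the company name comes from the thread.
COMPROMISED = [CompromisedCert("philandro Software GmbH", "0a1b2c3d4e5f", "ab" * 20)]


def classify_signature(signer: str, serial: str, thumbprint: str) -> tuple[str, Optional[CompromisedCert]]:
    """Return (confidence, matched_entry).

    "high":   serial or thumbprint matches, i.e. the leaked key material signed this file.
    "signer": only the signer name matches; the file may carry a different, still valid
              certificate of the same publisher, or any certificate whose subject merely
              claims that name. A hunting lead, not proof of compromise.
    "none":   no overlap with the list.
    """
    for entry in COMPROMISED:
        if norm(serial) == norm(entry.serial) or norm(thumbprint) == norm(entry.thumbprint):
            return "high", entry
    for entry in COMPROMISED:
        if signer.strip().casefold() == entry.signer.casefold():
            return "signer", entry
    return "none", None


# Constructed records in the shape an EDR or Get-AuthenticodeSignature export might give.
SAMPLE_FILES = [
    {"path": "C:\\Tools\\a.exe", "signer": "philandro Software GmbH", "serial": "0A:1B:2C:3D:4E:5F", "thumbprint": "AB" * 20},
    {"path": "C:\\Tools\\b.exe", "signer": "philandro Software GmbH", "serial": "ffffffffffff", "thumbprint": "cd" * 20},
    {"path": "C:\\Tools\\c.exe", "signer": "Other Vendor Ltd", "serial": "123456", "thumbprint": "ef" * 20},
]


def hunt(files=SAMPLE_FILES) -> dict[str, str]:
    """Map each file path to its confidence tier, so exact hits can be blocked and name-only hits reviewed."""
    return {f["path"]: classify_signature(f["signer"], f["serial"], f["thumbprint"])[0] for f in files}
```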