Tracking a stolen code-signing certificate with osquery
Detect signed malware and track stolen code-signing certificates using osquery.
Tracking a stolen code-signing certificate with osquery
Detect signed malware and track stolen code-signing certificates using osquery.
Data verified May 2026
ADYour product here. Reach security decision-makers.Launch a campaignTracking a stolen code-signing certificate with osquery Description
Recently, 2.27 million computers running Windows were infected with malware signed with a stolen certificate from the creators of a popular app called CCleaner, and inserted into its software update mechanism. Fortunately, signed malware is now simple to detect with osquery thanks to a pull request submitted by our colleague Alessandro Gario that adds Windows executable code signature verification (also known as Authenticode). This post explains the importance of code signatures in incident response, and demonstrates a use case for this new osquery feature by using it to detect the recent CCleaner malware. If you are unfamiliar with osquery, take a moment to read our previous blog post in which we explain why we are osquery evangelists, and how we extended it to run on the Windows platform. Part of osquery’s appeal is its flexibility and open-source model – if there’s another feature you need built, let us know! Code-signed malware Code signing was intended to be an effective deterrent against maliciously modified executables, and to allow a user (or platform owner) to choose whether to run executables from untrusted sources. Unfortunately, on general-purpose computing platforms like Windows, third-party software vendors are individually responsible for protecting thei
Tracking a stolen code-signing certificate with osquery FAQ
Common questions about Tracking a stolen code-signing certificate with osquery including features, pricing, alternatives, and user reviews.
Tracking a stolen code-signing certificate with osquery is Detect signed malware and track stolen code-signing certificates using osquery. It is a Security Operations solution designed to help security teams with Osquery, Binary Analysis.
Tracking a stolen code-signing certificate with osquery is a free Security Operations tool. This makes it accessible for organizations of all sizes, from startups to enterprises. Visit https://blog.trailofbits.com/2017/10/10/tracking-a-stolen-code-signing-certificate-with-osquery/ for download and installation instructions.
Popular alternatives to Tracking a stolen code-signing certificate with osquery include:
1.ReversingLabs Spectra Analyze - Malware analysis platform for SOC teams with binary analysis and threat detection (Commercial)
2.Joe Sandbox DEC - Plugin that decompiles malware PE files into readable C code using hybrid analysis. (Commercial)
3.Joe Security Joe Reverser - Agentic AI tool for automated malware reverse engineering & phishing analysis. (Commercial)
4.RevEng.AI - AI-powered binary analysis platform for reverse engineering & malware analysis. (Commercial)
5.de4dot - An open source .NET deobfuscator and unpacker that restores packed and obfuscated assemblies by reversing various obfuscation techniques. (Free)
Compare these tools and more at https://cybersectools.com/categories/security-operations
Tracking a stolen code-signing certificate with osquery is for security teams and organizations that need Osquery, Binary Analysis. It's particularly suitable for small to medium-sized teams looking for cost-effective solutions. Other Security Operations tools can be found at https://cybersectools.com/categories/security-operations
Have more questions? Browse our categories or search for specific tools.
