Tracking a stolen code-signing certificate with osquery Logo

Tracking a stolen code-signing certificate with osquery

Detect signed malware and track stolen code-signing certificates using osquery.

Security Operations
Free
Visit website
0

Tracking a stolen code-signing certificate with osquery Description

Recently, 2.27 million computers running Windows were infected with malware signed with a stolen certificate from the creators of a popular app called CCleaner, and inserted into its software update mechanism. Fortunately, signed malware is now simple to detect with osquery thanks to a pull request submitted by our colleague Alessandro Gario that adds Windows executable code signature verification (also known as Authenticode). This post explains the importance of code signatures in incident response, and demonstrates a use case for this new osquery feature by using it to detect the recent CCleaner malware. If you are unfamiliar with osquery, take a moment to read our previous blog post in which we explain why we are osquery evangelists, and how we extended it to run on the Windows platform. Part of osquery’s appeal is its flexibility and open-source model – if there’s another feature you need built, let us know! Code-signed malware Code signing was intended to be an effective deterrent against maliciously modified executables, and to allow a user (or platform owner) to choose whether to run executables from untrusted sources. Unfortunately, on general-purpose computing platforms like Windows, third-party software vendors are individually responsible for protecting thei

FEATURED

Proton Pass Logo
Proton Pass

Password manager with end-to-end encryption and identity protection features

NordVPN Logo
NordVPN

VPN service providing encrypted internet connections and privacy protection

Mandos Fractional CISO Services Logo
Mandos Fractional CISO Services

Fractional CISO services for B2B companies to accelerate sales and compliance

Stay Updated with Mandos Brief

Get the latest cybersecurity updates in your inbox

TRENDING CATEGORIES

Digital Forensics and Incident Response
Digital Forensics and Incident Response (DFIR) tools for digital forensic analysis, evidence collection, malware analysis, and cyber incident investigation.
494
Offensive Security
Offensive security tools for penetration testing, red team exercises, exploit development, and ethical hacking activities.
454
Honeypots & Deception
Honeypots and cyber deception solution that simulate vulnerable systems to detect, divert, and analyze attacker activities in real time.
191
Threat Intelligence Platforms
TIP for collecting, analyzing, and sharing cyber threat data, indicators of compromise (IOCs), and threat feeds.
161
Guides
Comprehensive cybersecurity guides, best practices documentation, and implementation tutorials for security professionals.
101
View All Categories →

POPULAR

RoboShadow Logo
RoboShadow

Automated vulnerability assessment and remediation platform

10
TestSavantAI Logo
TestSavantAI

Security platform that provides protection, monitoring and governance for enterprise generative AI applications and LLMs against various threats including prompt injection and data poisoning.

5
Cybersec Feeds Logo
Cybersec Feeds

A threat intelligence aggregation service that consolidates and summarizes security updates from multiple sources to provide comprehensive cybersecurity situational awareness.

5
Fabric Platform by BlackStork Logo
Fabric Platform by BlackStork

Fabric Platform is a cybersecurity reporting solution that automates and standardizes report generation, offering a private-cloud platform, open-source tools, and community-supported templates.

5
Mandos Brief Newsletter Logo
Mandos Brief Newsletter

A weekly newsletter providing cybersecurity leadership insights, industry updates, and strategic guidance for security professionals advancing to management positions.

5
View Popular Tools →