jkerai1/SoftwareCertificates


SoftwareCertificates

Repository of code-signing certificates for easy software blocking (or allowing) across corporate environments, for example using MDE IOCs, AppLocker or WDAC.

Caution: a certificate that signs an unsanctioned application may also sign legitimate applications from the same vendor, e.g. BlueJeans Conferencing (sanctioned) and BlueJeans Remote Desktop Control (unsanctioned). Blocking the certificate blocks both.

Please do not bulk upload these certs without checking each one; you may be impacting a user or service!

App references: https://appwiki.checkpoint.com/appwikisdb/public.htm or https://getintopc.com/all-software-categories/

Of course there are ways around certificate blocking (e.g. the ImageRemoveCertificate API, SignTool, SigThief, delcert), but each one creates more opportunities for detection 😉. See Testing Tampered Executables below.

Useful reference for programs people install on a fresh desktop: https://ninite.com/ (also worth blocking Ninite's cert).

How to block a certificate in MDE?

Download the repo by hitting the "Code" button, then "Download ZIP".

Unzip the downloaded folder.

From Defender navigate to Settings > Endpoints > Indicators, then the "Certificates" tab on the right of the sub-menu.

Hit "Add item" next to the plus.

Browse for the certificate in the unzipped folder, then fill in the title and description.

Hit "Next". The default action is "Allow", so change it to "Block" and hit "Next" again.

Set the scope of the block, hit "Next", then "Finish".
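The same block created through the Defender for Endpoint Indicators API instead of the portal wizard, as an added example that is not part of this repository. Microsoft documents a CertificateThumbprint indicator type on POST https://api.securitycenter.microsoft.com/api/indicators; the value is the certificate's SHA-1 thumbprint, which is just the SHA-1 of the DER bytes in an exported .cer. The code assumes you already hold a bearer token for the API issued to an app registration with the Ti.ReadWrite permission (token acquisition is not shown), that any device group names you pass exist in your tenant, and that the field set matches the current API documentation; verify that against your tenant before scripting it at scale, because the portal's CSV import does not take certificates.

```python
import base64
import hashlib
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Single-indicator endpoint of the Defender for Endpoint Indicators API. Assumption: the
# caller already holds a bearer token for https://api.securitycenter.microsoft.com issued
# to an app registration granted the Ti.ReadWrite permission (token acquisition not shown).
INDICATORS_API = "https://api.securitycenter.microsoft.com/api/indicators"


def thumbprint_from_cer(cer_bytes):
    """SHA-1 over the DER certificate, upper-case hex: the CertificateThumbprint value.
    Accepts both wizard outputs, DER ("DER encoded binary") and PEM ("Base-64 encoded")."""
    if cer_bytes.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(line for line in cer_bytes.splitlines() if not line.startswith(b"-----"))
        cer_bytes = base64.b64decode(body)
    return hashlib.sha1(cer_bytes).hexdigest().upper()


def block_certificate_indicator(thumbprint, title, description,
                                device_groups=None, expires_in_days=None):
    """Request body for a 'Block' certificate indicator.

    device_groups is the API form of the portal's scope step (rbacGroupNames); leaving it
    out applies the block to all devices. expires_in_days sets expirationTime so a
    temporary block removes itself instead of lingering in the indicator list.
    """
    tp = thumbprint.replace(":", "").replace(" ", "").upper()
    if len(tp) != 40 or any(c not in "0123456789ABCDEF" for c in tp):
        raise ValueError(f"not a SHA-1 thumbprint: {thumbprint!r}")
    body = {
        "indicatorValue": tp,
        "indicatorType": "CertificateThumbprint",
        "action": "Block",
        "title": title,
        "description": description,
        "severity": "Informational",
        "generateAlert": True,  # surface blocks in the incident queue, not only in hunting
    }
    if device_groups:
        body["rbacGroupNames"] = list(device_groups)
    if expires_in_days is not None:
        expiry = datetime.now(timezone.utc) + timedelta(days=expires_in_days)
        body["expirationTime"] = expiry.strftime("%Y-%m-%dT%H:%M:%SZ")
    return body


def build_request(token, body):
    """The POST as a urllib Request, kept separate so it can be inspected without sending."""
    return urllib.request.Request(
        INDICATORS_API, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})


def submit(token, body):
    """Send the indicator; the response is the created indicator, including its id."""
    with urllib.request.urlopen(build_request(token, body), timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    import sys
    from pathlib import Path
    if len(sys.argv) < 3:
        sys.exit("usage: block_cert.py <bearer-token> <file.cer> [device group ...]")
    cer = Path(sys.argv[2])
    body = block_certificate_indicator(
        thumbprint_from_cer(cer.read_bytes()), title=f"Block signer {cer.stem}",
        description="Unsanctioned software publisher (from the SoftwareCertificates repo)",
        device_groups=sys.argv[3:] or None)
    print(json.dumps(submit(sys.argv[1], body), indent=2))
```

The same caution as the wizard applies: one POST per certificate, and check each cert before you script a loop over the whole repo, since the block lands on every binary that publisher signed.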

To export software certificates (pull requests welcome):

Looking to automate this process with Python, but for now see below.

Right-click the exe and select Properties.

Go to the Digital Signatures tab.

Click Details, then View Certificate.

Open the Details tab.

Click Copy to File.

Export as a .cer file.
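The same export done programmatically, as an added example written for this page (it is not the repository's Python ripper). A signed PE stores its Authenticode signature as a WIN_CERTIFICATE in the security data directory, and the PKCS#7 SignedData inside carries the signer's certificate chain. The code below finds that blob with the standard library only, walks the DER to pull out each certificate, and writes each one as a .cer (DER encoding, the same as the wizard's "DER encoded binary X.509" option) named by its SHA-1 thumbprint. `build_sample_pe` and `der_encode` are assumptions for this example: they construct a fake PE header with placeholder certificates so the script runs offline. On a real binary the extracted blobs are real X.509 certificates; the order inside the set is not guaranteed, so pick the leaf by matching its subject to the signer shown in the Properties dialog, and note that nested (dual) signatures stored in the signer's unsigned attributes are not walked here.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

SECURITY_DIR_INDEX = 4                                  # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 2                      # Authenticode WIN_CERTIFICATE type
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2

def der_tlv(data, pos):
    """(tag, value_start, value_end) of the DER element at data[pos]; handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(data, start, end):
    """Yield (tag, elem_start, value_start, value_end) for each sibling element in [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = der_tlv(data, pos)
        yield tag, pos, vs, ve
        pos = ve

def authenticode_blob(pe):
    """PKCS#7 bytes from the first WIN_CERTIFICATE in the PE's security directory, or None."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                                 # optional header after 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)        # data directory table (PE32 / PE32+)
    # Security directory quirk: the "VirtualAddress" field is a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR_INDEX)
    if off == 0 or size == 0:
        return None                                     # unsigned binary
    length, _rev, ctype = struct.unpack_from("<IHH", pe, off)   # dwLength, wRevision, wCertificateType
    if ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unsupported certificate type 0x{ctype:04x}")
    return pe[off + 8:off + length]

def certificates_from_pkcs7(blob):
    """DER bytes of every certificate in a PKCS#7 SignedData ContentInfo (leaf, intermediates, ...)."""
    _, ci_s, ci_e = der_tlv(blob, 0)                    # ContentInfo SEQUENCE { OID, [0] SignedData }
    (oid_tag, _, oid_s, oid_e), (_, _, ctx_s, _) = list(der_children(blob, ci_s, ci_e))[:2]
    if oid_tag != 0x06 or blob[oid_s:oid_e] != OID_SIGNED_DATA:
        raise ValueError("ContentInfo is not signedData")
    _, sd_s, sd_e = der_tlv(blob, ctx_s)
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #   certificates [0] IMPLICIT OPTIONAL, crls [1] OPTIONAL, signerInfos }
    for tag, _, vs, ve in der_children(blob, sd_s, sd_e):
        if tag == 0xA0:                                 # context [0], constructed: the cert set
            return [blob[s:e] for _, s, _, e in der_children(blob, vs, ve)]
    return []

def thumbprint(cert_der):
    """SHA-1 of the certificate DER, i.e. the thumbprint an MDE certificate indicator matches on."""
    return hashlib.sha1(cert_der).hexdigest().upper()

def export_certs(pe_bytes, out_dir):
    """Write each embedded certificate to out_dir/<thumbprint>.cer and return the thumbprints."""
    blob = authenticode_blob(pe_bytes)
    certs = certificates_from_pkcs7(blob) if blob else []
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    tps = [thumbprint(c) for c in certs]
    for tp, cert in zip(tps, certs):
        (out / f"{tp}.cer").write_bytes(cert)
    return tps

def der_encode(tag, body):
    """Minimal DER encoder, used only to construct the sample input below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_sample_pe(certs):
    """Constructed PE32+ header skeleton (not a real executable) whose security directory
    points at a PKCS#7 SignedData carrying `certs` (placeholder DER SEQUENCEs stand in for X.509)."""
    signed_data = der_encode(0x30, der_encode(0x02, b"\x01") + der_encode(0x31, b"")
                             + der_encode(0x30, der_encode(0x06, bytes.fromhex("2b060104018237020104")))
                             + der_encode(0xA0, b"".join(certs)) + der_encode(0x31, b""))
    pkcs7 = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, signed_data))
    win_cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    e_lfanew, opt_size = 0x40, 112 + 16 * 8             # PE32+ fixed fields + 16 data directories
    end = e_lfanew + 24 + opt_size
    pe = bytearray(end)
    pe[:2], pe[e_lfanew:e_lfanew + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, e_lfanew)
    struct.pack_into("<H", pe, e_lfanew + 20, opt_size)  # SizeOfOptionalHeader
    struct.pack_into("<H", pe, e_lfanew + 24, 0x20B)     # PE32+ magic
    struct.pack_into("<II", pe, e_lfanew + 24 + 112 + 8 * SECURITY_DIR_INDEX, end, len(win_cert))
    return bytes(pe) + win_cert

if __name__ == "__main__":
    sample = build_sample_pe([der_encode(0x30, b"placeholder-cert-1"), der_encode(0x30, b"placeholder-cert-2")])
    print(export_certs(sample, tempfile.mkdtemp()))    # swap in Path("signed.exe").read_bytes() for a real file
```

The .cer files this writes are exactly what the "Add item" dialog in the MDE certificate indicator wizard takes, and the file name is the thumbprint you would otherwise read off the certificate's Details tab.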

KQL

Monitor blocks:

```kql
// Custom-indicator blocks from three surfaces: SmartScreen URL warnings raised by the custom
// block list, AV detections whose threat name is a custom enterprise block (file and
// certificate indicators), and Network Protection hits on the custom block list.
DeviceEvents
| where (ActionType == "SmartScreenUrlWarning" and AdditionalFields.Experience == "CustomBlockList")
    or (AdditionalFields.ThreatName contains "EUS:Win32/Custom" and ActionType == "AntivirusDetection")
    or (AdditionalFields.ResponseCategory == "CustomBlockList" and ActionType == "ExploitGuardNetworkProtectionBlocked")
// Left outer join keeps URL/network blocks that carry no file hash; Signer shows which cert matched.
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| summarize by FileName, RemoteUrl, DeviceName, Signer, InitiatingProcessAccountName, InitiatingProcessFileName, SHA1
```

Find unusual software certificates:

```kql
// Count file events per signer, then drop the well-known vendors so rare signers stand out.
// Extend the exclusion list for your own estate.
DeviceFileCertificateInfo
| join DeviceFileEvents on SHA1
| summarize count() by Signer //FileName,SHA1,Issuer,FileOriginUrl
| where Signer !contains "Google "
| where not(Signer has_any("Intel","fortinet",".net","citrix","microsoft","HP Inc.","adobe","cisco","Avaya Inc.","Zoom Video Communications, Inc.","zscaler","oracle","Advanced Micro Devices Inc.","Lenovo","Hewlett-Packard Company","RingCentral","Symantec","Mozilla","Dell Technologies Inc."))
// order by defaults to descending, so the rarest signers are at the bottom; add "asc" to flip it.
| order by count_
```

How to upload the bulk IOC CSV to MDE (Bulk-IOC-CSVs folder)

As of 13/03/2023, certificates cannot be imported in bulk through the portal, but domains, URLs and hashes can:

From Defender, go to Settings on the bottom left.

Then Endpoints.

Indicators, then Import. Note that it doesn't matter whether you are on the File hash, Domain, IP or Certificate tab.

Choose File, hit Import, then hit Done. Duplicates are skipped, so you can keep adding to the existing CSV.

Python Bulk Ripper

Work In Progress

Testing Tampered Executables

https://github.com/jkerai1/SoftwareCertificates/tree/main/Manipulated%20Exes%20For%20Testing

See also: a good article on abusing code-signing certs.

See more from me on IOC blocking!

Block TypoSquats in MDE/TABL
Block Malicious Sites from JoeSandbox in MDE/TABL
Block Suspicious TLDs in TenantAllowBlockList