Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to content

Repository for Software Certs for easy software blocking across corp environments, for example, using MDE IOC

Notifications You must be signed in to change notification settings

jkerai1/SoftwareCertificates

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

GitHub stars GitHub forks GitHub issues GitHub pulls

SoftwareCertificates

Repository for Software Certs for easy software blocking (or allowing) across corp environments, for example, using MDE IOC/AppLocker/WDAC/ Intune Remediation Script/ Intune EPM (I would recommend Reusable settings here)

WDAC is the preferred and best method for blocking executables but can be a monster to tackle and maintain with the possibility to brick a machine, if you need intend to rollout WDAC I recommend to check this out before doing so.

⚠️Caution: Some Certs for unsanctioned applications may be used for other applications from the same org that may be legitimate e.g. BlueJeans Conferencing (sanctioned) BlueJeans Remote Desktop Control (unsanctioned) ⚠️

⚠️ Please do not upload these certs en masse without checking, you may be impacting a user or service - there is no native way to bulk upload indicators in the MDE portal!⚠️

App Ref: https://appwiki.checkpoint.com/appwikisdb/public.htm or https://getintopc.com/all-software-categories/

Of course there are ways around Cert Blocking (e.g. ImageRemoveCertificate API, signTool, wait for certificate thumbprint to rotate, SigThief, delcert - more opportunities for detection😉). See Testing Manipulated Executables

Useful Ref For Programs people install on fresh desktop: https://ninite.com/ (also worth blocking ninite's cert)

How to block a certificate in MDE?

Note that Certificate thumbprints will rotate as certificates are rolled so this is NOT the best way to block applications, WDAC is the best preferred method to block applications, see early note on WDAC. After you block a certificate ensure to block any URLs the user may grab the executable from to prevent rolled certificates.

Download the Repo by hitting the "Code button" then "Download Zip"

Unzip the downloaded folder

image

From Defender navigate to Settings > Endpoints > Indicators and then the "certificates" tab on the right of the sub menu

image

Then hit "add Item" next to the plus

Browse for the certificate from the unzipped folder. Fill in the title and description

image

Hit Next. The default mode is "allow" so change this to "Block And Remediate" and then hit next

image

Set the Scope of the block, then hit "next" and then "finish"

Example:
image

To Export Software Certificates - Pull Requests Welcome:

Looking to automate this process with Python but for now see below

Right Click on Exe, Select Properties:

Go To Digital Signature Tab:
image

Click details then View Certificate:

image
image

Details Tab:
image

Copy To File:
image

Export as Cer:
image

KQL

Monitor Blocks - Sentinel + DeviceFileCertificateInfo Table:

DeviceEvents
| where (ActionType == "SmartScreenUrlWarning" and AdditionalFields.Experience == "CustomBlockList") or (AdditionalFields.ThreatName contains "EUS:Win32/Custom" and ActionType == "AntivirusDetection") or (AdditionalFields.ResponseCategory == "CustomBlockList" and ActionType == "ExploitGuardNetworkProtectionBlocked")
| join kind=leftouter DeviceFileCertificateInfo on SHA1
|extend VT_hash = iff(isnotempty(SHA1),strcat(@"https://www.virustotal.com/gui/file/",SHA1),SHA1)
|extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| summarize by FileName, RemoteUrl,DeviceName, Signer, InitiatingProcessAccountName, InitiatingProcessFileName, SHA1, VT_hash, VT_domain

Note you cannot use DeviceNetworkEvents for this because of how MDE performs TCP handshake

If you don't ingest DeviceFileCertificateInfo to sentinel you can use Advanced Hunting instead:

DeviceEvents
| where (ActionType == "SmartScreenUrlWarning" and todynamic(AdditionalFields).Experience == "CustomBlockList") or (todynamic(AdditionalFields).ThreatName contains "EUS:Win32/Custom" and ActionType == "AntivirusDetection") or ((todynamic(AdditionalFields).ResponseCategory) == "CustomBlockList" and ActionType == "ExploitGuardNetworkProtectionBlocked")
|extend VT_hash = iff(isnotempty(SHA1),strcat(@"https://www.virustotal.com/gui/file/",SHA1),SHA1)
|extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| summarize by FileName, RemoteUrl,DeviceName, Signer, InitiatingProcessAccountName, InitiatingProcessFileName, SHA1, VT_hash, VT_domain

Find Unusual Software Certificates:

DeviceFileCertificateInfo
| join DeviceFileEvents on SHA1
//|extend VT_hash = iff(isnotempty(SHA1),strcat(@"https://www.virustotal.com/gui/file/",SHA1),SHA1)
| summarize count() by Signer //FileName,SHA1,Issuer,FileOriginUrl
| where Signer !contains "Google "
| where not(Signer has_any("Intel","fortinet",".net","citrix","microsoft","HP Inc.","adobe","cisco","Avaya Inc.","Zoom Video Communications, Inc.","zscaler","oracle","Advanced Micro Devices Inc.","Lenovo","Hewlett-Packard Company","RingCentral","Symantec","Mozilla","Dell Technologies Inc.")) 
| order by count_

How to Upload the Bulk IOC CSV to MDE (Bulk-IOC-CSVs Folder)

⚠️ Potential Business Impact if you upload without running a KQL against the CSV first

As of 13/03/2023, certificates cannot be uploaded in bulk, however for domains, urls and hashes and note there is a limit of 500 for bulk upload, the current typosquat lists will not work as they are too large:

Also note all Block lists with merge with MDA Unsanctioned apps so no need to deduplicate manually

Find the CSV of interest (after checking for business impact by checking it with a KQL query) and click on download from the Bulk-IOC-CSVs Folder

aaadsa

Note that the raw button will take you to the raw table, it is the URL of this that you need to ingest as KQL, see example

From Defender, Go To Settings on bottom left:
image

Then Endpoints:
image

Indicators then Import - note it it doesn't matter whether you are in File Hash,Domain, IP or Cert tab:

image

Choose the File you downloaded in the first step, then hit Import then Hit Done - note that duplicates are skipped so you can keep adding to the existing CSV:

image

Python Bulk Ripper

Work In Progress

Testing Tampered Executables

https://github.com/jkerai1/SoftwareCertificates/tree/main/Manipulated%20Exes%20For%20Testing

See also A good article on abusing code signing certs

Stop Users Walking past blocks

Make sure users cannot override SmartScreen setting in windows settings – lives under App and Browser Control.
Unticking Smartscreen for edge allows access the custom IOCs because they share the same service (this can be noted in the KQL also)

image

image

Some 3rd party browsers can walk past URL blocks, Seamonkey for example.

MDA

https://github.com/jkerai1/SoftwareCertificates/blob/main/Bulk-IOC-CSVs/MDA

Intune

https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs/Intune

See More From Me on IOC Blocking!

Block TypoSquats in MDE/TABL GitHub stars
Block Malicious Sites from JoeSandbox in MDE/TABL GitHub stars
Block Suspicious TLDs in TenantAllowBlockList GitHub stars