Detects executables signed with stolen, revoked or invalid certificate

Advertisement

Guest

Detects executables signed with stolen, revoked or invalid certificate

According to VirusTotal WinSCP-5.19.6-Setup.exe signed with "signed with stolen, revoked or invalid certificate"
rule INDICATOR_KB_CERT_0232466dc95b40ec9d21d9329abfcd5d {
    meta:
         author = "ditekSHen"
         description = "Detects executables signed with stolen, revoked or invalid certificate"
         thumbprint = "fb845245cfbb0ee97e76c775348caa31d74bec4c"
    condition:
        uint16(0) == 0x5a4d and
        for any i in (0..pe.number_of_signatures): (
            pe.signatures[i].subject contains "Martin Prikryl" and
            pe.signatures[i].serial == "02:32:46:6d:c9:5b:40:ec:9d:21:d9:32:9a:bf:cd:5d"
        )
}
What does it mean?

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,469
Location:
Prague, Czechia

Re: Detects executables signed with stolen, revoked or invalid certificate

Can you post a link to that page? I was not able to find it. I do not know who @ditekshen is, and what significance does his/her rule have.
I've found that the rule was added 15 months ago and noone ever asked about it until now:
https://github.com/ditekshen/detection/commit/4a2fd52f13aaefb28681458f33b8b9afc092c161

Reply with quote

Advertisement

martin
Site Admin
martin avatar

Re: Detects executables signed with stolen, revoked or invalid certificate

@concernedcitizen: Thanks. But I still do not know what to report and whether it is even worth reporting. I only got the screenshot in the post above. I do not even know, where it comes from. If you are concerned, please report it yourself. Thanks.

Reply with quote

Advertisement

You can post new topics in this forum