Decode SignInfoFlags
The query decodes the SignInfoFlags bitfield on Windows ProcessRollup2 events into named signature flags, so that unsigned or improperly signed executables can be identified. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Decode%20SignInfoFlags.md)
Detection Query
#event_simpleName=ProcessRollup2 UserSid=/^S-1-5-21-/ SignInfoFlags=*
| bitfield:extractFlags(
field=SignInfoFlags,
output=[
[0,SIGNATURE_FLAG_SELF_SIGNED],
[1,SIGNATURE_FLAG_MS_SIGNED],
[2,SIGNATURE_FLAG_TEST_SIGNED],
[3,SIGNATURE_FLAG_MS_CROSS_SIGNED],
[4,SIGNATURE_FLAG_CAT_SIGNED],
[5,SIGNATURE_FLAG_DRM_SIGNED],
[6,SIGNATURE_FLAG_DRM_TEST_SIGNED],
[7,SIGNATURE_FLAG_MS_CAT_SIGNED],
[8,SIGNATURE_FLAG_CATALOGS_RELOADED],
[9,SIGNATURE_FLAG_NO_SIGNATURE],
[10,SIGNATURE_FLAG_INVALID_SIGN_CHAIN],
[11,SIGNATURE_FLAG_SIGN_HASH_MISMATCH],
[12,SIGNATURE_FLAG_NO_CODE_KEY_USAGE],
[13,SIGNATURE_FLAG_NO_PAGE_HASHES],
[14,SIGNATURE_FLAG_FAILED_CERT_CHECK],
[15,SIGNATURE_FLAG_NO_EMBEDDED_CERT],
[16,SIGNATURE_FLAG_FAILED_COPY_KEYS],
[17,SIGNATURE_FLAG_UNKNOWN_ERROR],
[18,SIGNATURE_FLAG_HAS_VALID_SIGNATURE],
[19,SIGNATURE_FLAG_EMBEDDED_SIGNED],
[20,SIGNATURE_FLAG_3RD_PARTY_ROOT],
[21,SIGNATURE_FLAG_TRUSTED_BOOT_ROOT],
[22,SIGNATURE_FLAG_UEFI_ROOT],
[23,SIGNATURE_FLAG_PRS_WIN81_ROOT],
[24,SIGNATURE_FLAG_FLIGHT_ROOT],
[25,SIGNATURE_FLAG_APPLE_SIGNED],
[26,SIGNATURE_FLAG_ESBCACHE],
[27,SIGNATURE_FLAG_NO_CACHED_DATA],
[28,SIGNATURE_FLAG_CERT_EXPIRED],
[29,SIGNATURE_FLAG_CERT_REVOKED]
])
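An added example (not from the CrowdStrike query or the logscale-community repository) that performs the same decoding outside LogScale in Python: the bit-to-name table mirrors the output=[...] list above, the event filter mirrors the query's first line, and a small triage rule turns the decoded flags into the "unsigned or improperly signed" verdict the description refers to. The sample events and their SignInfoFlags values are constructed, and the grouping of bits into "failure" flags is an assumption of this example, not something the page defines.

```python
import re
# Index == bit position, exactly as in the output=[...] table of the CQL above.
SIGNINFO_FLAG_NAMES = [
    "SELF_SIGNED", "MS_SIGNED", "TEST_SIGNED", "MS_CROSS_SIGNED", "CAT_SIGNED", "DRM_SIGNED",
    "DRM_TEST_SIGNED", "MS_CAT_SIGNED", "CATALOGS_RELOADED", "NO_SIGNATURE", "INVALID_SIGN_CHAIN",
    "SIGN_HASH_MISMATCH", "NO_CODE_KEY_USAGE", "NO_PAGE_HASHES", "FAILED_CERT_CHECK",
    "NO_EMBEDDED_CERT", "FAILED_COPY_KEYS", "UNKNOWN_ERROR", "HAS_VALID_SIGNATURE",
    "EMBEDDED_SIGNED", "3RD_PARTY_ROOT", "TRUSTED_BOOT_ROOT", "UEFI_ROOT", "PRS_WIN81_ROOT",
    "FLIGHT_ROOT", "APPLE_SIGNED", "ESBCACHE", "NO_CACHED_DATA", "CERT_EXPIRED", "CERT_REVOKED",
]
# Assumed grouping: bits meaning "no signature" or "signature present but did not verify".
BAD_SIGNATURE_FLAGS = {"SIGNATURE_FLAG_" + n for n in (
    "NO_SIGNATURE", "INVALID_SIGN_CHAIN", "SIGN_HASH_MISMATCH",
    "FAILED_CERT_CHECK", "CERT_EXPIRED", "CERT_REVOKED")}
USER_SID_RE = re.compile(r"^S-1-5-21-")  # the query's filter: domain/local user SIDs only
def decode_signinfo_flags(value):
    """Set of SIGNATURE_FLAG_* names whose bit is set; accepts int, decimal or 0x hex."""
    text = str(value).strip().lower()
    raw = int(text, 16) if text.startswith("0x") else int(text, 10)
    return {"SIGNATURE_FLAG_" + name
            for bit, name in enumerate(SIGNINFO_FLAG_NAMES) if (raw >> bit) & 1}

def signature_verdict(value):
    """Triage rule: a failure bit outranks HAS_VALID_SIGNATURE; neither set is indeterminate."""
    flags = decode_signinfo_flags(value)
    if flags & BAD_SIGNATURE_FLAGS:
        return "unsigned_or_invalid"
    return "valid" if "SIGNATURE_FLAG_HAS_VALID_SIGNATURE" in flags else "indeterminate"

def hunt(events):
    """Apply the query's filters and return (FileName, verdict, sorted flags) per hit."""
    rows = []
    for ev in events:
        if (ev.get("event_simpleName") != "ProcessRollup2" or "SignInfoFlags" not in ev
                or not USER_SID_RE.match(ev.get("UserSid", ""))):
            continue
        flags = decode_signinfo_flags(ev["SignInfoFlags"])
        rows.append((ev["FileName"], signature_verdict(ev["SignInfoFlags"]), sorted(flags)))
    return rows

# Constructed sample events, not real telemetry. 786434 = bits 1,18,19
# (MS_SIGNED|HAS_VALID_SIGNATURE|EMBEDDED_SIGNED); 0x8200 = bits 9,15 (NO_SIGNATURE|NO_EMBEDDED_CERT).
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "UserSid": "S-1-5-21-1000-2000-3000-1001",
     "FileName": "svchost.exe", "SignInfoFlags": "786434"},
    {"event_simpleName": "ProcessRollup2", "UserSid": "S-1-5-21-1000-2000-3000-1001",
     "FileName": "updater.exe", "SignInfoFlags": "0x8200"},
    {"event_simpleName": "ProcessRollup2", "UserSid": "S-1-5-18",  # SYSTEM: dropped by the SID filter
     "FileName": "services.exe", "SignInfoFlags": "786434"},
]
```

Note that the `^S-1-5-21-` filter keeps only domain and local account SIDs, so processes run as well-known accounts such as SYSTEM (S-1-5-18) never reach the decoder; widen the filter if those are in scope for a hunt.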
Author
CrowdStrike
Data Sources
Endpoint
Platforms
Windows, Linux
Tags
Hunting, cs_module:Insight