MalwareBazaar Certificate Blocklist Detection
This query matches the signing certificates recorded in DeviceFileCertificateInfo against MalwareBazaar's code signing certificate blocklist.
Detection Query
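//This query searches for code signing certificates from MalwareBazaar's blocklist
//Checks DeviceFileCertificateInfo for matches and can be joined with process/file events
//The blocklist is fetched from abuse.ch at query time; its rows are only used as join keys
let CodeSigningBlockList = externaldata (line: string) [@'https://bazaar.abuse.ch/export/csv/cscb/'] with (format=txt, ignoreFirstRecord=true);
CodeSigningBlockList
| where isnotempty(line) and line !startswith "#" //drop blank lines and the feed's comment/header lines
| extend all = parse_csv(line) //unlike split(), parse_csv honours quoting, so a subject CN containing a comma does not shift the columns
| where array_length(all) > 5 //skip short/malformed rows whose later columns would otherwise come back empty
//Column positions follow the feed's header line; re-check them if the feed format changes
| extend CertificateSerialNumber = tostring(all[1])
| extend SignerHash = tolower(tostring(all[2])) //Thumbprint; lower-cased because join keys compare case-sensitively
| extend Signer = tostring(all[4])
| extend Issuer = tostring(all[5])
| project-away line, all
//Join on the certificate thumbprint rather than the signer display name: a stolen certificate shares
//its subject CN with the victim's legitimate certificates, so matching on Signer flags every file
//signed by that company. kind=inner keeps every blocklist row (the default innerunique keeps one per key).
//Overlapping column names from DeviceFileCertificateInfo come back with a "1" suffix (Signer1, Issuer1, ...).
| join kind=inner (
    DeviceFileCertificateInfo
    | extend SignerHash = tolower(SignerHash)
  ) on SignerHash
//| join kind=leftouter DeviceProcessEvents on SHA1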
//| join kind=leftouter DeviceFileEvents on SHA1
Data Sources
DeviceProcessEvents
DeviceFileEvents
Platforms
windows
Tags
defender
Raw Content
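//This query searches for code signing certificates from MalwareBazaar's blocklist
//Checks DeviceFileCertificateInfo for matches and can be joined with process/file events
//The blocklist is fetched from abuse.ch at query time; its rows are only used as join keys
let CodeSigningBlockList = externaldata (line: string) [@'https://bazaar.abuse.ch/export/csv/cscb/'] with (format=txt, ignoreFirstRecord=true);
CodeSigningBlockList
| where isnotempty(line) and line !startswith "#" //drop blank lines and the feed's comment/header lines
| extend all = parse_csv(line) //unlike split(), parse_csv honours quoting, so a subject CN containing a comma does not shift the columns
| where array_length(all) > 5 //skip short/malformed rows whose later columns would otherwise come back empty
//Column positions follow the feed's header line; re-check them if the feed format changes
| extend CertificateSerialNumber = tostring(all[1])
| extend SignerHash = tolower(tostring(all[2])) //Thumbprint; lower-cased because join keys compare case-sensitively
| extend Signer = tostring(all[4])
| extend Issuer = tostring(all[5])
| project-away line, all
//Join on the certificate thumbprint rather than the signer display name: a stolen certificate shares
//its subject CN with the victim's legitimate certificates, so matching on Signer flags every file
//signed by that company. kind=inner keeps every blocklist row (the default innerunique keeps one per key).
//Overlapping column names from DeviceFileCertificateInfo come back with a "1" suffix (Signer1, Issuer1, ...).
| join kind=inner (
    DeviceFileCertificateInfo
    | extend SignerHash = tolower(SignerHash)
  ) on SignerHash
//| join kind=leftouter DeviceProcessEvents on SHA1
//| join kind=leftouter DeviceFileEvents on SHA1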