← Back to Explore
kqlHunting
Unusual Software Certificate Detection
This query looks for software certificates with low prevalence
Detection Query
//This query looks for software certificates with low prevalence
//Helps identify potentially unapproved applications in the organization
DeviceFileCertificateInfo
| join DeviceFileEvents on SHA1
//|extend VT_hash = iff(isnotempty(SHA1),strcat(@"https://www.virustotal.com/gui/file/",SHA1),SHA1)
| summarize count() by Signer //FileName,SHA1,Issuer,FileOriginUrl
| where Signer !contains "Google "
| where not(Signer has_any("Intel","fortinet",".net","citrix","microsoft","HP Inc.","adobe","cisco","Avaya Inc.","Zoom Video Communications, Inc.","zscaler","oracle","Advanced Micro Devices Inc.","Lenovo","Hewlett-Packard Company","RingCentral","Symantec","Mozilla","Dell Technologies Inc."))
| order by count_Data Sources
DeviceFileEvents
Platforms
windows
Tags
defender
Raw Content
//This query looks for software certificates with low prevalence
//Helps identify potentially unapproved applications in the organization
DeviceFileCertificateInfo
| join DeviceFileEvents on SHA1
//|extend VT_hash = iff(isnotempty(SHA1),strcat(@"https://www.virustotal.com/gui/file/",SHA1),SHA1)
| summarize count() by Signer //FileName,SHA1,Issuer,FileOriginUrl
| where Signer !contains "Google "
| where not(Signer has_any("Intel","fortinet",".net","citrix","microsoft","HP Inc.","adobe","cisco","Avaya Inc.","Zoom Video Communications, Inc.","zscaler","oracle","Advanced Micro Devices Inc.","Lenovo","Hewlett-Packard Company","RingCentral","Symantec","Mozilla","Dell Technologies Inc."))
| order by count_