mlcsec / SigFinder

Identify binaries with Authenticode digital signatures signed to an internal CA/domain

SigFinder

Identify binaries with Authenticode digital signatures signed to an internal CA/domain. Useful for enumerating Windows directory paths referenced in WDAC policies or searching for internal LOB applications.

C:\Tools> SigFinder.exe
Usage: SigFinder.exe <directoryPath> [-ignore <string1>,<string2>,...] [-recursive] [-domain <domain>]

Optional flags:

  • -ignore - ignore all certificates containing the supplied string or comma-separated strings
  • -recursive - recursively check for certificates from the provided directory path
  • -domain - only display certificates containing the domain keyword


NOTE

Quote directory paths that contain spaces, and either REMOVE the trailing backslash or ADD a second backslash before the closing quote:

beacon> executeInline-Assembly --dotnetassembly C:\Tools\SigFinder.exe "C:\Program Files" -ignore microsoft
beacon> executeInline-Assembly --dotnetassembly C:\Tools\SigFinder.exe "C:\Program Files\\" -ignore microsoft

Your beacon WILL DIE if you don't.

Languages

Language:C# 100.0%