Query Details

Malware Bazaar Certificate Blocklist Detection

Query

// This query searches for code signing certificates from MalwareBazaar's blocklist (CSCB export)
// and checks DeviceFileCertificateInfo for matches; the result can then be joined with process/file events
let CodeSigningBlockList = externaldata (line: string) [@'https://bazaar.abuse.ch/export/csv/cscb/'] with (format=txt, ignoreFirstRecord=true);
CodeSigningBlockList
| where line !startswith "#"                                  // drop comment/header lines
| extend all = split(replace_string(line, @'"', ""), ',')    // strip quotes and split on commas; easier than parse
| extend CertificateSerialNumber = tostring(all[1])
| extend SignerHash = tostring(all[2])                        // certificate thumbprint
| extend Signer = tostring(all[4])
| extend Issuer = tostring(all[5])
| project-away line, all
| join DeviceFileCertificateInfo on SignerHash                // innerunique join (the default) of blocklist rows to device certificate events; string joins are case-sensitive, and same-named right-side columns (Signer, Issuer, CertificateSerialNumber) appear with a "1" suffix
//| join kind=leftouter DeviceProcessEvents on SHA1
//| join kind=leftouter DeviceFileEvents on SHA1

Explanation

This KQL (Kusto Query Language) query identifies potentially malicious code signing certificates by cross-referencing certificate data seen on endpoints with a blocklist from MalwareBazaar. Here's a breakdown of what the query does in simple terms:

  1. Load Blocklist Data: It retrieves the list of blocklisted code signing certificates from MalwareBazaar, served as a CSV export at the URL given in the query.

  2. Data Preparation:

    • It skips lines that start with a "#" (comments and the column header).
    • It processes each line by removing quotes and splitting the line into fields on commas.
    • It extracts specific fields from each line: the certificate's serial number, the thumbprint (SignerHash), the signer, and the issuer.
  3. Data Projection: It removes the raw line and the split array, keeping only the extracted certificate fields.

  4. Join with Device Data: It joins the processed blocklist with the DeviceFileCertificateInfo table using the SignerHash (thumbprint) as the key. Because this is an inner join, only records whose signer thumbprint appears on the blocklist survive, i.e. files seen on devices that were signed with a blocklisted certificate.

  5. Optional Joins: The query includes commented-out lines that suggest additional left-outer joins with the DeviceProcessEvents and DeviceFileEvents tables using the SHA1 hash of the signed file. These joins could be used to further investigate processes launched from, or file operations on, the files associated with the identified certificates.

In summary, this query is used to detect and analyze code signing certificates from a known blocklist that might be present on devices, potentially indicating malicious activity.
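The following is an added example, not the original author's query: a fuller version of the same detection that normalizes thumbprint case before the join, completes the commented-out DeviceProcessEvents join, and summarizes the result per signed file. It assumes the blocklist CSV keeps the column positions used above (index 1 = serial number, 2 = thumbprint, 4 = signer CN, 5 = issuer CN); the 7-day lookback and the chosen output columns are assumptions made here.

```kql
// Added example (not from the original page). Same data source and join key as the
// query above, with case normalization, a completed process join and a summary.
// Assumed: blocklist column positions 1/2/4/5 as in the original query; 7-day window.
let lookback = 7d;
let CodeSigningBlockList =
    externaldata (line: string) [@'https://bazaar.abuse.ch/export/csv/cscb/'] with (format=txt, ignoreFirstRecord=true)
    | where line !startswith "#"
    | extend all = split(replace_string(line, @'"', ""), ',')
    | project
        BlockedSerialNumber = tostring(all[1]),
        SignerHash = tolower(tostring(all[2])),   // string joins in KQL are case-sensitive, so normalize
        BlockedSigner = tostring(all[4]),
        BlockedIssuer = tostring(all[5])
    | where isnotempty(SignerHash)
    | distinct BlockedSerialNumber, SignerHash, BlockedSigner, BlockedIssuer;
// Files on endpoints whose signer thumbprint is on the blocklist
let BlockedSignedFiles =
    DeviceFileCertificateInfo
    | where Timestamp > ago(lookback)
    | extend SignerHash = tolower(SignerHash)   // normalize the endpoint side the same way
    | join kind=inner CodeSigningBlockList on SignerHash
    | project Timestamp, DeviceId, DeviceName, SHA1, Signer, Issuer, CertificateSerialNumber,
              IsSigned, IsTrusted, BlockedSigner, BlockedIssuer, BlockedSerialNumber;
// Enrich with process launches of those files (SHA1 is the signed file's hash on both sides)
BlockedSignedFiles
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project SHA1, ProcessCreationTime = Timestamp, FileName, FolderPath,
              ProcessCommandLine, AccountName, InitiatingProcessFileName
  ) on SHA1
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Devices = dcount(DeviceId),
    Launches = countif(isnotempty(ProcessCreationTime)),   // 0 means the file was seen but never executed in the window
    SampleCommandLines = make_set(ProcessCommandLine, 5)
    by SHA1, Signer, Issuer, CertificateSerialNumber, IsTrusted, BlockedSigner
| order by Launches desc, Devices desc
```

The left-outer process join keeps files that were only written to disk and never launched, which is the case an analyst most wants to triage before it becomes an execution; the IsTrusted column is kept because a blocklisted certificate that the endpoint still reports as trusted indicates the certificate has not yet been revoked or the revocation has not propagated.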

Details

Jay Kerai

Released: November 10, 2024

Tables

DeviceFileCertificateInfo

Keywords

CodeSigningBlockList, DeviceFileCertificateInfo, DeviceProcessEvents, DeviceFileEvents

Operators

let, externaldata, with, where, !startswith, extend, split, replace_string, tostring, project-away, join