velociraptor-docs
Create Windows.Sysinternals.Sigcheck.yaml
Inspired by the Windows.Sysinternals.Autoruns, this uses Sysinternals Sigcheck to scan for suspicious binaries.
Does it provide any more information than https://docs.velociraptor.app/artifact_references/pages/windows.detection.binaryhunter/, which seems a lot more powerful?
Also, it is not the best idea for all endpoints to hit up VT for all the hashes - it will exhaust API quotas and might take a long time.
I think you are right. I am fairly new to Velociraptor and it seems I have not spent enough time exploring the `*hunter` artifacts.
Regarding VT lookups, I was thinking it would be a natural use-case to select it after scoping down the volume.
I have done some testing, and I get different results from binaryhunter and sigcheck with regard to authenticode results. So in the interest of "dual-tool verification", I would argue that the sigcheck artifact could provide some value. The entropy and VT lookup/submission functionality also has its use-cases, but it might already be covered by existing artifacts/functionality that I haven't tried yet.
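One way to do the "scope down, then look up" step discussed above, as an added Python example that is not part of this PR or of Velociraptor: parse `sigcheck -c -h` CSV collected from several hosts, keep only files whose Authenticode check did not pass, deduplicate hashes across endpoints, rank rarest first and cap the number of VT lookups. The `Hostname` column, the reduced column subset and all values are constructed assumptions for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: rows in the shape of "sigcheck -c -h" output, gathered from
# three endpoints and prefixed with a Hostname column by the collector. Column
# subset, paths and hashes are assumptions made for this example, not real data.
HASH_A, HASH_B, HASH_C = "a" * 64, "b" * 64, "c" * 64
SAMPLE_CSV = f"""Hostname,Path,Verified,Publisher,SHA256
ws01,C:\\Windows\\System32\\notepad.exe,Signed,Microsoft Windows,{HASH_A}
ws02,C:\\Windows\\System32\\notepad.exe,Signed,Microsoft Windows,{HASH_A}
ws01,C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe,Unsigned,n/a,{HASH_B}
ws02,C:\\Users\\alice\\Downloads\\update.exe,Unsigned,n/a,{HASH_B}
ws03,C:\\ProgramData\\svc\\agent.exe,Root certificate not trusted by the trust provider,n/a,{HASH_C}
"""


def parse_sigcheck_csv(text):
    """Parse sigcheck CSV output into one dict per file."""
    return list(csv.DictReader(io.StringIO(text)))


def select_for_vt(rows, budget):
    """Return {sha256: [(host, path), ...]} for the hashes worth one VT lookup.

    Only files whose Verified column is not exactly "Signed" are candidates,
    each hash is looked up once no matter how many endpoints reported it, the
    rarest hashes (fewest host/path sightings) come first, and the result is
    capped at `budget` so a fleet-wide hunt cannot burn the whole API quota.
    """
    sightings = defaultdict(set)  # sha256 -> {(host, path)}
    for row in rows:
        if row["Verified"] == "Signed" or not row["SHA256"]:
            continue  # trusted signature, or no PE hash to look up
        sightings[row["SHA256"]].add((row["Hostname"], row["Path"]))
    ranked = sorted(sightings, key=lambda h: (len(sightings[h]), h))
    return {h: sorted(sightings[h]) for h in ranked[:budget]}


def lookup_stats(rows, selected):
    """Summarise how far scoping reduced the lookup volume."""
    return {
        "files": len(rows),
        "unique_hashes": len({r["SHA256"] for r in rows}),
        "lookups": len(selected),
    }
```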
If there are issues with authenticode calculations we should chase them down and fix them. Please consider filing an issue when you find differences in behaviour.