SigFinder icon indicating copy to clipboard operation
SigFinder copied to clipboard

Published 20 hours ago verified publisher icon mlcsec

Metadata

Identify binaries with Authenticode digital signatures signed to an internal CA/domain

SigFinder

Identify binaries with Authenticode digital signatures signed to an internal CA/domain. Useful for enumerating Windows directory paths referenced in WDAC policies or searching for internal LOB applications.

C:\Tools> SigFinder.exe
Usage: SigFinder.exe <directoryPath> [-ignore <string1>,<string2>,...] [-recursive] [-domain <domain>]

Optional flags:

  • -ignore - ignore all certificates containing supplied string/comma seperated strings
  • -recursive - recursively check for certificates from the provided directory path
  • -domain - only display certificates containing the the domain keyword

sigfinder


NOTE

Add quotes to directory paths containing spaces and either REMOVE the trailing backslash or ADD a backslash:

beacon> executeInline-Assembly --dotnetassembly C:\Tools\SigFinder.exe "C:\Program Files" -ignore microsoft
beacon> executeInline-Assembly --dotnetassembly C:\Tools\SigFinder.exe "C:\Program Files\\" -ignore microsoft

Your beacon WILL DIE if you don't.

Metadata

34
Stars
3
Forks
Watchers

Owner

verified publisher icon mlcsec

Metadata

Identify binaries with Authenticode digital signatures signed to an internal CA/domain

Back