osq-ext-bin
Feature Request: Add Authenticode Signature information to win_process_events
Both Sysmon & PolyLogyX are missing the ability to see if a process is a trusted process with Authenticode signatures. Please add a check or flag to enable Authenticode checking. Currently I am using this query for the results:
SELECT process.pid, process.path, signature.result FROM processes as process LEFT JOIN authenticode AS signature ON process.path = signature.path;
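The same workaround applied to the event table the request is about, as an added example that is not part of the original issue or of the osq-ext-bin project: join win_process_events to the authenticode table at query time and surface only the executions whose signature is not trusted. The example assumes the event table exposes time, action, pid, parent_pid, path and cmdline columns with a PROC_CREATE action value, and that the authenticode table returns result, issuer_name and subject_name for the given path; those column and value names are assumptions and should be checked against the schema of the deployed extension.

```sql
-- Added example (not from the issue or the project). Runs in osqueryi on a
-- Windows host with the extension loaded; column/value names are assumptions.
SELECT
    e.time,
    e.pid,
    e.parent_pid,
    e.path,
    e.cmdline,
    -- NULL when the binary no longer exists on disk at query time
    COALESCE(a.result, 'unknown') AS signature_result,
    a.issuer_name,
    a.subject_name
FROM win_process_events AS e
LEFT JOIN authenticode AS a ON a.path = e.path
WHERE e.action = 'PROC_CREATE'
  AND (a.result IS NULL OR a.result != 'trusted');
```

The caveat this makes visible is why the request matters: the authenticode table evaluates the file at the moment the query runs, not at the moment the process started. A binary that was deleted or renamed after execution yields no row (hence the COALESCE to 'unknown' rather than silently dropping it), and a file overwritten between execution and the scheduled query is verified in its new state. Capturing the signature inside the process-creation callback would remove that gap.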
@ion-storm you are absolutely correct in pointing out that we don't directly store the Authenticode signature. The reason is how we receive these events via process and image load callbacks and store them in their respective tables.
Since during image load callbacks we already store this information per image in our table, and these computations are performance intensive, we kept it in one place only.
But we will think of a way to do it in a non-repetitive manner and keep the perf in check as well.
Noted for future releases. Thank you.