SoftwareCertificates
Repository of software certificates for easy software blocking (or allowing) across corporate environments, for example via MDE indicators (IoCs), AppLocker or WDAC.
Caution: some certs for unsanctioned applications may also be used to sign legitimate applications from the same org, e.g. BlueJeans Conferencing (sanctioned) vs. BlueJeans Remote Desktop Control (unsanctioned).
Please do not bulk upload these certs without checking; chances are it will break your environment!
For what it's worth, personally WDAC >>>> AppLocker
App ref: https://appwiki.checkpoint.com/appwikisdb/public.htm
Also see a good article on abusing code signing certs: https://axelarator.github.io/posts/codesigningcerts/
Of course there are ways around cert blocking (e.g. the ImageRemoveCertificate API, signtool, SigThief, delcert), which are more opportunities for detection 😉
Useful ref for programs people install on a fresh desktop: https://ninite.com/ (also worth blocking Ninite's cert)
Looking to automate this process with Python, but for now see below.
Right-click the exe and select Properties:
Click Details, then View Certificate:
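The certificate dialog opened by the steps above shows one binary's signer and thumbprint at a time. The following is an added PowerShell example (not code from this repository) that inventories the Authenticode signers of every executable under a set of folders, so a certificate shared by a sanctioned and an unsanctioned product from the same vendor stands out before you block it. The folder roots and the output file name are assumptions; Get-AuthenticodeSignature is the built-in cmdlet.

```powershell
# Added example, not part of the SoftwareCertificates repo. Lists which binaries on a machine
# share each code-signing certificate, so you can check a cert before blocking it.
# Folder roots and output path are assumptions; adjust to your environment.
param(
    [string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA"),
    [string]$OutCsv = ".\signer-inventory.csv"
)

$files = Get-ChildItem -Path $Roots -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue

$rows = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    # Unsigned files carry no SignerCertificate; they need hash or path rules instead, so skip them here.
    if ($null -eq $sig.SignerCertificate) { continue }
    [pscustomobject]@{
        Thumbprint = $sig.SignerCertificate.Thumbprint   # SHA-1 of the cert, the value shown in the certificate dialog
        Subject    = $sig.SignerCertificate.Subject
        Issuer     = $sig.SignerCertificate.Issuer
        NotAfter   = $sig.SignerCertificate.NotAfter
        Status     = $sig.Status                          # Valid, NotTrusted, HashMismatch, ...
        Path       = $f.FullName
    }
}

# One summary line per certificate: how many binaries it signs and a few example paths.
# A thumbprint that covers more than the one application you meant to block is the
# BlueJeans case from the caution above and should not go into a blocklist unchecked.
$rows | Group-Object Thumbprint | Sort-Object Count -Descending | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Thumbprint = $_.Name
        Subject    = $first.Subject
        Files      = $_.Count
        Examples   = ($_.Group.Path | Select-Object -First 3) -join '; '
    }
} | Format-Table -AutoSize -Wrap

# Full per-file inventory for review or for building your own indicator list.
$rows | Export-Csv -Path $OutCsv -NoTypeInformation
```

Run it from an elevated prompt if the roots include folders the current user cannot read; the per-file CSV keeps the Status column so HashMismatch or NotTrusted signatures can be reviewed separately.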
As of 13/03/2023, certificates cannot be uploaded in bulk; however, domains, URLs and hashes can be:
From Defender, go to Settings at the bottom left:
Indicators, then Import. Note that it doesn't matter whether you are in the File Hash, Domain, IP or Cert tab:
Choose File, then hit Import, then hit Done. Note that duplicates are skipped, so you can keep adding to the existing CSV:
Work in progress:
https://github.com/jkerai1/SoftwareCertificates/tree/main/Manipulated%20Exes%20For%20Testing