Topic review

martin

Re: Detects executables signed with stolen, revoked or invalid certificate

@concernedcitizen: Thanks. But I still do not know what to report and whether it is even worth reporting. I only got the screenshot in the post above. I do not even know where it comes from. If you are concerned, please report it yourself. Thanks.
concernedcitizen

Re: Detects executables signed with stolen, revoked or invalid certificate

Others with similar detections have successfully reached out to ditekshen on https://github.com/ditekshen/detection/issues?q=is%3Aissue to get an explanation/fix of false detections for their software.
alexroz

Re: Detects executables signed with stolen, revoked or invalid certificate

@martin
Guest

Detects executables signed with stolen, revoked or invalid certificate

According to VirusTotal, WinSCP-5.19.6-Setup.exe is "signed with stolen, revoked or invalid certificate":
import "pe"

rule INDICATOR_KB_CERT_0232466dc95b40ec9d21d9329abfcd5d {
    meta:
         author = "ditekSHen"
         description = "Detects executables signed with stolen, revoked or invalid certificate"
         thumbprint = "fb845245cfbb0ee97e76c775348caa31d74bec4c"
    condition:
        // File starts with the "MZ" magic (DOS/PE executable)
        uint16(0) == 0x5a4d and
        // Any embedded signature whose subject and serial number match these values
        for any i in (0..pe.number_of_signatures): (
            pe.signatures[i].subject contains "Martin Prikryl" and
            pe.signatures[i].serial == "02:32:46:6d:c9:5b:40:ec:9d:21:d9:32:9a:bf:cd:5d"
        )
}

What does it mean?
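
A local triage check for this detection, as an added example that is not part of the original thread or of ditekSHen's rule set: the rule's condition only compares the signer's subject and serial number, so this script compares those values (and the thumbprint from the rule's `meta` section) with the file's signer certificate and also reports the signature status that Windows itself determines. The `$Path` parameter and the `ConvertTo-PlainHex` helper are names assumed for this example.

```powershell
# Added example: the three values below are copied from the rule quoted in this thread.
param(
    [Parameter(Mandatory)]
    [string]$Path   # path to the installer under review, e.g. WinSCP-5.19.6-Setup.exe
)

$ruleSubject    = 'Martin Prikryl'
$ruleSerial     = '02:32:46:6d:c9:5b:40:ec:9d:21:d9:32:9a:bf:cd:5d'
$ruleThumbprint = 'fb845245cfbb0ee97e76c775348caa31d74bec4c'

# Hypothetical helper: Windows reports serials and thumbprints as upper-case hex
# without separators, the rule uses lower-case hex with colons. Normalise both.
function ConvertTo-PlainHex([string]$Value) {
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$sig  = Get-AuthenticodeSignature -LiteralPath $Path
$cert = $sig.SignerCertificate

if ($null -eq $cert) {
    # Unsigned file, or the signature could not be read at all.
    Write-Output "No Authenticode signer certificate found (status: $($sig.Status))."
    return
}

[pscustomobject]@{
    File              = $Path
    Subject           = $cert.Subject
    Issuer            = $cert.Issuer
    NotBefore         = $cert.NotBefore
    NotAfter          = $cert.NotAfter
    # Same comparisons the rule's condition makes (case-sensitive substring, exact serial).
    SubjectMatches    = $cert.Subject.Contains($ruleSubject)
    SerialMatches     = (ConvertTo-PlainHex $cert.SerialNumber) -eq (ConvertTo-PlainHex $ruleSerial)
    # The thumbprint is only metadata in the rule, not part of its condition.
    ThumbprintMatches = (ConvertTo-PlainHex $cert.Thumbprint) -eq (ConvertTo-PlainHex $ruleThumbprint)
    # Result of Windows' own signature validation; the rule does not evaluate this.
    SignatureStatus   = $sig.Status
    StatusMessage     = $sig.StatusMessage
}
```

If `SubjectMatches` and `SerialMatches` are both true, the file is signed with the certificate the rule lists; `SignatureStatus` shows separately whether Windows currently accepts that signature.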