Decode SignInfoFlags
The query decodes SignInfoFlags from Windows process events to identify signature details and highlight unsigned or improperly signed executables.
EDRhunting
FDR · intermediate · by CrowdStrike (cql-hub.com) · 1 min read
Query
#event_simpleName=ProcessRollup2 UserSid=/^S-1-5-21-/ SignInfoFlags=*
| bitfield:extractFlags(
field=SignInfoFlags,
output=[
[0,SIGNATURE_FLAG_SELF_SIGNED],
[1,SIGNATURE_FLAG_MS_SIGNED],
[2,SIGNATURE_FLAG_TEST_SIGNED],
[3,SIGNATURE_FLAG_MS_CROSS_SIGNED],
[4,SIGNATURE_FLAG_CAT_SIGNED],
[5,SIGNATURE_FLAG_DRM_SIGNED],
[6,SIGNATURE_FLAG_DRM_TEST_SIGNED],
[7,SIGNATURE_FLAG_MS_CAT_SIGNED],
[8,SIGNATURE_FLAG_CATALOGS_RELOADED],
[9,SIGNATURE_FLAG_NO_SIGNATURE],
[10,SIGNATURE_FLAG_INVALID_SIGN_CHAIN],
[11,SIGNATURE_FLAG_SIGN_HASH_MISMATCH],
[12,SIGNATURE_FLAG_NO_CODE_KEY_USAGE],
[13,SIGNATURE_FLAG_NO_PAGE_HASHES],
[14,SIGNATURE_FLAG_FAILED_CERT_CHECK],
[15,SIGNATURE_FLAG_NO_EMBEDDED_CERT],
[16,SIGNATURE_FLAG_FAILED_COPY_KEYS],
[17,SIGNATURE_FLAG_UNKNOWN_ERROR],
[18,SIGNATURE_FLAG_HAS_VALID_SIGNATURE],
[19,SIGNATURE_FLAG_EMBEDDED_SIGNED],
[20,SIGNATURE_FLAG_3RD_PARTY_ROOT],
[21,SIGNATURE_FLAG_TRUSTED_BOOT_ROOT],
[22,SIGNATURE_FLAG_UEFI_ROOT],
[23,SIGNATURE_FLAG_PRS_WIN81_ROOT],
[24,SIGNATURE_FLAG_FLIGHT_ROOT],
[25,SIGNATURE_FLAG_APPLE_SIGNED],
[26,SIGNATURE_FLAG_ESBCACHE],
[27,SIGNATURE_FLAG_NO_CACHED_DATA],
[28,SIGNATURE_FLAG_CERT_EXPIRED],
[29,SIGNATURE_FLAG_CERT_REVOKED]
])
Explanation
Imported from cql-hub.com. Add the explanation of the pipes here.
Variables to adjust
Review and adjust the values for your environment.
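The following is an added example, not code from cql-hub.com or from CrowdStrike: it reproduces offline what `bitfield:extractFlags()` does in the query for one SignInfoFlags value, applies the same two filters the query uses (UserSid starting with S-1-5-21- and SignInfoFlags present), and classifies each process as unsigned, improperly signed, or validly signed. It assumes bit index 0 is the least significant bit of the integer, that SignInfoFlags may arrive as a decimal or 0x-prefixed hex string, and the set of flags treated as "improperly signed" is a choice made here from the names in the query, not a CrowdStrike definition. The sample events are constructed.

```python
import re

# Bit -> flag name, copied from the bitfield:extractFlags() output list in the query.
# Assumption: bit 0 is the least significant bit.
SIGNATURE_FLAGS = {
    0: "SIGNATURE_FLAG_SELF_SIGNED",
    1: "SIGNATURE_FLAG_MS_SIGNED",
    2: "SIGNATURE_FLAG_TEST_SIGNED",
    3: "SIGNATURE_FLAG_MS_CROSS_SIGNED",
    4: "SIGNATURE_FLAG_CAT_SIGNED",
    5: "SIGNATURE_FLAG_DRM_SIGNED",
    6: "SIGNATURE_FLAG_DRM_TEST_SIGNED",
    7: "SIGNATURE_FLAG_MS_CAT_SIGNED",
    8: "SIGNATURE_FLAG_CATALOGS_RELOADED",
    9: "SIGNATURE_FLAG_NO_SIGNATURE",
    10: "SIGNATURE_FLAG_INVALID_SIGN_CHAIN",
    11: "SIGNATURE_FLAG_SIGN_HASH_MISMATCH",
    12: "SIGNATURE_FLAG_NO_CODE_KEY_USAGE",
    13: "SIGNATURE_FLAG_NO_PAGE_HASHES",
    14: "SIGNATURE_FLAG_FAILED_CERT_CHECK",
    15: "SIGNATURE_FLAG_NO_EMBEDDED_CERT",
    16: "SIGNATURE_FLAG_FAILED_COPY_KEYS",
    17: "SIGNATURE_FLAG_UNKNOWN_ERROR",
    18: "SIGNATURE_FLAG_HAS_VALID_SIGNATURE",
    19: "SIGNATURE_FLAG_EMBEDDED_SIGNED",
    20: "SIGNATURE_FLAG_3RD_PARTY_ROOT",
    21: "SIGNATURE_FLAG_TRUSTED_BOOT_ROOT",
    22: "SIGNATURE_FLAG_UEFI_ROOT",
    23: "SIGNATURE_FLAG_PRS_WIN81_ROOT",
    24: "SIGNATURE_FLAG_FLIGHT_ROOT",
    25: "SIGNATURE_FLAG_APPLE_SIGNED",
    26: "SIGNATURE_FLAG_ESBCACHE",
    27: "SIGNATURE_FLAG_NO_CACHED_DATA",
    28: "SIGNATURE_FLAG_CERT_EXPIRED",
    29: "SIGNATURE_FLAG_CERT_REVOKED",
}

# Flags treated here as "improperly signed" (a local choice; tune per environment).
BAD_FLAGS = {
    "SIGNATURE_FLAG_SELF_SIGNED", "SIGNATURE_FLAG_TEST_SIGNED",
    "SIGNATURE_FLAG_NO_SIGNATURE", "SIGNATURE_FLAG_INVALID_SIGN_CHAIN",
    "SIGNATURE_FLAG_SIGN_HASH_MISMATCH", "SIGNATURE_FLAG_FAILED_CERT_CHECK",
    "SIGNATURE_FLAG_CERT_EXPIRED", "SIGNATURE_FLAG_CERT_REVOKED",
}

def parse_flags_value(raw):
    """Accept an int, a decimal string, or a 0x-prefixed hex string."""
    if isinstance(raw, int):
        return raw
    s = str(raw).strip()
    return int(s, 16) if s.lower().startswith("0x") else int(s, 10)

def extract_flags(raw):
    """Equivalent of bitfield:extractFlags(): names of all set bits, lowest bit first."""
    value = parse_flags_value(raw)
    return [name for bit, name in sorted(SIGNATURE_FLAGS.items()) if (value >> bit) & 1]

def classify(raw):
    flags = set(extract_flags(raw))
    if "SIGNATURE_FLAG_NO_SIGNATURE" in flags:
        return "unsigned"
    if flags & BAD_FLAGS:
        return "improperly_signed"
    if "SIGNATURE_FLAG_HAS_VALID_SIGNATURE" in flags:
        return "validly_signed"
    return "unknown"

# Constructed ProcessRollup2-style events (not real telemetry).
SAMPLE_EVENTS = [
    {"ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\notepad.exe",
     "UserSid": "S-1-5-21-1000-2000-3000-1001", "SignInfoFlags": "0xC0002"},
    {"ImageFileName": r"\Device\HarddiskVolume3\Users\alice\Downloads\tool.exe",
     "UserSid": "S-1-5-21-1000-2000-3000-1001", "SignInfoFlags": "512"},
    {"ImageFileName": r"\Device\HarddiskVolume3\Temp\updater.exe",
     "UserSid": "S-1-5-21-1000-2000-3000-1001", "SignInfoFlags": 268697600},
    {"ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\svchost.exe",
     "UserSid": "S-1-5-18", "SignInfoFlags": "512"},  # dropped by the SID filter
]

def triage(events):
    """Apply the query's filters, then keep only processes that are not validly signed."""
    results = []
    for ev in events:
        if not re.match(r"^S-1-5-21-", ev.get("UserSid", "")):
            continue  # UserSid=/^S-1-5-21-/
        if ev.get("SignInfoFlags") in (None, ""):
            continue  # SignInfoFlags=* requires the field to be present
        verdict = classify(ev["SignInfoFlags"])
        if verdict != "validly_signed":
            results.append((ev["ImageFileName"], verdict, extract_flags(ev["SignInfoFlags"])))
    return results

if __name__ == "__main__":
    for image, verdict, flags in triage(SAMPLE_EVENTS):
        print(f"{verdict:18} {image}  {','.join(flags)}")
```

The `0xC0002` sample decodes to bits 1, 18 and 19 (MS_SIGNED, HAS_VALID_SIGNATURE, EMBEDDED_SIGNED) and is dropped as validly signed; `512` is bit 9 alone (NO_SIGNATURE); `268697600` is bits 18 and 28, a signature whose certificate has since expired, which is why the classifier checks the bad-flag set before trusting HAS_VALID_SIGNATURE. The SID prefix keeps local and domain user accounts and drops well-known service SIDs such as S-1-5-18 (Local System), which is the same narrowing the query performs.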