# general

William Guilherme

02/12/2021, 5:15 PM
Hi #general I am looking to build a query that can verify the chain of a certificate installed on the machine to verify it's a corporate asset. These are the two queries I've built, but I am not too sure it will achieve its purpose, which is to inspect the entire chain of certificates. Any assistance is appreciated.
SELECT common_name, issuer, strftime('%d/%m/%Y', datetime(not_valid_after, 'unixepoch')) AS expiration_date FROM certificates WHERE path = 'CurrentUser\Trusted Root Certification Authorities' ORDER BY common_name;
SELECT common_name FROM certificates WHERE common_name IN ('SGIO Test Root CA - G2', 'SGIO Root CA G2', 'SGIO Basic Assurance CA2', 'SGIO Basic Assurance CA2 G2', 'SGIO Basic Assurance CA G2');

theopolis

02/12/2021, 7:28 PM
Heads up that this does not verify anything; it would only ever let you know if a certificate with those properties exists on the machine.
I want to be sensitive that there are no security guarantees from reporting certificates from a certificate store.