Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
w
William Guilherme
02/12/2021, 5:15 PMHi #general I am looking to build a query that can verify the chain of a certificate installed on the machine to verify it's a corporate asset. These are the two queries I've built, but I am not too sure it will achieve its purpose, which is to inspect the entire chain of certificates. Any assistance is appreciated.
SELECT common_name, issuer, strftime('%d/m/%Y', datetime(not_valid_after, 'unixepoc')) as expiration_date FROM certificates WHERE path = "CurrentUser\Trusted Root Certification Authorities" ORDER BY common_name;SELECT common_name FROM certificates WHERE common_name IN ('SGIO Test Root CA - G2' OR common_name = 'SGIO Root CA G2' OR common_name = 'SGIO Basic Assurance CA2' OR common_name = 'SGIO Basic Assurance CA2 G2' OR common_name = 'SGIO Basic Assurance CA G2');t
theopolis
02/12/2021, 7:28 PMHeads up that this does not verify anything, it would only ever let you know if a certificate with those properties exists on the machine.
I want to be sensitive that there are no security guarantees from reporting certificates from a certificate store.