Windows.Forensics.CertUtil v Windows.Detection.CryptnetUrlCache #1732
Replies: 2 comments
The detection actually is a whitelist that's checking for certificate headers. It also has a size option so you can search with size instead if you like. The goal was exactly what you suggested: finding anomalies as opposed to looking for binaries. It should also detect scripts assuming they are not prefixed with one of the headers 😄 The main benefit from the forensics is it leverages our binary parser and parses entries. We can look at merging the two as I think I wrote the detection prior to knowing about binary parser.
Yeah I think that's how it went too - they both have great functionality but if you want to merge them together then I'll gladly throw some stuff against them. They look like complementary approaches so ideally it would just be one rationalised artifact that does all the things (since we run both anyways). Something I need to test is how it goes identifying other executable formats (particularly scripts) which is why it may be better off not having the filter for MZ but rather the "show me everything that isn't one of the formats we expect".
Doing an evaluation of these two artefacts and they have quite a lot of crossover.
Would likely be worth merging them together and having a multicell notebook as output.
I'm thinking there should be one that shows the parsed data from the metadata folder, then another one filtered down for the allowlist to highlight any suspicious entries, and a third that does the file sig/magic/header analysis and highlights any entries specifically that aren't certificates or whatever the other file that typically is in there. (Currently the detection artifact has the check for MZ headers, but you could just as easily have bat/ps1s in there and that would get missed. Would likely be better to display anything that's more unique - could even have a fourth cell that has a count per file signature.)
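The allowlist approach discussed in this thread (flag every cache entry whose header is not one of the formats you expect, rather than hunting for MZ only, plus a count per file signature) can be prototyped outside Velociraptor. The following is an added example written for this discussion, not code from the Velociraptor project or from either artifact. It builds a temporary folder of constructed sample files with hex-style names in place of a real CryptnetUrlCache content directory, classifies each entry by leading bytes and, for DER, by whether the outer ASN.1 SEQUENCE length matches the file size, and reports everything that is not DER or PEM. The file names, sample contents and category labels are all assumptions made for the example.

```python
import os
import tempfile
from collections import Counter

# Formats we expect in the cache: certificates, CRLs, OCSP responses and PKCS#7
# blobs are DER-encoded ASN.1 SEQUENCEs; PEM is the only other benign form.
EXPECTED = {"PEM", "DER ASN.1 sequence"}


def der_sequence_length(data: bytes):
    """Return the total length a well-formed DER SEQUENCE header claims, or None.

    A DER SEQUENCE is tag 0x30 followed by a short-form (< 0x80) or long-form
    (0x80 | n, then n big-endian length bytes) length. Checking the claimed
    length against the file size is stricter than matching two magic bytes.
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                        # short form: one length byte
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """Name the format of a cache entry from its header and structure."""
    if not data:
        return "empty"
    if data.startswith(b"-----BEGIN"):
        return "PEM"
    if der_sequence_length(data) == len(data):
        return "DER ASN.1 sequence"
    if data.startswith(b"MZ"):
        return "PE executable (MZ)"
    if data.startswith(b"#!"):
        return "script (shebang)"
    if data.startswith(b"\xef\xbb\xbf"):
        return "UTF-8 BOM text"
    try:
        data.decode("ascii")                # .bat/.ps1 style content has no magic
        return "plain text"
    except UnicodeDecodeError:
        return "unknown binary"


def scan_folder(folder: str):
    """Classify every file in folder.

    Returns (per-file classification, Counter per signature, sorted list of
    files whose format is not in EXPECTED). The Counter is the "fourth cell"
    from the thread; the last list is the allowlist-filtered view.
    """
    results = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                results[name] = classify(fh.read())   # cache entries are small
    counts = Counter(results.values())
    suspicious = [n for n, kind in results.items() if kind not in EXPECTED]
    return results, counts, suspicious


def build_sample_folder() -> str:
    """Create a temp folder of constructed samples standing in for the cache."""
    folder = tempfile.mkdtemp(prefix="cryptnet_sample_")
    body = b"\x00" * 300                                # fake certificate body
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body   # 4 + 300 bytes
    samples = {                                          # names are made up
        "A1B2": der,
        "C3D4": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
        "E5F6": b"MZ\x90\x00" + b"\x00" * 60,             # PE stub, no real code
        "0718": b"@echo off\r\necho test\r\n",           # batch-style text
        "9A0B": b"#!/bin/sh\necho test\n",
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)
    return folder


if __name__ == "__main__":
    results, counts, suspicious = scan_folder(build_sample_folder())
    for name, kind in results.items():
        print(f"{name}: {kind}")
    print("counts per signature:", dict(counts))
    print("not in allowlist:", suspicious)
```

Because the DER check compares the claimed SEQUENCE length with the file size, a truncated or padded DER blob is not accepted as a certificate but falls through to "unknown binary" and is listed, which is the behaviour you want from an allowlist: anything the parser cannot positively vouch for is surfaced.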