Logic to generate Authenticode Hashes

[MattWhite-personal]

Hi, I've discovered this project after hunting around the web to try and solve a problem.

My current AppLocker policies have caused some issues with execution of legitimate code and whilst I can run these in Audit mode I need to restore normal operation.

Move away from AppLocker to WDAC or App control for business isn't viable right now (but on our roadmap).

I've realised I can pull almost all the relevant info to restore 'good' config from our MDE logs but I can't work out how to build an Authenticode SHA256 hash from what is there.

Publisher rules I can get from DeviceEvents and file hashes from DeviceFileEvents but this is just the raw sha256 hash of the file and not the Authenticode version that would be needed for a new policy.

Is this something your MDE analysis can generate and are you able to shed some light on how I can build this into what I may need to remediate?

[HotCakeX]

Hi,
The MDE Advanced Hunting data provides 4 types of hashes for each file, Flat file hash SHA1/SHA2-256 and same ones for Authenticode. So in the MDE Advanced Hunting page they are displayed as SHA1 hash and SHA256 hash in the columns. You can export the data to JSON too which is a feature I added in the last version.

You can also calculate Authenticode hashes for files using the Get Code Integrity Hashes, it can calculate SHA1, SHA2 and even SHA3 Authenticode hashes.

[MattWhite-personal]

I need to download the code and check it out. Are you able to turn the Authenticode data that's in the additional fields of the Advanced Hunting into the SHA 256 hash that's needed for AppLocker or do you need access to the original file itself?

[HotCakeX]

Yes, additional fields have the Authenticode hash values. AppControl Manager displays them in the SHA1 and SHA256 columns for you. You can use them in your AppLocker policy.

The original file itself is only needed if you want to re-calculate its hashes.