Sigcheck
How to verify file signatures using Sigcheck from the SysInternals Suite?
Last updated
SigCheck is a command-line tool from the SysInternals Suite that scans PE files and verifies whether they are signed. Most malware found in the wild is unsigned, but keep in mind that advanced malware has made use of stolen certificates. SigCheck also includes an option to check file hashes against .
Unsigned files in legitimate paths such as \System32 should be investigated.
V2.90
General output of information to the command line, including signature verification, publisher information, entropy, hashes, VirusTotal detections, etc.
Scans the specified directory for executable files. Results are then written to a CSV file.
Additional parameters: -tv and -tuv list all trusted root certificates that were not explicitly trusted by Microsoft. This is a good way to identify a cloned root certificate that the machine trusts as a Microsoft root.
Before running SigCheck against a suspect victim machine acquired via forensic imaging, the machine's digital signature catalog must be copied to the analysis machine. Without this, SigCheck will be unable to verify most of the signed files from the image.
Copy the signature folders from the victim machine image to your analysis machine:
\C\Windows\System32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
Change the GUID in the folder name so that it does not conflict with the analysis machine's own digital signature catalog store. Move the two renamed folders to the corresponding location on the analysis machine, for example:
\C\Windows\System32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295E9}
Open Services.msc, find the "Cryptographic Services" service and restart it.
SigCheck may now be run against the collected victim image.
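The staging procedure above and the "investigate unsigned files in \System32" triage, carried out in PowerShell as an added example that is not part of the original page. It assumes the forensic image is mounted read-only at E:\, that sigcheck64.exe is on the PATH, that the session is elevated, and that the Sigcheck CSV column names used in the triage step (Path, Verified, Publisher, SHA256) match your Sigcheck version's output.

```powershell
# Added example (not from the original page): stage the victim image's catalog store on
# the analysis machine, restart Cryptographic Services, then run Sigcheck over the image.
# Assumptions (not stated on the page): the image is mounted read-only at E:\, sigcheck64.exe
# is on PATH, and this runs in an elevated PowerShell session.
$ImageRoot = 'E:\'
$VictimCat = Join-Path $ImageRoot 'Windows\System32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}'
# Destination uses the renamed GUID from the page so it does not collide with the host's own store.
$AnalysisCat = 'C:\Windows\System32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295E9}'

# 1. Copy the victim catalog folder under the renamed GUID (skip if already staged).
if (-not (Test-Path -Path $AnalysisCat)) {
    Copy-Item -Path $VictimCat -Destination $AnalysisCat -Recurse
}

# 2. Restart Cryptographic Services (service name CryptSvc) so the new catalogs are loaded.
Restart-Service -Name CryptSvc

# 3. Scan the image's System32 recursively (-s), executables only (-e), with hashes (-h),
#    writing CSV (-c) to a case file. -accepteula and -nobanner keep the output clean.
$CaseDir = 'C:\Cases'                                   # assumed case directory
New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null
$Csv = Join-Path $CaseDir 'case01-sigcheck.csv'
$Target = Join-Path $ImageRoot 'Windows\System32'
& sigcheck64.exe -accepteula -nobanner -s -e -h -c $Target | Out-File -Encoding utf8 -FilePath $Csv

# 4. Triage: list executables the staged catalogs could not verify as signed.
#    Column names are assumed to match Sigcheck's CSV header; check them against your output.
$All = @(Import-Csv -Path $Csv)
$Unverified = @($All | Where-Object { $_.Verified -ne 'Signed' })
$Unverified | Select-Object Path, Verified, Publisher, SHA256 | Sort-Object Path | Format-Table -AutoSize
"{0} of {1} executables in {2} not verified as signed" -f $Unverified.Count, $All.Count, $Target
```

If the unverified count is unexpectedly high, the catalog folders were most likely not picked up; confirm they sit under CatRoot with the renamed GUID and that CryptSvc actually restarted.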