Update: Sigcheck v2.4, Sysmon v3.2, Process Explorer v16.1, Autoruns v13.51, AccessChk v6.01
This update to Sigcheck, a powerful command-line utility that reports image file and signing information, as well as information on certificates, now has an option that will report any certificates installed on the system that do not chain to one of the certificates in the Microsoft certificate trust list (CTL). It also adds the ability to take image information captured from Sigcheck on a system disconnected from the Internet and obtain VirusTotal status from one that’s connected.
This release of Sysmon, a background service that logs security-relevant process and network activity to the Windows event log, now has the option of logging raw disk and volume accesses, operations commonly performed by malicious toolkits to read information by bypassing higher-level security features. Thanks to David Magnotti for the contribution.
Process Explorer v16.1
Process Explorer now includes a column in the handle view that reports the text version of handle access masks, as well as several bug fixes including one that would result in the suspension of .NET threads when viewed via the stack dialog.
This release of Autoruns, a comprehensive autostart entry manager, fixes a WMI command-line parsing bug, emits a UNICODE BOM in the file generated when saving results to a text file, and adds back the ability to selectively verify the signing status of individual entries.
This release of AccessChk, a command-line utility that reports effective and actual access for many different object types including files, registry keys, and services, now handles accounts with long names, fixes a bug that prevented reporting of kernel object accesses when run elevated, and fixes the inadvertent creation of a registry key when querying a non-existent key.