Hunting Self-signed Certificates

Self-signed certificates can be an indicator of malicious activity on a system, and being able to identify them is a key task when responding to an incident. Having self-signed certificates in an environment isn't always a bad thing, but not being able to identify them and explain their purpose is! PowerShell makes the search straightforward: the Cert: PSDrive exposes every certificate store for the current user and the local machine as a browsable tree. The tell-tale sign of a self-signed certificate is that its issuer and subject are the same. Keep in mind that this alone does not make a certificate suspicious: a root CA certificate is self-signed by definition, and a CA may also issue a certificate to itself to support key rollover or a change in certificate policy, so every hit still needs to be matched against what you expect to find in that store.

# Walk every store under Cert:; the store containers themselves have no Subject, so the null check drops them
Get-ChildItem Cert:\ -Recurse | Where-Object { $_.Subject -ne $null } | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object NotBefore, NotAfter, Subject, Issuer | Out-GridView
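The one-liner above is enough to list the candidates, but on a real host most hits will be legitimate trust anchors in the Root and AuthRoot stores. The following is an added example, not code from the original post or its author's GitHub, that builds on the same Subject-equals-Issuer test and adds the context a responder wants for triage: which location and store the certificate lives in, whether a private key is present, and whether the Authority Key Identifier matches the Subject Key Identifier (a second self-issuance signal). The function names, the list of stores treated as expected homes for self-signed certificates, and the "Suspicious" heuristic are assumptions for illustration and should be tuned to your environment.

```powershell
# Added example, not from the original post. Requires Windows PowerShell / PowerShell on Windows
# (the Cert: drive is provided by the Microsoft.PowerShell.Security module).

function Get-KeyIdentifier {
    # Returns the hex key identifier carried in the SKI (2.5.29.14) or AKI (2.5.29.35) extension, or $null if absent.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
    if ($null -eq $ext) { return $null }
    # Format($false) gives the CryptoAPI text form: SKI is bare hex, AKI is "KeyID=..." optionally followed by issuer/serial
    $text = $ext.Format($false)
    if ($text -match 'KeyID=([0-9a-fA-F ]+)') { $text = $Matches[1] }
    return (($text -replace '[^0-9a-fA-F]', '').ToUpperInvariant())
}

function Find-SelfSignedCertificate {
    [CmdletBinding()]
    param(
        # Stores where self-signed certificates are expected (trust anchors). Assumption: adjust for your environment.
        [string[]]$ExpectedStores = @('Root', 'AuthRoot')
    )
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        # Drop the location and store containers; keep only actual certificates
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object { $_.Subject -eq $_.Issuer } |
        ForEach-Object {
            $cert = $_
            # PSParentPath looks like "Microsoft.PowerShell.Security\Certificate::LocalMachine\Root"
            $path = $cert.PSParentPath -replace '^.*Certificate::', ''
            $location, $store = $path -split '\\', 2
            $ski = Get-KeyIdentifier -Cert $cert -Oid '2.5.29.14'
            $aki = Get-KeyIdentifier -Cert $cert -Oid '2.5.29.35'
            [pscustomobject]@{
                Location      = $location
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotBefore     = $cert.NotBefore
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                # AKI equal to SKI means the certificate names its own key as its signer
                KeyIdMatch    = ($null -ne $ski -and $null -ne $aki -and $ski -eq $aki)
                # Heuristic (assumption): a self-signed cert outside the trust-anchor stores, or one whose
                # private key is on this box, is worth looking at first
                Suspicious    = ($ExpectedStores -notcontains $store) -or $cert.HasPrivateKey
            }
        }
}

# Usage: most suspicious first, in the same grid view as the one-liner
Find-SelfSignedCertificate | Sort-Object Suspicious, NotBefore -Descending | Out-GridView -Title 'Self-signed certificates'
```

Expect benign hits here too, for example the machine's Remote Desktop certificate or a developer's IIS Express certificate in the Personal (My) store, both of which are self-signed and carry a private key. The value of the extra columns is that you can compare thumbprints against a known-good baseline from a clean host and explain each remaining entry, which is the gap the original one-liner leaves open.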

This and other PowerShell scripts can be found on my GitHub.