How to Detect Changes in User and Local Machine Certificate Stores in Real Time Using PowerShell
Violet edited this page Dec 13, 2023 · 2 revisions
Here is a PowerShell script that displays changes in the User and Local Machine certificate stores in real time. It takes a snapshot of both stores, polls them every 3 seconds, and prints every certificate that was added or removed since the previous snapshot. It requires PowerShell 7.3 or later and must run elevated so that it can read every LocalMachine store. Because it polls, a certificate that is added and removed again within one 3-second interval is not seen, and nothing is recorded while the script is not running, so treat it as a live monitor rather than an audit trail. The script is published to the PowerShell Gallery and you can install it using the following command:

```powershell
Install-Script -Name Certificates-Change-Detection -Force
```
```powershell
#Requires -RunAsAdministrator
#Requires -Version 7.3
# Custom colors
[scriptblock]$WritePink = { Write-Output "$($PSStyle.Foreground.FromRGB(255,192,203))$($PSStyle.Blink)$($args[0])$($PSStyle.Reset)" }
[scriptblock]$WriteMintGreen = { Write-Output "$($PSStyle.Foreground.FromRGB(152,255,152))$($PSStyle.Blink)$($args[0])$($PSStyle.Reset)" }
# Properties displayed for every added or removed certificate
$CertProperties = 'PSPath', 'EnhancedKeyUsageList', 'DnsNameList', 'SendAsTrustedIssuer', 'FriendlyName', 'HasPrivateKey', 'NotAfter', 'NotBefore', 'SerialNumber', 'Thumbprint', 'Issuer', 'Subject'
# Compare two snapshots of one location and display every certificate that was added or removed
function Show-CertificateChanges {
    param ($Reference, $Difference, [string]$Location)
    # Key on store path + thumbprint so the same certificate sitting in two stores is tracked per store,
    # and pass the original objects through so they can be formatted in full
    $Changes = Compare-Object -ReferenceObject $Reference -DifferenceObject $Difference -Property PSPath, Thumbprint -PassThru
    foreach ($Cert in $Changes) {
        # '=>' means the item exists only in the newer snapshot (added); '<=' only in the older one (removed)
        if ($Cert.SideIndicator -eq '=>') {
            &$WritePink "Certificate Added to $Location at $(Get-Date -Format 'MM/dd/yyyy HH:mm:ss K')"
            $PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(255,192,203))"
        }
        else {
            &$WriteMintGreen "Certificate Removed from $Location at $(Get-Date -Format 'MM/dd/yyyy HH:mm:ss K')"
            $PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(152,255,152))"
        }
        $Cert | Format-List -Property $CertProperties
    }
}
# Take the initial snapshot of both locations
$InitialLocal = Get-ChildItem Cert:\LocalMachine\* -Recurse
$InitialUser = Get-ChildItem Cert:\CurrentUser\* -Recurse
# Poll indefinitely
while ($true) {
    # Take the current snapshot of both locations
    $CurrentLocal = Get-ChildItem Cert:\LocalMachine\* -Recurse
    $CurrentUser = Get-ChildItem Cert:\CurrentUser\* -Recurse
    Show-CertificateChanges -Reference $InitialLocal -Difference $CurrentLocal -Location 'LocalMachine'
    Show-CertificateChanges -Reference $InitialUser -Difference $CurrentUser -Location 'CurrentUser'
    # The current snapshot becomes the reference for the next iteration
    $InitialLocal = $CurrentLocal
    $InitialUser = $CurrentUser
    # Wait for 3 seconds before polling again
    Start-Sleep -Seconds 3
}
```
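The same snapshot-and-diff idea also works without a continuously running process: write a baseline of the store to disk, then diff a fresh snapshot against it later (after a reboot, a software install, or a suspected compromise). The following is an added example, not part of the page's script or the Harden-Windows-Security project; the function names, the JSON layout and the `TrustAnchor` flag are this example's own choices. The flag exists because a new entry in `Root` or `AuthRoot` is a new trust anchor for everything on the machine, which is the change most worth alerting on.

```powershell
#Requires -Version 7.3
# Added example (not the page's script): snapshot a certificate location to a JSON baseline
# and report what was added or removed since. Function names are illustrative.

function Get-CertStoreSnapshot {
    param (
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string]$Location = 'LocalMachine'
    )
    # Get-ChildItem also returns the store containers themselves; keep only certificates
    Get-ChildItem -Path "Cert:\$Location" -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            [PSCustomObject]@{
                # PSParentPath looks like "...\Certificate::LocalMachine\Root"; keep the part after "::"
                Store         = ($_.PSParentPath -split '::')[-1]
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                NotAfter      = $_.NotAfter.ToString('o')
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

function Export-CertStoreBaseline {
    param (
        [Parameter(Mandatory)][string]$Path,
        [string]$Location = 'LocalMachine'
    )
    # -InputObject @(...) guarantees a JSON array even for zero or one certificate
    ConvertTo-Json -InputObject @(Get-CertStoreSnapshot -Location $Location) -Depth 3 |
        Set-Content -Path $Path -Encoding utf8
}

function Compare-CertStoreBaseline {
    param (
        [Parameter(Mandatory)][string]$Path,
        [string]$Location = 'LocalMachine'
    )
    $Baseline = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    $Current  = @(Get-CertStoreSnapshot -Location $Location)
    # Key on Store + Thumbprint: the same certificate may legitimately live in several stores,
    # and moving it from CA to Root is a trust change even though the thumbprint is unchanged
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property Store, Thumbprint -PassThru |
        ForEach-Object {
            [PSCustomObject]@{
                Change      = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Store       = $_.Store
                Thumbprint  = $_.Thumbprint
                Subject     = $_.Subject
                Issuer      = $_.Issuer
                # New or removed entries in Root/AuthRoot change the machine's trust anchors
                TrustAnchor = $_.Store -match '\\(Root|AuthRoot)$'
            }
        }
}

# Usage (run elevated to read every LocalMachine store):
#   Export-CertStoreBaseline -Path 'C:\Baselines\lm-certs.json'
#   ... later ...
#   Compare-CertStoreBaseline -Path 'C:\Baselines\lm-certs.json' | Where-Object TrustAnchor | Format-Table
```

Keep the baseline file somewhere the monitored machine's users, and any process that could plant a certificate, cannot rewrite it (a read-only share, a different host, or at least a path only the administrator account can modify); a baseline that an attacker can update alongside the store detects nothing. Run the comparison for `CurrentUser` as well: a standard user can add certificates to their own stores without administrative rights, so a per-user trust change never shows up in the `LocalMachine` diff.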