The DASCLI certfind command displays all files on the endpoint that are associated with a certificate.

You can list the files associated with a specified certificate ID or certificate hash, or list all files whose certificate is invalid.

Authentication is required to use this command.

Parameters

dascli certfind certificate_ID | hash | invalid

certificate_ID
ID of the certificate, which can be found by issuing the certificates command.
hash
Hash identifier of the certificate, which is available from the certificate store on the endpoint.
invalid
Display all files with an invalid certificate.

Output

For each file associated with a certificate, this command provides the following information. This is the same information as that provided by the find command.
  • Hash type, whether SHA-256, MD5, or SHA-1.
  • Hash information, which applies to all local instances of the file.
  • Certificate details, if signed.
  • Name information, which is details on the individual named instance of the file.
  • Approval reasons, if any are available.
  • Kernel information for the state of the file as determined in the filter driver.
  • YARA classifications for the file.

If the specified certificate is widely used (or if you use the invalid option), this command can return a very large amount of data. To make reviewing the output easier, redirect the result to a text file, for example: dascli certfind invalid > C:\tmp\invalid_certs.txt