Certificates-Change-Detection.ps1
<#PSScriptInfo
.VERSION 1.0 .GUID 70755b7f-5b96-4332-a212-3102d8c17b9b .AUTHOR HotCakeX .COMPANYNAME SpyNetGirl .COPYRIGHT Violet Hansen .TAGS Certificates, Windows .LICENSEURI https://github.com/HotCakeX/Harden-Windows-Security/blob/main/LICENSE .PROJECTURI .ICONURI .EXTERNALMODULEDEPENDENCIES .REQUIREDSCRIPTS .EXTERNALSCRIPTDEPENDENCIES .RELEASENOTES .PRIVATEDATA #> <# .DESCRIPTION You can run this script and while it's running it will display any changes to the Users or local machine certificate stores in real time #> #Requires -RunAsAdministrator #Requires -Version 7.3 # Custom colors [scriptblock]$WritePink = { Write-Output "$($PSStyle.Foreground.FromRGB(255,192,203))$($PSStyle.Blink)$($args[0])$($PSStyle.Reset)" } [scriptblock]$WriteMintGreen = { Write-Output "$($PSStyle.Foreground.FromRGB(152,255,152))$($PSStyle.Blink)$($args[0])$($PSStyle.Reset)" } # Create variables to store the initial certificates for both locations $InitialLocal = Get-ChildItem Cert:\LocalMachine\* -Recurse $InitialUser = Get-ChildItem Cert:\CurrentUser\* -Recurse # Create a loop that runs indefinitely while ($true) { # Create variables to store the current certificates for both locations $CurrentLocal = Get-ChildItem Cert:\LocalMachine\* -Recurse $CurrentUser = Get-ChildItem Cert:\CurrentUser\* -Recurse # Compare the variables and check if there is any difference in certificates for LocalMachine $DifferenceLocal = Compare-Object $InitialLocal $CurrentLocal # Compare the variables and check if there is any difference in certificates for CurrentUser $DifferenceUser = Compare-Object $InitialUser $CurrentUser # If there is any difference in certificates for LocalMachine, display it and update the initial variable if ($DifferenceLocal) { foreach ($Diff in $DifferenceLocal) { # Check if the change is an addition or a removal based on the side indicator if ($Diff.SideIndicator -eq '=>') { &$WritePink "Certificate Added to LocalMachine at $(Get-Date -Format 'MM/dd/yyyy HH:mm:ss K')" $PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(255,192,203))" $Diff.InputObject | Format-List -Property PSPath, EnhancedKeyUsageList, DnsNameList, SendAsTrustedIssuer, FriendlyName, HasPrivateKey, NotAfter, NotBefore, SerialNumber, Thumbprint, Issuer, Subject } elseif ($Diff.SideIndicator -eq '<=') { &$WriteMintGreen "Certificate Removed from LocalMachine at $(Get-Date -Format 'MM/dd/yyyy HH:mm:ss K')" $PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(152,255,152))" $Diff.InputObject | Format-List -Property PSPath, EnhancedKeyUsageList, DnsNameList, SendAsTrustedIssuer, FriendlyName, HasPrivateKey, NotAfter, NotBefore, SerialNumber, Thumbprint, Issuer, Subject } } $InitialLocal = $CurrentLocal } # If there is any difference in certificates for CurrentUser, display it and update the initial variable if ($DifferenceUser) { foreach ($Diff in $DifferenceUser) { # Check if the change is an addition or a removal based on the side indicator if ($Diff.SideIndicator -eq '=>') { &$WritePink "Certificate Added to CurrentUser at $(Get-Date -Format 'MM/dd/yyyy HH:mm:ss K')" $PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(255,192,203))" $Diff.InputObject | Format-List -Property PSPath, EnhancedKeyUsageList, DnsNameList, SendAsTrustedIssuer, FriendlyName, HasPrivateKey, NotAfter, NotBefore, SerialNumber, Thumbprint, Issuer, Subject } elseif ($Diff.SideIndicator -eq '<=') { &$WriteMintGreen "Certificate Removed from CurrentUser at $(Get-Date -Format 'MM/dd/yyyy HH:mm:ss K')" $PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(152,255,152))" $Diff.InputObject | Format-List -Property PSPath, EnhancedKeyUsageList, DnsNameList, SendAsTrustedIssuer, FriendlyName, HasPrivateKey, NotAfter, NotBefore, SerialNumber, Thumbprint, Issuer, Subject } } $InitialUser = $CurrentUser } # Wait for 3 seconds before repeating the loop Start-Sleep -Seconds 3 } |