This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi,
We are working on some security analytics based on Sysmon logs. Sysmon Event ID 1 (process creation) include a field named "Company" which seems to be the signer of the executable being used by the process.
We would need to know how trustable the value in this field is: is it actually based on the code signing certificate used for the executable? If so, is the certificate validated?
Thanks in advance to everyone, have a nice day!
Since I received no answer I tested this myself. Company field is taken from the executable metadata, as Version and other similar fields are. Therefore, it is not even minimally reliable, since anyone can manipulate it with basic resources.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 35%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Sorry to hear you are disappointed. I think I might have been to person to ask for this feature and was thrilled to have it mainly for asset management purposes. I would assume that the hash of the image would change if the meta were tampered with. I know a significant number of developers fail to populate this meta. I have a feeling fewer developers bother to sign code.
Normally I receive notifications of new q&a entries and would have responded to this particular topic based on my experience with it. I didn’t receive a notification for either your question or answer which is anomalous.