Using the Cert Graveyard

Summary: This post shares some key ways to leverage the Cert Graveyard database, along with usage statistics and the options for supporting my work.

If you aren’t familiar with Cert Graveyard, I’ve described it in depth elsewhere: it is a public database for documenting abused code-signing certificates. We’ve reported and documented 2,400 unique certificates at the time of this writing.

But what ways can the data be used?

Recommended ways to use Cert Graveyard

  1. MagicSword: MagicSword is a console for managing Windows Defender Access Control (WDAC) across an enterprise, and it has built-in functionality to block abused drivers, remote management tools, and files signed with abused code-signing certificates from the Cert Graveyard.
    • MagicSword is the only tool I’m aware of which leverages the database for preventing execution of the signed malware. If you use my affiliate link it also supports Cert Graveyard.
  2. RSS and Atom feeds: Cert Graveyard RSS and Atom feeds are freely available.
    • These feeds contain the core details of each abused certificate. The real value is the certificate serial number: the Cert Graveyard generally records only one example malware hash per code-signing certificate, so the serial number is what lets you identify any other malware signed with that certificate.
    • Note: I’ve formatted the serial numbers with a space between bytes so that Threat Intel Platforms and other services can distinguish them from other formats. Please let me know if any other formatting changes would be useful.
  3. Hunting on certificates: leveraging the database to hunt across systems.
    • KQL Queries by SecurityAura: this repository contains KQL queries that hunt for files signed with certificates in the Cert Graveyard. The queries can be adapted to the search languages of other EDR platforms.
    • Certgraveyard_YARA by TJNel: this repository generates YARA rules for every certificate in the Cert Graveyard and includes our metadata. Its limitation is that it only detects PE files.
  4. Using the API: When you log into Cert Graveyard, you receive an API key which can be used without limitation.
    • Basic instructions on using the API are available at https://certgraveyard.org/api_docs. The core lookup function finds entries in the database by their attributes. Look-ups by serial number are recommended, because threat actors have been able to acquire certificates issued to organizations that also hold legitimate certificates (for example, Lenovo and Kingston Technologies).
  5. Downloading the database: the whole database can be downloaded from an unauthenticated endpoint, "https://certgraveyard.org/api/download_csv".
    • The database is updated only a few times a day, but the download gives you all the data so you can decide how best to use it.
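A small example, added here and not part of the Cert Graveyard project, of the serial-number lookup recommended above: it canonicalizes serials so the space-separated graveyard format matches the colon-separated or 0x-prefixed forms that EDR and openssl output emit, indexes a constructed CSV (the column names are an assumption, not the real export schema), and sweeps a list of observed signer serials for matches.

```python
import csv
import io
import re

# Constructed sample in the shape of a CSV export. Column names are assumed
# for this example only; they are not the real Cert Graveyard schema.
SAMPLE_CSV = """\
serial_number,subject,issuer,example_sha256,notes
0a 1b 2c 3d 4e 5f 60 71,Example Widgets Ltd,Example CA,<constructed-hash-1>,info stealer
ff ee dd cc bb aa 99 88,Acme Drivers Inc,Example CA,<constructed-hash-2>,abused driver signer
"""


def normalize_serial(serial: str) -> str:
    """Canonicalize a certificate serial so that Cert Graveyard's
    space-separated bytes, openssl/EDR colon-separated bytes, 0x-prefixed hex
    and mixed case all compare equal. Leading zero bytes (which some tools keep
    and others drop) are stripped, then the value is padded to whole bytes."""
    s = serial.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    s = re.sub(r"[\s:\-]", "", s)
    if not re.fullmatch(r"[0-9a-f]+", s):
        raise ValueError(f"not a hex serial: {serial!r}")
    s = s.lstrip("0") or "0"
    if len(s) % 2:
        s = "0" + s
    return s


def load_index(csv_text: str) -> dict:
    """Build a serial -> row index from the CSV text."""
    return {normalize_serial(row["serial_number"]): row
            for row in csv.DictReader(io.StringIO(csv_text))}


def lookup(index: dict, serial: str):
    """Return the graveyard row for a serial in any common format, or None."""
    return index.get(normalize_serial(serial))


def triage_signers(index: dict, observed) -> list:
    """observed: iterable of (filename, signer_serial) pairs, e.g. an EDR export.
    Returns (filename, row) for every file signed with a graveyard certificate;
    unparseable serials are skipped so one bad record does not abort the sweep."""
    hits = []
    for name, serial in observed:
        try:
            row = lookup(index, serial)
        except ValueError:
            continue
        if row is not None:
            hits.append((name, row))
    return hits
```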

Is Cert Graveyard something you or your team are using? If so, I’d love to hear more and learn whether there are ways it can be improved to meet your team’s needs. If you have tools that can be shared with other teams, I’d love to know about them.

Usage statistics from June 2026

I recently received an email from my hosting provider telling me I was nearing my 500GB/mo bandwidth allowance. This surprised me: was Cert Graveyard really providing users 500 GB of data?

In May 2025, Cert Graveyard experienced a DDoS attack: 85.51 million requests were sent to Cert Graveyard, 82.9 million of which were mitigated, but Cert Graveyard still received 2.45 million requests, resulting in 400 GB of data transfer over a few minutes. Was something similar happening?

Image: May 2025 graph of traffic to Cert Graveyard. Skip indicates allowed traffic.

No, it wasn’t another DDoS. Instead, my service was serving an average of 600MB to users every hour.

Image: Graph from my service provider. The flat-line at the end was due to infrastructure changes I made to prevent costs.

Looking at the data from another vantage point, we see that in 14 days the Cert Graveyard received 174k requests to download the database. The database download is just 1.5MB in size, but that size adds up.

Image: Graph from my service provider sorted just to show requests to the download_csv API endpoint.

In addition to the database downloads, Cert Graveyard receives 70k certificate look-ups to the database per day, totaling 80k+ with the downloads. Over 14 days? 1.3 million requests.

Image: Graph from my service provider showing all API requests.

Approximately 40k/day look-ups come from MalwareBazaar: this lookup allows users to see from MalwareBazaar’s sample page that the code-signing cert is in the Cert Graveyard blocklist.

Image: MalwareBazaar entry for 1d3bcced2467d17e2be347629e1aae5ad919c0cf850932eef0fff74fc3ea0f03 showing the certificate being in Cert Graveyard.

Building for the future

During the writing of this blog, I’ve optimized the download of the database—substantially reducing potential costs. Continuing to optimize how resources are used will be essential to ensure the service remains available to everyone in the future.

If your organization finds value in the Cert Graveyard or has come to rely on it, please consider contributing a one-time or recurring donation. These donations can be made directly through Stripe, Ko-fi, or GitHub sponsors here: https://certgraveyard.org/sponsor

Donations are received by Rogue Authority LLC, a business established to sustain Cert Graveyard and similar projects into the future. Contributing will help cover Cert Graveyard’s hosting and infrastructure costs, and will also help us dedicate time and resources to building out and maintaining other projects.

Squiblydoo’s other projects

  • Debloat is a malware analysis tool that removes junk data added to binaries to artificially increase their size. It is trusted by CERT Polska, Canada’s CCCS, and IntelOwl, and is built into their malware analysis pipelines.
  • tkinterdnd2 – though not originally a Squiblydoo project, I am the active maintainer of this critical library, which is downloaded 8k or more times per day. The library is a wrapper that adds easy drag-and-drop functionality to tkinter GUI projects. Though fairly simple, this project helps many programmers add this core functionality to their applications.
  • PKILab – PKI Lab functions as a sub tool of the Cert Graveyard. It helps explain the structure of certificates.

If you’ve benefited from these projects and would love to support me in continuing their support and development, please contribute through one of the sponsor options.
