Attempt to Install Root Certificate
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.
Elastic rule
[metadata]
creation_date = "2021/01/13"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command
and control servers. Root certificates are used in public key cryptography to identify a root certificate authority
(CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of
trust that have been signed by the root certificate.
"""
false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."]
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Install Root Certificate"
references = ["https://ss64.com/osx/security-cert.html"]
risk_score = 47
rule_id = "bc1eeacf-2972-434f-b782-3a532b100d67"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:macos and event.type:(start or process_started) and
    process.name:security and process.args:"add-trusted-cert" and
    not process.parent.executable:("/Library/Bitdefender/AVP/product/bin/BDCoreIssues" or "/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp"
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Attempt to Install Root Certificate

Root certificates are pivotal in establishing trust within public key infrastructures, enabling secure communications by verifying the authenticity of digital certificates. Adversaries exploit this by installing unauthorized root certificates on compromised macOS systems, thereby bypassing security warnings and facilitating covert command and control communications. The detection rule identifies such activities by monitoring specific process executions related to certificate management, excluding known legitimate applications, thus highlighting potential malicious attempts to subvert trust controls.

### Possible investigation steps

- Review the process execution details to confirm the presence of the "security" process with the "add-trusted-cert" argument, as this indicates an attempt to add a root certificate.
- Check the parent process of the suspicious activity to ensure it is not one of the known legitimate applications, such as Bitdefender, as specified in the exclusion list.
- Investigate the user account associated with the process execution to determine if it is a legitimate user or potentially compromised.
- Examine recent system logs and network activity for any signs of unauthorized access or communication with known malicious command and control servers.
- Assess the system for any other indicators of compromise or unusual behavior that may suggest further malicious activity beyond the root certificate installation attempt.

### False positive analysis

- Security software installations or updates may trigger the rule as they often involve legitimate root certificate installations. Users can handle this by adding exceptions for known security software paths, such as Bitdefender, to prevent unnecessary alerts.
- System administrators performing routine maintenance or updates might install root certificates as part of their tasks. To mitigate this, create exceptions for processes executed by trusted admin accounts or during scheduled maintenance windows.
- Some enterprise applications may require the installation of root certificates for internal communications. Identify these applications and exclude their processes from the rule to avoid false positives.
- Development environments on macOS systems might involve testing with self-signed certificates, which could trigger the rule. Developers can be instructed to use designated test environments or have their processes excluded during development phases.

### Response and remediation

- Immediately isolate the affected macOS system from the network to prevent further unauthorized communications and potential data exfiltration.
- Revoke any unauthorized root certificates installed on the system by accessing the Keychain Access application and removing the suspicious certificates from the System Roots keychain.
- Conduct a thorough review of system logs and process execution history to identify any additional unauthorized changes or suspicious activities that may have occurred alongside the root certificate installation.
- Restore the system to a known good state using backups or system snapshots taken prior to the compromise, ensuring that any malicious changes are reverted.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems in the network may be affected.
- Implement enhanced monitoring and alerting for similar activities by refining detection capabilities to include additional indicators of compromise (IOCs) related to unauthorized certificate installations.
- Review and update security policies and configurations to prevent unauthorized certificate installations, such as enforcing stricter access controls and requiring administrative approval for certificate management actions."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1553"
name = "Subvert Trust Controls"
reference = "https://attack.mitre.org/techniques/T1553/"
[[rule.threat.technique.subtechnique]]
id = "T1553.004"
name = "Install Root Certificate"
reference = "https://attack.mitre.org/techniques/T1553/004/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
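To make the query's matching logic concrete, here is an added Python re-implementation of the rule's KQL conditions (not Elastic's code) run over constructed ECS-style process events; the parent-executable allowlist is copied from the rule, while the sample events and the `_BASE`, `matches_rule` and `alerting_events` names are assumptions for this example.

```python
# Added example, not code from the Elastic rule: a Python re-implementation of the
# rule's KQL matching logic, run over constructed ECS-style process events.
from typing import Any, Dict, List

# Parent executables the rule excludes (copied from the rule's query).
EXCLUDED_PARENTS = {
    "/Library/Bitdefender/AVP/product/bin/BDCoreIssues",
    "/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp",
}

def _as_list(value: Any) -> List[Any]:
    """ECS fields may be scalar or array-valued; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def matches_rule(event: Dict[str, Any]) -> bool:
    """True when a flattened ECS event satisfies the rule's query: a process start on
    macOS by `security` with an `add-trusted-cert` argument and a non-allowlisted parent."""
    if "process" not in _as_list(event.get("event.category")):
        return False
    if event.get("host.os.type") != "macos":
        return False
    if not {"start", "process_started"} & set(_as_list(event.get("event.type"))):
        return False
    if event.get("process.name") != "security":
        return False
    # KQL on an array-valued keyword field matches when any element equals the term.
    if "add-trusted-cert" not in _as_list(event.get("process.args")):
        return False
    return event.get("process.parent.executable") not in EXCLUDED_PARENTS

def alerting_events(events: List[Dict[str, Any]]) -> List[int]:
    """Indices of the events that would raise this rule's alert."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

# Constructed sample telemetry (not real data); base fields shared by all three events.
_BASE = {"event.category": ["process"], "event.type": ["start"],
         "host.os.type": "macos", "process.name": "security"}
SAMPLE_EVENTS = [
    # Shell-spawned trust-store change: this is what the rule is meant to catch.
    {**_BASE, "process.parent.executable": "/bin/zsh",
     "process.args": ["security", "add-trusted-cert", "-d", "/tmp/ca.crt"]},
    # Same command under a known security product installer: allowlisted parent.
    {**_BASE, "process.parent.executable": "/Library/Bitdefender/AVP/product/bin/BDCoreIssues",
     "process.args": ["security", "add-trusted-cert", "-d", "/tmp/bd.crt"]},
    # Same binary, benign subcommand: the argument filter keeps it quiet.
    {**_BASE, "process.parent.executable": "/bin/zsh",
     "process.args": ["security", "list-keychains"]},
]
```

Only the first sample event alerts; note that the rule keys on the argument and parent path, so a renamed copy of the `security` binary would not match `process.name:security`, which is a known limit of name-based rules.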