Attempt to Install Root Certificate
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/13"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command
13and control servers. Root certificates are used in public key cryptography to identify a root certificate authority
14(CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of
15trust that have been signed by the root certificate.
16"""
17false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."]
18from = "now-9m"
19index = ["auditbeat-*", "logs-endpoint.events.*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "Attempt to Install Root Certificate"
23references = ["https://ss64.com/osx/security-cert.html"]
24risk_score = 47
25rule_id = "bc1eeacf-2972-434f-b782-3a532b100d67"
26severity = "medium"
27tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32event.category:process and host.os.type:macos and event.type:(start or process_started) and
33 process.name:security and process.args:"add-trusted-cert" and
34 not process.parent.executable:("/Library/Bitdefender/AVP/product/bin/BDCoreIssues" or "/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp"
35)
36'''
37
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41[[rule.threat.technique]]
42id = "T1553"
43name = "Subvert Trust Controls"
44reference = "https://attack.mitre.org/techniques/T1553/"
45[[rule.threat.technique.subtechnique]]
46id = "T1553.004"
47name = "Install Root Certificate"
48reference = "https://attack.mitre.org/techniques/T1553/004/"
49
50
51
52[rule.threat.tactic]
53id = "TA0005"
54name = "Defense Evasion"
55reference = "https://attack.mitre.org/tactics/TA0005/"
References
-
add-trusted-cert [-d] [-r resultType] [-p policy] [-a appPath] [-s policyString] [-e allowedError] [-u keyUsage] [-k keychain] [-i settingsFileIn] [-o settingsFileOut] [-D] certFile Add certificate...
Read More
Related rules
- Attempt to Disable Gatekeeper
- Attempt to Remove File Quarantine Attribute
- Attempt to Unload Elastic Endpoint Security Kernel Extension
- Creation of Hidden Launch Agent or Daemon
- Elastic Agent Service Terminated