Install Root Certificate
Detects the installation of a new certificate into the system trust store, which attackers may use to suppress TLS warnings when their victims connect to web servers or C2 infrastructure under attacker control.
Sigma rule

```yaml
title: Install Root Certificate
id: 78a80655-a51e-4669-bc6b-e9d206a462ee
status: test
description: Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: Ömer Günal, oscd.community
date: 2020-10-05
modified: 2022-07-07
tags:
    - attack.defense-evasion
    - attack.t1553.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/update-ca-certificates'
            - '/update-ca-trust'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
```
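The following is an added example, not part of the rule or the Sigma project: it applies the rule's `Image|endswith` selection to a handful of constructed Linux process_creation events and attaches a triage hint for the documented "legitimate administration" false positive. The package-manager parent list and the field names (`Image`, `CommandLine`, `ParentImage`) are assumptions of this example.

```python
# Added example: evaluates this rule's selection over constructed Linux
# process_creation events. Field names follow Sigma's process_creation
# taxonomy; the parent-process triage hint is an assumption of this example.

ROOT_CA_TOOL_SUFFIXES = ("/update-ca-certificates", "/update-ca-trust")

# Assumed parents that re-run the trust-store tools during package updates;
# used only to label the rule's documented "legitimate administration" case.
PACKAGE_MANAGER_PARENTS = ("/usr/bin/dpkg", "/usr/bin/apt-get", "/usr/bin/rpm", "/usr/bin/dnf")


def matches_rule(event: dict) -> bool:
    """Sigma: Image|endswith any listed suffix; condition: selection."""
    image = event.get("Image") or ""
    return any(image.endswith(suffix) for suffix in ROOT_CA_TOOL_SUFFIXES)


def evaluate(events: list) -> list:
    """Return one alert per matching event, tagged with the rule's level
    and a triage hint derived from the parent process."""
    alerts = []
    for event in events:
        if not matches_rule(event):
            continue
        parent = event.get("ParentImage") or ""
        if parent in PACKAGE_MANAGER_PARENTS:
            hint = "likely package update (documented false positive)"
        else:
            hint = "review: trust store changed outside package management"
        alerts.append({
            "rule": "Install Root Certificate",
            "level": "low",
            "Image": event["Image"],
            "CommandLine": event.get("CommandLine", ""),
            "ParentImage": parent,
            "triage": hint,
        })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/update-ca-certificates", "CommandLine": "update-ca-certificates", "ParentImage": "/usr/bin/dpkg"},
    {"Image": "/usr/bin/update-ca-trust", "CommandLine": "update-ca-trust extract", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/curl", "CommandLine": "curl -sS https://example.invalid/", "ParentImage": "/bin/bash"},
    # The suffix match is exact: a differently named file is outside this rule's scope.
    {"Image": "/tmp/update-ca-certificates.sh", "CommandLine": "sh update-ca-certificates.sh", "ParentImage": "/bin/bash"},
]

ALERTS = evaluate(SAMPLE_EVENTS)
```

Running the block yields two low-level alerts: the dpkg-spawned one carries the false-positive hint, while the interactive `update-ca-trust extract` is flagged for review.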
Related rules
- Cisco Crypto Commands
- New Root Certificate Installed Via CertMgr.EXE
- New Root Certificate Installed Via Certutil.EXE
- Root Certificate Installed - PowerShell
- Root Certificate Installed From Susp Locations