New Root Certificate Installed Via CertMgr.EXE

calendar Mar 5, 2023 · attack.defense_evasion attack.t1553.004  ·
Share on: linkedin copy

Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Sigma rule (View on GitHub)

 1title: New Root Certificate Installed Via CertMgr.EXE
 2id: ff992eac-6449-4c60-8c1d-91c9722a1d48
 3related:
 4    - id: 42821614-9264-4761-acfc-5772c3286f76
 5      type: derived
 6    - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
 7      type: obsoletes
 8status: test
 9description: |
10    Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
11    Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.    
12references:
13    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
14    - https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/
15author: oscd.community, @redcanary, Zach Stanford @svch0st
16date: 2023/03/05
17tags:
18    - attack.defense_evasion
19    - attack.t1553.004
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
25    selection_img:
26        - Image|endswith: '\CertMgr.exe'
27        - OriginalFileName: 'CERTMGT.EXE'
28    selection_cli:
29        CommandLine|contains|all:
30            - '/add'
31            - 'root'
32    condition: all of selection_*
33falsepositives:
34    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
35level: medium

References

Related rules

to-top