New Root Certificate Installed Via Certutil.EXE

Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Sigma rule (View on GitHub)

 1title: New Root Certificate Installed Via Certutil.EXE
 2id: d2125259-ddea-4c1c-9c22-977eb5b29cf0
 3related:
 4    - id: 42821614-9264-4761-acfc-5772c3286f76
 5      type: derived
 6    - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
 7      type: obsolete
 8status: test
 9description: |
10    Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
11    Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.    
12references:
13    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
14author: oscd.community, @redcanary, Zach Stanford @svch0st
15date: 2023-03-05
16modified: 2024-03-05
17tags:
18    - attack.defense-evasion
19    - attack.t1553.004
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    # Example: certutil -addstore -f -user ROOT CertificateFileName.der
25    selection_img:
26        - Image|endswith: '\certutil.exe'
27        - OriginalFileName: 'CertUtil.exe'
28    selection_cli_add:
29        CommandLine|contains|windash: '-addstore'
30    selection_cli_store:
31        CommandLine|contains: 'root'
32    condition: all of selection_*
33falsepositives:
34    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
35level: medium

References

Related rules

to-top