New Root Certificate Installed Via Certutil.EXE
Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Sigma rule
```yaml
title: New Root Certificate Installed Via Certutil.EXE
id: d2125259-ddea-4c1c-9c22-977eb5b29cf0
related:
    - id: 42821614-9264-4761-acfc-5772c3286f76
      type: derived
    - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
      type: obsolete
status: test
description: |
    Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
    Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
modified: 2024-03-05
tags:
    - attack.defense-evasion
    - attack.t1553.004
logsource:
    category: process_creation
    product: windows
detection:
    # Example: certutil -addstore -f -user ROOT CertificateFileName.der
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli_add:
        CommandLine|contains|windash: '-addstore'
    selection_cli_store:
        CommandLine|contains: 'root'
    condition: all of selection_*
falsepositives:
    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
```
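To make the rule's three selections concrete, here is an added Python evaluator (not part of the Sigma rule or of the Sigma project) that applies the same logic to a handful of constructed `process_creation` events. It assumes Sigma's default case-insensitive string matching and assumes that the `windash` modifier expands the leading `-` into `-`, `/`, en dash and em dash; confirm the exact expansion against the backend you convert the rule with. The sample events are constructed, not real telemetry, and include one line where `root` appears only inside a file path, which shows why `CommandLine|contains: 'root'` is a plain substring test and can fire on a non-ROOT store.

```python
"""Stand-alone evaluator for the three selections of
'New Root Certificate Installed Via Certutil.EXE' (added example)."""

# Assumed expansion of Sigma's `windash` modifier: the dash in the search
# value is permuted into the separators Windows tools accept.
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014")  # -, /, en dash, em dash


def windash_patterns(value: str) -> list:
    """Return every dash permutation of a value that starts with '-'."""
    if not value.startswith("-"):
        raise ValueError("windash example expects a value with a leading dash")
    return [variant + value[1:] for variant in WINDASH_VARIANTS]


def selection_img(event: dict) -> bool:
    """A list under a selection is OR: either field is enough. Sigma matching is case-insensitive."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\certutil.exe") or original == "certutil.exe"


def selection_cli_add(event: dict) -> bool:
    """CommandLine|contains|windash: '-addstore'"""
    cmd = event.get("CommandLine", "").lower()
    return any(pattern in cmd for pattern in windash_patterns("-addstore"))


def selection_cli_store(event: dict) -> bool:
    """CommandLine|contains: 'root' -- a substring test, so 'ROOT', 'Root' and
    'root' inside a path all match."""
    return "root" in event.get("CommandLine", "").lower()


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli_add(event) and selection_cli_store(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -addstore -f -user ROOT CertificateFileName.der"},  # the rule's own example
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil /addstore Root C:\Temp\ca.cer"},  # slash form, caught by windash
    {"Image": r"C:\Temp\cu.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"cu.exe -addstore root ca.cer"},  # renamed binary, caught by OriginalFileName
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -addstore My C:\Users\root\user.cer"},  # 'root' only in a path: still fires
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -addstore My C:\Users\bob\user.cer"},  # personal store, no 'root'
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -verify -urlfetch cert.cer"},  # no addstore at all
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Return one True/False per event, in order."""
    return [matches(event) for event in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("ALERT" if hit else "     ", event["CommandLine"])
```

The fourth event is the one to look at when tuning: the rule alerts although the target store is `My`, because the path contains `root`. If that shows up as noise in your environment, a tighter `selection_cli_store` (for example matching the store name token rather than any substring) is the place to adjust, while keeping the `OriginalFileName` branch so a renamed `certutil.exe` is still covered.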
Related rules
- Cisco Crypto Commands
- Install Root Certificate
- New Root Certificate Installed Via CertMgr.EXE
- Root Certificate Installed - PowerShell
- Root Certificate Installed From Susp Locations