Root Certificate Installed From Susp Locations

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Sigma rule

title: Root Certificate Installed From Susp Locations
id: 5f6a601c-2ecb-498b-9c33-660362323afa
status: test
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
    - https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/09/09
modified: 2023/01/16
tags:
    - attack.defense_evasion
    - attack.t1553.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'Import-Certificate'
            - ' -FilePath '
            - 'Cert:\LocalMachine\Root'
        CommandLine|contains:
            - '\AppData\Local\Temp\'
            - ':\Windows\TEMP\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Perflogs\'
            - ':\Users\Public\'
    condition: selection
falsepositives:
    - Unlikely
level: high
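The following Python is an added example, not part of this page or of the Sigma project's own matching engine. It reproduces the `selection` block above (the `contains|all` list AND the `contains` list, both evaluated case-insensitively as Sigma string modifiers are) and runs it over a few constructed process_creation events, so a detection engineer can see which command lines fire and which do not. The event dictionaries, their field names other than `CommandLine`, and every sample command line are constructed for illustration.

```python
"""Evaluate the 'Root Certificate Installed From Susp Locations' selection
over constructed Windows process_creation events (added example)."""

# Substrings copied from the rule's CommandLine|contains|all list.
ROOT_IMPORT_ALL_OF = [
    "Import-Certificate",
    " -FilePath ",
    "Cert:\\LocalMachine\\Root",
]

# Substrings copied from the rule's CommandLine|contains list.
SUSPICIOUS_PATH_ANY_OF = [
    "\\AppData\\Local\\Temp\\",
    ":\\Windows\\TEMP\\",
    "\\Desktop\\",
    "\\Downloads\\",
    "\\Perflogs\\",
    ":\\Users\\Public\\",
]


def contains_all(value, needles):
    """Sigma 'contains|all': every needle occurs, case-insensitively."""
    haystack = value.lower()
    return all(n.lower() in haystack for n in needles)


def contains_any(value, needles):
    """Sigma 'contains' with a list: at least one needle occurs, case-insensitively."""
    haystack = value.lower()
    return any(n.lower() in haystack for n in needles)


def matches_rule(event):
    """True when the event satisfies 'condition: selection'.

    Both sub-selections live under the same 'selection' key, so Sigma
    joins them with AND. Field names other than CommandLine are assumed.
    """
    if event.get("product") != "windows" or event.get("category") != "process_creation":
        return False
    cmd = event.get("CommandLine", "")
    return contains_all(cmd, ROOT_IMPORT_ALL_OF) and contains_any(cmd, SUSPICIOUS_PATH_ANY_OF)


def evaluate(events):
    """Return the indexes of events that would raise this alert."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {   # 0: root-store import from a public user directory -> alert
        "product": "windows", "category": "process_creation", "host": "WS01",
        "CommandLine": "powershell.exe Import-Certificate -FilePath C:\\Users\\Public\\root.cer "
                       "-CertStoreLocation Cert:\\LocalMachine\\Root",
    },
    {   # 1: same cmdlet, but the file sits in an admin-managed PKI path -> no alert
        "product": "windows", "category": "process_creation", "host": "WS02",
        "CommandLine": "powershell.exe Import-Certificate -FilePath C:\\ProgramData\\PKI\\corp-root.cer "
                       "-CertStoreLocation Cert:\\LocalMachine\\Root",
    },
    {   # 2: suspicious path, but the target is the user's personal store, not LocalMachine\Root -> no alert
        "product": "windows", "category": "process_creation", "host": "WS03",
        "CommandLine": "powershell.exe Import-Certificate -FilePath C:\\Users\\alice\\Downloads\\site.cer "
                       "-CertStoreLocation Cert:\\CurrentUser\\My",
    },
    {   # 3: lower-cased store path from the Windows TEMP directory -> still alerts (case-insensitive)
        "product": "windows", "category": "process_creation", "host": "WS04",
        "CommandLine": "powershell.exe import-certificate -filepath C:\\Windows\\TEMP\\ca.cer "
                       "-certstorelocation cert:\\localmachine\\root",
    },
]

if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"ALERT host={SAMPLE_EVENTS[i]['host']} cmd={SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 1 and 2 show the two ways a root-certificate import falls outside the rule: a file path that is not in one of the listed staging directories, or a store other than `Cert:\LocalMachine\Root`. Event 3 shows why the matching must be case-insensitive; a case-sensitive port of this rule to a SIEM would miss it.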
