New Root or CA or AuthRoot Certificate to Store

Detects the addition of new root, CA or AuthRoot certificates to the Windows registry

Sigma rule (View on GitHub)

 1title: New Root or CA or AuthRoot Certificate to Store
 2id: d223b46b-5621-4037-88fe-fda32eead684
 3status: test
 4description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
 7    - https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
 8author: frack113
 9date: 2022/04/04
10modified: 2023/08/17
11tags:
12    - attack.impact
13    - attack.t1490
14logsource:
15    category: registry_set
16    product: windows
17detection:
18    selection:
19        TargetObject|contains:
20            - '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\'
21            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\'
22            - '\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\'
23            - '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
24            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
25            - '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
26            - '\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\'
27            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
28            - '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
29        TargetObject|endswith: '\Blob'
30        Details: 'Binary Data'
31    condition: selection
32falsepositives:
33    - Unknown
34level: medium

References

Related rules

to-top