Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Cisco Crypto Commands
Show when private keys are being exported from the device, or when new certificates are installed
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Detects installation of a new certificate on the system, which attackers may use to avoid warnings when connecting to controlled web servers or C2s.