LoFP LoFP / t1553

t1553

TitleTags
certain applications may install root certificates for the purpose of inspecting ssl traffic.
false positives will be limited to a legitimate business applicating consistently adding new root certificates to the endpoint. filter by user, process, or thumbprint.
files that are interacted with that have these extensions legitimately
help desk or it may need to manually add a corporate root ca on occasion. need to test if gpo push doesn't trigger fp
legitimate activities
legitimate administration activities
legitimate administrative script
legitimate powershell scripts
legitimate sip being registered by the os or different software.
legitimate usage of sdelete
not commonly run by administrators. also whitelist your known good certificates
there may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. in such cases, this will typically be done on a large number of systems.
unlikely