LoFP / administrators or third party utilities may use leverage certutil in order to add a root certificate to the store. filter as needed or restrict to critical assets on the perimeter.

Techniques

• T1587.003

Sample rules

Windows Certutil Root Certificate Addition

• source: splunk
• technicques:
  • T1587.003

Description

The following analytic detects the use of certutil.exe to add a certificate to the Root certificate store using the “-addstore” flag. In this case, the certificate is loaded from a temporary file path (e.g., %TEMP%) or other uncommon locations (e.g. C:\Users\Public\), which is highly suspicious and uncommon in legitimate administrative activity. This behavior may indicate an adversary is installing a malicious root certificate to intercept HTTPS traffic, impersonate trusted entities, or bypass security controls. The use of flags such as -f (force) and -Enterprise, combined with loading .tmp files from user-writable locations, is consistent with post-exploitation activity seen in credential theft and adversary-in-the-middle (AiTM) attacks. This should be investigated immediately, especially if correlated with unauthorized privilege use or prior certificate modifications. You should monitor when new certificates are added to the root store because this store is what your system uses to decide which websites, apps, and software can be trusted. If an attacker manages to add their own certificate there, they can silently intercept encrypted traffic, impersonate trusted websites, or make malicious programs look safe. This means they could steal sensitive data, bypass security tools, and keep access to your system even after other malware is removed.

Detection logic

| tstats `security_content_summariesonly` 
  count min(_time) as firstTime 
  max(_time) as lastTime
  values(Processes.process) as process 
from datamodel=Endpoint.Processes where 
`process_certutil` 
Processes.process=*-addstore* 
Processes.process=*root*
Processes.process IN (
      "*:\\PerfLogs\\*",
      "*:\\Windows\\Temp\\*",
      "*\\AppData\\Local\\Temp\\*",
      "*\\ProgramData\\*",
      "*\\Users\\Public\\*",
      "*%AppData%*",
      "*%Public%*",
      "*%Temp%*",
      "*%tmp%*"
      )
by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec 
   Processes.parent_process_guid Processes.parent_process_id 
   Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid 
   Processes.process_hash Processes.process_id Processes.process_integrity_level 
   Processes.process_name Processes.process_path Processes.user 
   Processes.user_id Processes.vendor_product 

| `drop_dm_object_name("Processes")`

| `security_content_ctime(firstTime)` 

|`security_content_ctime(lastTime)` 

| `windows_certutil_root_certificate_addition_filter`