Techniques
Sample rules
Creation or Modification of Root Certificate
- source: elastic
- techniques:
- T1553
Description
Identifies the creation or modification of a local trusted root certificate in Windows. Installing a malicious root certificate would allow an attacker to pass off malicious files as validly signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.
Detection logic
registry where host.os.type == "windows" and event.type == "change" and registry.value : "Blob" and
registry.path :
(
"HKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"HKLM\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
"HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
"\\REGISTRY\\MACHINE\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"\\REGISTRY\\MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
"\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
"MACHINE\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
"MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob"
) and
not process.executable : (
"?:\\ProgramData\\Lenovo\\Vantage\\Addins\\LenovoHardwareScanAddin\\*\\LdeApi.Server.exe",
"?:\\ProgramData\\Logishrd\\LogiOptionsPlus\\Plugins\\64\\certmgr.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MpDefenderCoreService.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
"?:\\ProgramData\\Quest\\KACE\\modules\\clientidentifier\\clientidentifier.exe",
"?:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\sophos_autoupdate1.dir\\SophosUpdate.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Program Files\\*.exe",
"?:\\Windows\\CCM\\CcmExec.exe",
"?:\\Windows\\ccmsetup\\cache\\ccmsetup.exe",
"?:\\Windows\\Cluster\\clussvc.exe",
"?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
"?:\\Windows\\Lenovo\\ImController\\PluginHost86\\Lenovo.Modern.ImController.PluginHost.Device.exe",
"?:\\Windows\\Lenovo\\ImController\\Service\\Lenovo.Modern.ImController.exe",
"?:\\Windows\\Sysmon.exe",
"?:\\Windows\\Sysmon64.exe",
"?:\\Windows\\System32\\*.exe",
"?:\\Windows\\SysWOW64\\*.exe",
"?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe",
"?:\\Windows\\WinSxS\\*.exe"
)
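As an added illustration (not part of Elastic's rule set), a small Python evaluator that applies the registry rule above to constructed events, showing which of them fire and how the broad process allow-list suppresses a write made by a System32 binary. The field names follow ECS as used in the rule; the wildcard semantics and the treatment of missing fields are an approximation of EQL's `:` operator, not Elastic's engine.

```python
import fnmatch

# Watched value paths, rebuilt from the rule: three registry root spellings x two hives x two
# stores. The '*' stands for the certificate thumbprint subkey.
_PREFIXES = ("HKLM\\", "\\REGISTRY\\MACHINE\\", "MACHINE\\")
_HIVES = ("Software\\Microsoft\\", "Software\\Policies\\Microsoft\\")
WATCHED_PATHS = [f"{p}{h}SystemCertificates\\{s}\\Certificates\\*\\Blob"
                 for p in _PREFIXES for h in _HIVES for s in ("Root", "AuthRoot")]

# Subset of the rule's process exclusions; '?:' matches any drive letter.
EXCLUDED_EXECUTABLES = [
    "?:\\Program Files (x86)\\*.exe",
    "?:\\Program Files\\*.exe",
    "?:\\Windows\\System32\\*.exe",
    "?:\\Windows\\SysWOW64\\*.exe",
]

def wildcard_match(value, patterns):
    """Approximates EQL ':': case-insensitive glob where '*' and '?' are wildcards."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def rule_matches(event):
    """True when a flat ECS-style event satisfies the registry rule (missing fields count as empty)."""
    if event.get("event.category") != "registry" or event.get("host.os.type") != "windows":
        return False
    if event.get("event.type") != "change" or not wildcard_match(event.get("registry.value", ""), ["Blob"]):
        return False
    if not wildcard_match(event.get("registry.path", ""), WATCHED_PATHS):
        return False
    # The allow-list is broad: any .exe under System32, SysWOW64 or Program Files is suppressed.
    return not wildcard_match(event.get("process.executable", ""), EXCLUDED_EXECUTABLES)

def _event(path, exe, event_type="change"):
    return {"event.category": "registry", "event.type": event_type, "host.os.type": "windows",
            "registry.path": path, "registry.value": "Blob", "process.executable": exe}

# Constructed sample events (not real telemetry); the thumbprint subkey is a placeholder.
_THUMB = "0123456789ABCDEF0123456789ABCDEF01234567"
_ROOT = f"HKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\{_THUMB}\\Blob"
_CA = f"HKLM\\Software\\Microsoft\\SystemCertificates\\CA\\Certificates\\{_THUMB}\\Blob"
_TEMP_EXE = "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"
SAMPLE_EVENTS = [
    _event(_ROOT, _TEMP_EXE),                              # fires: installer run from the user's Temp
    _event(_ROOT, "C:\\Windows\\System32\\certutil.exe"),  # suppressed by the System32 exclusion
    _event(_CA, _TEMP_EXE),                                # intermediate CA store is not watched
    _event(_ROOT, _TEMP_EXE, event_type="deletion"),       # not a change event
]

def evaluate(events=SAMPLE_EVENTS):
    """Evaluate the rule over each event; for SAMPLE_EVENTS this gives [True, False, False, False]."""
    return [rule_matches(e) for e in events]
```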
Attempt to Install Root Certificate
- source: elastic
- techniques:
- T1553
Description
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root’s chain of trust that have been signed by the root certificate.
Detection logic
event.category:process and host.os.type:macos and event.type:(start or process_started) and
process.name:security and process.args:"add-trusted-cert" and
not process.parent.executable:("/Library/Bitdefender/AVP/product/bin/BDCoreIssues" or "/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp"
)