LoFP / false positives will be limited to a legitimate business applicating consistently adding new root certificates to the endpoint. filter by user, process, or thumbprint.

Techniques

• T1553
• T1553.004

Sample rules

Windows Registry Certificate Added

• source: splunk
• technicques:
  • T1553.004
  • T1553

Description

The following analytic identifies installation of a root CA certificate by monitoring the registry. The base paths may be found here. In short, there are specific certificate registry paths that will be written to (SetValue) when a new certificate is added. The high-fidelity events to pay attention to are SetValue events where the TargetObject property ends with “<THUMBPRINT_VALUE>\Blob” as this indicates the direct installation or modification of a root certificate binary blob. The other high fidelity reference will be which process is making the registry modifications. There are very few processes that modify these day to day, therefore monitoring for all to start (hunting) provides a great beginning.

Detection logic

| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\certificates\\*") AND Registry.registry_value_name="Blob" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_registry_certificate_added_filter`