Techniques
Sample rules
New Root Certificate Installed Via CertMgr.EXE
- source: sigma
- techniques:
- t1553
- t1553.004
Description
Detects execution of “certmgr” with the “add” flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
    - /add
    - root
selection_img:
  - Image|endswith: \CertMgr.exe
  - OriginalFileName: CERTMGT.EXE
New Root Certificate Installed Via Certutil.EXE
- source: sigma
- techniques:
- t1553
- t1553.004
Description
Detects execution of “certutil” with the “addstore” flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Detection logic
condition: all of selection_*
selection_cli_add:
  CommandLine|contains|windash: -addstore
selection_cli_store:
  CommandLine|contains: root
selection_img:
  - Image|endswith: \certutil.exe
  - OriginalFileName: CertUtil.exe
Root Certificate Installed - PowerShell
- source: sigma
- techniques:
- t1553
- t1553.004
Description
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Detection logic
condition: 1 of selection*
selection1:
  ScriptBlockText|contains|all:
    - Move-Item
    - Cert:\LocalMachine\Root
selection2:
  ScriptBlockText|contains|all:
    - Import-Certificate
    - Cert:\LocalMachine\Root
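The three rules above share a small set of Sigma string modifiers (contains, contains|all, contains|windash, endswith, plain equality) and two condition shapes (all of selection_*, 1 of selection*). The following Python evaluator is an added example, not code from the Sigma project or from the rule authors: it implements those modifiers by hand (case-insensitive, as Sigma matches by default; windash expanded to "-", "/" and the Unicode dash variants) and runs each rule over a handful of constructed process-creation and PowerShell script-block events. Event field names follow the rules (CommandLine, Image, OriginalFileName, ScriptBlockText); the helper names and the sample paths are assumptions for illustration.

```python
"""Evaluate the three T1553.004 Sigma rules above against constructed sample events.

Added example; the matching helpers are hand-written approximations of the
Sigma modifiers, not the Sigma project's own implementation.
"""
from __future__ import annotations

# Sigma's windash modifier expands a leading '-' to each of these prefixes.
_WINDASH_PREFIXES = ("-", "/", "\u2013", "\u2014", "\u2015")


def _contains(haystack: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive by default.
    return needle.lower() in haystack.lower()


def _contains_windash(haystack: str, needle: str) -> bool:
    # The rule writes the switch as '-addstore'; accept any dash/slash prefix.
    body = needle.lstrip("-")
    return any(_contains(haystack, prefix + body) for prefix in _WINDASH_PREFIXES)


def _endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def _equals(value: str, expected: str) -> bool:
    return value.lower() == expected.lower()


def certmgr_root_cert(ev: dict) -> bool:
    """New Root Certificate Installed Via CertMgr.EXE: all of selection_*."""
    cli = ev.get("CommandLine", "")
    selection_cli = all(_contains(cli, v) for v in ("/add", "root"))
    selection_img = _endswith(ev.get("Image", ""), r"\CertMgr.exe") or _equals(
        ev.get("OriginalFileName", ""), "CERTMGT.EXE"
    )
    return selection_cli and selection_img


def certutil_root_cert(ev: dict) -> bool:
    """New Root Certificate Installed Via Certutil.EXE: all of selection_*."""
    cli = ev.get("CommandLine", "")
    selection_cli_add = _contains_windash(cli, "-addstore")
    selection_cli_store = _contains(cli, "root")
    selection_img = _endswith(ev.get("Image", ""), r"\certutil.exe") or _equals(
        ev.get("OriginalFileName", ""), "CertUtil.exe"
    )
    return selection_cli_add and selection_cli_store and selection_img


def powershell_root_cert(ev: dict) -> bool:
    """Root Certificate Installed - PowerShell: 1 of selection*."""
    sbt = ev.get("ScriptBlockText", "")
    store = r"Cert:\LocalMachine\Root"
    selection1 = all(_contains(sbt, v) for v in ("Move-Item", store))
    selection2 = all(_contains(sbt, v) for v in ("Import-Certificate", store))
    return selection1 or selection2


RULES = {
    "New Root Certificate Installed Via CertMgr.EXE": certmgr_root_cert,
    "New Root Certificate Installed Via Certutil.EXE": certutil_root_cert,
    "Root Certificate Installed - PowerShell": powershell_root_cert,
}

# Constructed sample events (not real telemetry). Index 2 and 4 are benign
# look-alikes that must not fire; index 5 uses an en dash as the switch prefix,
# which is why the certutil rule needs the windash modifier.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -addstore Root C:\Users\Public\ca.cer"},
    {"Image": r"C:\Tools\certmgr.exe", "OriginalFileName": "CERTMGT.EXE",
     "CommandLine": r"certmgr.exe /add ca.cer /s /r localMachine root"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\temp\file.txt SHA256"},
    {"ScriptBlockText": r"Import-Certificate -FilePath C:\Users\Public\ca.cer "
                        r"-CertStoreLocation Cert:\LocalMachine\Root"},
    {"ScriptBlockText": r"Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe \u2013addstore root " + r"C:\Users\Public\ca.cer"},
]


def evaluate(events: list[dict]) -> dict[str, list[int]]:
    """Return, per rule title, the indices of the events that match it."""
    return {title: [i for i, ev in enumerate(events) if rule(ev)]
            for title, rule in RULES.items()}


if __name__ == "__main__":
    for title, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{title}: events {hits}")
```

Running the block prints which sample events each rule fires on; the benign certutil hashing call and the read-only Get-ChildItem of the Root store stay silent, while the dash, slash and en-dash spellings of the addstore switch all trigger the certutil rule.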