LoFP / there may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. in such cases, this will typically be done on a large number of systems.

Techniques

• T1553
• T1553.004

Sample rules

Attempt To Add Certificate To Untrusted Store

• source: splunk
• technicques:
  • T1553.004
  • T1553

Description

The following analytic detects attempts to add a certificate to the untrusted certificate store using the ‘certutil -addstore’ command. It leverages process activity and command-line arguments from Endpoint Detection and Response (EDR) logs mapped to the Splunk Processes data model. This activity is significant as it may indicate an attacker trying to disable security tools to gain unauthorized access. If confirmed malicious, this could lead to the compromise of system security, allowing attackers to bypass defenses and potentially escalate privileges or persist in the environment.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name("Processes")` 
| `security_content_ctime(firstTime)` 
|`security_content_ctime(lastTime)` 
| `attempt_to_add_certificate_to_untrusted_store_filter`