Attempt To Add Certificate To Untrusted Store
- source: splunk
- techniques:
  - T1553.004
  - T1553
Description
The following analytic detects a process attempting to add a certificate to the untrusted (Disallowed) certificate store, which can disable security tooling: Windows refuses to trust any certificate placed in that store, so binaries signed with it fail signature validation. An attacker who adds a security vendor's code-signing certificate to the Disallowed store can therefore stop that vendor's components from loading or updating. The detection focuses on process execution telemetry and command-line arguments for 'certutil -addstore'. Note that the search matches every certutil -addstore invocation, not only those targeting the Disallowed store; additions to Root or TrustedPublisher (T1553.004) also fire, so the store name in the command line is the first thing to check during triage. False positives are expected, since administrators legitimately use certutil to install certificates (for example, deploying an internal root or publisher certificate). Next steps are to triage the parent process, the user, the certificate file and the target store before taking action. The analytic maps to Subvert Trust Controls (T1553) because the certificate store is the trust anchor the operating system consults when validating signatures, and writing to it changes what the system will accept as trusted.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime
  from datamodel=Endpoint.Processes
  where `process_certutil` (Processes.process=*-addstore*)
  by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `attempt_to_add_certificate_to_untrusted_store_filter`
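The search above, emulated in Python over constructed process events. This is an added example, not part of the Splunk analytic or its macros. It assumes the `process_certutil` macro matches `process_name` or `original_file_name` equal to certutil.exe, and it models the `attempt_to_add_certificate_to_untrusted_store_filter` macro as an allowlist; the events, hostnames, users, file paths and allowlist entries are invented for illustration. Beyond the two conditions the tstats search applies, it also extracts the store name passed to -addstore, which is what separates a hit on the Disallowed store from an ordinary root-certificate installation.

```python
"""Run the certutil -addstore detection over constructed endpoint events.

Added example, not part of the Splunk analytic. Assumes `process_certutil`
matches process_name or original_file_name == certutil.exe and models the
`_filter` macro as an allowlist. All events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone


def make_event(t, dest, user, parent, pname, orig, cmd):
    """Build one Endpoint.Processes-style record (process_id fields omitted)."""
    return {"_time": t, "dest": dest, "user": user, "parent_process_name": parent,
            "process_name": pname, "original_file_name": orig, "process": cmd}


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # Two adds to the Disallowed (untrusted) store: the case the rule is named for.
    make_event(1700000000, "ws01.corp.example", "CORP\\alice", "cmd.exe",
               "certutil.exe", "CertUtil.exe",
               "certutil.exe -addstore -f disallowed C:\\Users\\Public\\vendor_signing.cer"),
    make_event(1700000090, "ws01.corp.example", "CORP\\alice", "cmd.exe",
               "certutil.exe", "CertUtil.exe",
               "certutil.exe -addstore -f disallowed C:\\Users\\Public\\vendor_update.cer"),
    # Renamed binary, mixed-case verb: caught via original_file_name and
    # case-insensitive matching; target store is Root, not Disallowed.
    make_event(1700000500, "ws02.corp.example", "CORP\\bob", "powershell.exe",
               "ct.exe", "CertUtil.exe",
               "ct.exe -user -AddStore Root C:\\Temp\\proxy-root.cer"),
    # Admin-style publisher deployment, suppressed by the allowlist below.
    make_event(1700000900, "ws03.corp.example", "NT AUTHORITY\\SYSTEM", "ccmexec.exe",
               "certutil.exe", "CertUtil.exe",
               "certutil.exe -addstore -enterprise TrustedPublisher C:\\Windows\\ccmcache\\pub.cer"),
    # certutil without -addstore: no match.
    make_event(1700001000, "ws04.corp.example", "CORP\\carol", "cmd.exe",
               "certutil.exe", "CertUtil.exe",
               "certutil.exe -encode C:\\Temp\\payload.bin C:\\Temp\\payload.txt"),
    # "-addstore" inside another program's arguments: the certutil macro fails.
    make_event(1700001100, "ws04.corp.example", "CORP\\carol", "explorer.exe",
               "notepad.exe", "NOTEPAD.EXE",
               "notepad.exe C:\\Temp\\certutil-addstore-notes.txt"),
]

# Constructed stand-in for the `_filter` macro: vetted (parent, store) pairs.
ALLOWLIST = {("ccmexec.exe", "trustedpublisher")}


def is_certutil(event):
    """`process_certutil` as assumed above: on-disk name or PE original file
    name, so renaming certutil.exe does not evade the search."""
    names = (event.get("process_name", ""), event.get("original_file_name", ""))
    return "certutil.exe" in (n.lower() for n in names)


def addstore_target(cmdline):
    """Return the store name given to -addstore, or None if the verb is absent.
    Switches that may follow the verb (-f, -user, -enterprise, -gp) are skipped."""
    tokens = cmdline.split()
    lowered = [t.lower() for t in tokens]
    if "-addstore" not in lowered:
        return None
    for tok in tokens[lowered.index("-addstore") + 1:]:
        if not tok.startswith("-"):
            return tok
    return ""  # verb present but no store name follows


def ctime(epoch):
    """Same layout as `security_content_ctime` (UTC here for determinism)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def run_search(events, allowlist=frozenset()):
    """Emulate the tstats search. The original groups down to process_id, so
    each row is usually one execution; grouping by host, user, parent and
    image here gives a count that is more useful for triage."""
    groups = defaultdict(list)
    for ev in events:
        # `process_certutil` AND Processes.process=*-addstore* (case-insensitive wildcard)
        if not is_certutil(ev) or "-addstore" not in ev["process"].lower():
            continue
        store = (addstore_target(ev["process"]) or "").lower()
        if (ev["parent_process_name"].lower(), store) in allowlist:
            continue  # the `_filter` macro
        groups[(ev["dest"], ev["user"], ev["parent_process_name"], ev["process_name"])].append(ev)
    rows = []
    for (dest, user, parent, pname), evs in groups.items():
        stores = sorted({(addstore_target(e["process"]) or "").lower() for e in evs})
        rows.append({
            "dest": dest, "user": user, "parent_process_name": parent,
            "process_name": pname, "count": len(evs),
            "firstTime": ctime(min(e["_time"] for e in evs)),
            "lastTime": ctime(max(e["_time"] for e in evs)),
            "process": sorted({e["process"] for e in evs}),
            "stores": stores,
            # Only Disallowed is the "untrusted" store in the rule's name; Root or
            # TrustedPublisher hits are T1553.004 and need different triage.
            "untrusted_store": "disallowed" in stores,
        })
    return rows


if __name__ == "__main__":
    for row in run_search(SAMPLE_EVENTS, ALLOWLIST):
        print(row)
```

Running the module reports two rows: the Disallowed-store adds on ws01, flagged as untrusted_store, and the renamed certutil adding to Root on ws02. The certutil -encode run and the notepad command line containing "certutil-addstore-notes.txt" are not reported, which shows that the `process_certutil` guard, not the `*-addstore*` wildcard alone, keeps the search from matching unrelated command lines. Without the allowlist the TrustedPublisher deployment on ws03 is reported as well, which is the false-positive class the description warns about.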