New Root Certificate Installed Via Certutil.EXE
Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
# Example: certutil -addstore -f -user ROOT CertificateFileName.der
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli_add:
CommandLine|contains|windash: '-addstore'
selection_cli_store:
CommandLine|contains: 'root'
condition: all of selection_*Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
Tactics
Sub-techniques
Root Certificate Installed - PowerShell
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
This rule was derived from the related rule - both detect similar activity with different scope.
46591fae-7a4c-46ea-aec3-dff5e6d785dc