Create win_root_certificate_installed.yml

2020-10-09 12:29:53 +11:00
parent d3ee1aba66
commit a68d50a5d9
1 changed files with 38 additions and 0 deletions
@@ -0,0 +1,38 @@
+action: global
+title: Root Certificate Installed
+id: 42821614-9264-4761-acfc-5772c3286f76
+status: experimental
+description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+date: 2020/10/10
+tags:
+    - attack.defense_evasion
+    - attack.t1553.004
+level: medium
+falsepositives:
+    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
+detection:
+    condition: 1 of them
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Image|endswith: '\certutil.exe'     # Example: certutil -addstore -f -user ROOT CertificateFileName.der
+        CommandLine|contains: '-addstore * root'
+    selection2:
+        Image|endswith: '\CertMgr.exe'      # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
+        CommandLine|contains: '/add * root'
+---
+logsource:
+    product: windows
+    service: powershell
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains:
+          - 'Import-Certificate * Cert:\LocalMachine\Root'
+          - 'Move-Item * Cert:\LocalMachine\Root'