[New Rule] Creation or Modification of Root Certificate (#927)

* Create defense_evasion_create_mod_root_certificate.toml

* update description

* Update defense_evasion_create_mod_root_certificate.toml

* spacing

* Update rules/windows/defense_evasion_create_mod_root_certificate.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* removing process names that could lead to false negatives

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
This commit is contained in:
Brent Murphy
2021-02-08 10:01:59 -05:00
committed by GitHub
parent 0b568e5740
commit 02ee8195ab
@@ -0,0 +1,57 @@
[metadata]
creation_date = "2021/02/01"
maturity = "production"
updated_date = "2021/02/01"
[rule]
author = ["Elastic"]
description = """
Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root
certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity
(e.g. Microsoft). It could also allow an attacker to decrypt SSL traffic.
"""
false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License"
name = "Creation or Modification of Root Certificate"
references = [
"https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
"https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate",
]
risk_score = 21
rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "eql"
query = '''
registry where event.type in ("creation", "change") and
registry.path :
(
"HKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"HKLM\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
"HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1553"
name = "Subvert Trust Controls"
reference = "https://attack.mitre.org/techniques/T1553/"
[[rule.threat.technique.subtechnique]]
id = "T1553.004"
name = "Install Root Certificate"
reference = "https://attack.mitre.org/techniques/T1553/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
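Review bot: The registry.path list in the query only covers the machine-wide stores under HKLM, so a root certificate dropped into the current user's store — which a non-admin attacker can typically reach by writing the Blob value directly, no elevation and no consent prompt — is not matched even though the description promises detection of any local trusted-root change. Consider adding `"HKEY_USERS\\*\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob"` and the matching AuthRoot path, after confirming how each configured source (winlogbeat/Sysmon vs. the Endpoint integration) renders per-user hive paths, since they may not share a prefix and a mismatched pattern would silently match nothing. Separately, AuthRoot\Certificates is also written by Windows' automatic root-certificate update, and with the process-name exclusions removed in this commit those writes will fire the rule; the false_positives entry should say so, e.g. `false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic.", "Windows automatic root certificate updates write to the AuthRoot store."]`, so triage doesn't treat them as a compromise. The low severity and risk_score of 21 are consistent with that noise level.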