From 02ee8195abc7a7326f9fb6abe6d97e1d4346515e Mon Sep 17 00:00:00 2001
From: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Date: Mon, 8 Feb 2021 10:01:59 -0500
Subject: [PATCH] [New Rule] Creation or Modification of Root Certificate (#927)

* Create defense_evasion_create_mod_root_certificate.toml
* update description
* Update defense_evasion_create_mod_root_certificate.toml
* spacing
* Update rules/windows/defense_evasion_create_mod_root_certificate.toml
Co-authored-by: Justin Ibarra
* removing process names that could lead to fn
Co-authored-by: Justin Ibarra
---
 ...e_evasion_create_mod_root_certificate.toml | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 rules/windows/defense_evasion_create_mod_root_certificate.toml
diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
new file mode 100644
index 000000000..ec43ec64a
--- /dev/null
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2021/02/01"
+maturity = "production"
+updated_date = "2021/02/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root
+certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity
+(e.g. Microsoft). It could also allow an attacker to decrypt SSL traffic.
+"""
+false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License"
+name = "Creation or Modification of Root Certificate"
+references = [
+    "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
+    "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate",
+]
+risk_score = 21
+rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4"
+severity = "low"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+type = "eql"
+
+query = '''
+registry where event.type in ("creation", "change") and
+  registry.path :
+  (
+    "HKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
+    "HKLM\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
+    "HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
+    "HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob"
+  )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1553"
+name = "Subvert Trust Controls"
+reference = "https://attack.mitre.org/techniques/T1553/"
+[[rule.threat.technique.subtechnique]]
+id = "T1553.004"
+name = "Install Root Certificate"
+reference = "https://attack.mitre.org/techniques/T1553/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"