security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e897a6760429ea46da15ebbca1609b62fd37fee9
sigma-rules/rules/windows/defense_evasion_create_mod_root_certificate.toml
T
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00

60 lines
2.0 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/02/01"
maturity = "production"
updated_date = "2021/03/03"
[rule]
author = ["Elastic"]
description = """
Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root
certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity
(e.g. Microsoft). It could also allow an attacker to decrypt SSL traffic.
"""
false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Creation or Modification of Root Certificate"
references = [
"https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
"https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate",
]
risk_score = 21
rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where event.type in ("creation", "change") and
registry.path :
(
"HKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"HKLM\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
"HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1553"
name = "Subvert Trust Controls"
reference = "https://attack.mitre.org/techniques/T1553/"
[[rule.threat.technique.subtechnique]]
id = "T1553.004"
name = "Install Root Certificate"
reference = "https://attack.mitre.org/techniques/T1553/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Reference in New Issue View Git Blame Copy Permalink