detection.wiki

Detection rules › Sigma

New Root or CA or AuthRoot Certificate to Store

Status
test
Severity
medium
Log source
product windows, category registry_set
Author
frack113
Source
github.com/SigmaHQ/sigma

Detects the addition of new root, CA or AuthRoot certificates to the Windows registry

MITRE ATT&CK coverage

TacticTechniques
ImpactT1490 Inhibit System Recovery

Event coverage

ProviderEventTitle
SysmonEvent ID 13RegistryEvent (Value Set)

Rule body yaml

title: New Root or CA or AuthRoot Certificate to Store
id: d223b46b-5621-4037-88fe-fda32eead684
status: test
description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
    - https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
author: frack113
date: 2022-04-04
modified: 2023-08-17
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\'
            - '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
            - '\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
        TargetObject|endswith: '\Blob'
        Details: 'Binary Data'
    condition: selection
falsepositives:
    - Unknown
level: medium

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    TargetObject|contains:
        - '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\'
        - '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\'
        - '\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\'
        - '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
        - '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
        - '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
        - '\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\'
        - '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
        - '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
    TargetObject|endswith: '\Blob'
    Details: 'Binary Data'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Detailseq
  • Binary Data corpus 5 (splunk 3, sigma 2)
TargetObjectends_with
  • \Blob
TargetObjectmatch
  • \SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\
  • \SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\
  • \SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\
  • \SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\
  • \SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\
  • \SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\
  • \SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\
  • \SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\
  • \SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\