T1553.004: Install Root Certificate
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). Once a root certificate is installed, the system or application will trust any certificate whose chain of trust is signed by that root. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted, an error message is displayed to warn the user of the security risk, and, depending on the security settings, the browser may refuse to establish the connection at all.
Installing a root certificate on a compromised system gives an adversary a way to degrade the security of that system. Adversaries have used this technique to suppress the security warnings users would otherwise see when compromised systems connect over HTTPS to adversary-controlled web servers that spoof legitimate websites in order to collect login credentials.
Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide Adversary-in-the-Middle capability for intercepting information transmitted over secure TLS/SSL communications.
Root certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.
In macOS, the Ay MaMi malware installs a malicious certificate as a trusted root certificate in the system keychain with the following command (the -d flag targets the system-wide admin trust domain, which requires administrator privileges, and -r trustRoot marks the certificate as a trusted root rather than merely adding it to the keychain):
/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
Windows:
— Monitoring of events related to execution of certutil.exe (with parameter -addstore) and certmgr.exe (with parameter -add).
— Monitoring of events related to execution of the PowerShell cmdlet Import-Certificate.
— Monitoring of events related to creation or modification of registry keys at the following locations: HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates, [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates.
CentOS/RHEL:
— Monitoring of events related to creation of .crt files at /etc/pki/ca-trust/source/anchors/. Such events are commonly followed by the 'update-ca-trust' command, which rebuilds the consolidated trust bundle from the anchors.
Linux (Debian/Ubuntu layout):
— Monitoring of events related to creation of .crt files at /usr/local/share/ca-certificates. Such events are commonly followed by the 'update-ca-certificates' command, which regenerates /etc/ssl/certs from that directory.
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
Detection
ID | Data source and component | Description
---|---|---
DS0017 | Command: Command Execution | Monitor for commands, such as certutil.exe -addstore, certmgr.exe -add and the PowerShell cmdlet Import-Certificate on Windows, or security add-trusted-cert on macOS, that can be used to install root certificates.
DS0024 | Windows Registry: Windows Registry Key Modification | Monitoring changes to the Windows Registry may reveal malicious root certificate installation. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\ and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\.
DS0009 | Process: Process Creation | Monitor for processes, such as certutil.exe and certmgr.exe, that can be used to install root certificates. Analytic 1: Attempt to Add Certificate to Untrusted Store.
DS0024 | Windows Registry: Windows Registry Key Creation | Monitoring the creation of (sub)keys within the Windows Registry may reveal malicious root certificate installation. Installed root certificates are located in the Registry under the same Root\Certificates keys listed above; each certificate is stored as a subkey named after its SHA-1 thumbprint, so a newly created subkey whose thumbprint is not in the approved baseline is the artifact to alert on.
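The monitoring rules listed in the MaxPatrol section above (certutil -addstore, certmgr -add, Import-Certificate, the registry Root\Certificates keys, .crt files dropped in the Linux anchor directories followed by update-ca-trust / update-ca-certificates), the macOS security add-trusted-cert command, and the detection table above all describe the same small set of indicators. The following Python is an added example that turns those indicators into runnable checks over constructed sample events; it is not a MaxPatrol SIEM rule, nor code from MITRE. The event format (dicts with a "kind" field), the rule names, the placeholder "certificate" bytes and all sample events are assumptions made here. The one fact it relies on beyond the page is that Windows names each certificate subkey under Root\Certificates after the SHA-1 thumbprint of the DER-encoded certificate, which is what lets a registry key creation event be compared against a baseline of approved roots.

```python
"""Rule checks for root-certificate installation, covering the indicators this page lists.

Added example for this page; it is not a MaxPatrol SIEM rule or MITRE code. The event
format (dicts with a "kind" field), the rule names, and all sample events are constructed.
"""
import base64
import hashlib
import re

# Process-creation rules: the installers named on this page (Windows, macOS, Linux).
COMMAND_RULES = [
    ("win_certutil_addstore", re.compile(r"\bcertutil(\.exe)?\b.*\s-addstore\b", re.I)),
    ("win_certmgr_add", re.compile(r"\bcertmgr(\.exe)?\b.*\s-add\b", re.I)),
    ("win_import_certificate", re.compile(r"\bImport-Certificate\b", re.I)),
    ("macos_add_trusted_cert", re.compile(r"\bsecurity\s+add-trusted-cert\b")),
    ("linux_update_ca_trust", re.compile(r"\bupdate-ca-(trust|certificates)\b")),
]

# Registry locations from the page. Windows names each certificate subkey after the
# SHA-1 thumbprint of the DER-encoded certificate, so group 1 is the thumbprint.
ROOT_STORE_KEY = re.compile(
    r"^(?:HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\"
    r"(?:Microsoft\\EnterpriseCertificates|(?:Policies\\)?Microsoft\\SystemCertificates)"
    r"\\Root\\Certificates\\([0-9A-F]{40})(?:\\|$)",
    re.I,
)

# Anchor directories from the page (RHEL/CentOS and Debian-style layouts).
LINUX_ANCHOR_DIRS = ("/etc/pki/ca-trust/source/anchors/", "/usr/local/share/ca-certificates/")


def thumbprint_from_pem(pem):
    """SHA-1 of the DER bytes, uppercase hex: the form used as the registry subkey name."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()


def check_event(event, baseline):
    """Return the rule names an event trips; an empty list means nothing suspicious."""
    hits = []
    if event["kind"] == "process":
        hits.extend(name for name, rx in COMMAND_RULES if rx.search(event["cmdline"]))
    elif event["kind"] == "registry":
        m = ROOT_STORE_KEY.match(event["key"])
        # A thumbprint already in the approved baseline is a known root; anything else is new.
        if m and m.group(1).upper() not in baseline:
            hits.append("win_root_store_new")
    elif event["kind"] == "file":
        path = event["path"]
        if path.endswith(".crt") and path.startswith(LINUX_ANCHOR_DIRS):
            hits.append("linux_anchor_crt_created")
    return hits


def detect(events, baseline):
    """Run every event through the rules; return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev, baseline)]


def linux_anchor_then_update(events):
    """Pair a .crt dropped in an anchor directory with a later update-ca-* run,
    the sequence the page says usually follows the file creation."""
    pending, pairs = [], []
    for i, ev in enumerate(events):
        rules = check_event(ev, set())
        if "linux_anchor_crt_created" in rules:
            pending.append(i)
        elif "linux_update_ca_trust" in rules and pending:
            pairs.append((pending.pop(0), i))
    return pairs


# Constructed placeholder: not a real certificate, just bytes standing in for the DER of an
# approved corporate root so the baseline has one known thumbprint.
KNOWN_ROOT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder-approved-root-der").decode()
    + "\n-----END CERTIFICATE-----\n"
)
BASELINE = {thumbprint_from_pem(KNOWN_ROOT_PEM)}
UNKNOWN_THUMB = "A" * 40  # a thumbprint nobody approved

# Constructed sample events in the order a SIEM might receive them.
SAMPLE_EVENTS = [
    {"kind": "process", "cmdline": r"certutil.exe -addstore Root C:\Users\Public\update.cer"},
    {"kind": "process", "cmdline": r"certutil.exe -verify C:\Users\Public\update.cer"},  # benign
    {"kind": "process", "cmdline": r"certmgr.exe -add -c update.cer -s -r localMachine Root"},
    {"kind": "process", "cmdline": r"powershell.exe -Command Import-Certificate -FilePath C:\Temp\ca.cer -CertStoreLocation Cert:\LocalMachine\Root"},
    {"kind": "process", "cmdline": "/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/cert.der"},
    {"kind": "registry", "key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\" + thumbprint_from_pem(KNOWN_ROOT_PEM)},  # known root
    {"kind": "registry", "key": "HKCU\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\" + UNKNOWN_THUMB + "\\Blob"},
    {"kind": "file", "path": "/usr/local/share/ca-certificates/corp-proxy.crt"},
    {"kind": "process", "cmdline": "update-ca-certificates"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS, BASELINE):
        print(f"event {idx}: {rule}")
    print("anchor+update pairs:", linux_anchor_then_update(SAMPLE_EVENTS))
```

Run stand-alone, the script flags every installer invocation, the unknown registry subkey and the Linux anchor drop, while the benign certutil -verify call and the baselined registry key produce nothing. The baseline check is the part worth carrying into a real rule: an alert on every write under Root\Certificates is noisy on systems where Group Policy legitimately pushes enterprise roots, whereas a subkey whose thumbprint is absent from the approved set is a concrete, low-volume indicator.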
Mitigation
ID | Name | Description
---|---|---
M1054 | Software Configuration | HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where an adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications, by enforcing use of an expected certificate. Caveat: HPKP is deprecated and has been removed from Chrome and Firefox, and RFC 7469 explicitly permits a user agent to skip pin validation for chains that terminate at a locally installed trust anchor rather than a built-in one, which is exactly the situation this technique creates; controlling the trust store itself is the more reliable defense.
M1028 | Operating System Configuration | Windows Group Policy can be used to manage root certificates and the