Adversaries may install their own certificates in a host's trusted certificate store so that TLS connections they intercept or originate pass validation, which lets them hide command and control traffic, credential theft and exfiltration behind what looks like legitimately secured traffic. Because most controls implicitly trust whatever is in the store, SOC teams should proactively hunt for store modifications in Microsoft Sentinel (formerly Azure Sentinel) rather than wait for a downstream alert.
YARA Rule
    rule certificate {
        meta:
            author = "x0r"
            description = "Inject certificate in store"
            version = "0.1"
        strings:
            // CryptoAPI library that implements the certificate store functions
            $f1 = "Crypt32.dll" nocase
            // Registry path of the machine-wide SPC (Software Publisher Certificates) store
            $r1 = "software\\microsoft\\systemcertificates\\spc\\certificates" nocase
            // Crypt32 export that opens a system store by name (also matches the A/W variants)
            $c1 = "CertOpenSystemStore"
        condition:
            all of them
    }
The rule has three string patterns and fires only when all three are present in the scanned file or process memory: the Crypt32.dll library name, the CertOpenSystemStore API name, and the registry path of the SPC store. Two limits are worth knowing before relying on it. It matches content, not events, so the exclusions below have to be applied on the event side in the SIEM, not in the rule. And it keys on the SPC store path only: a sample that targets the ROOT or AuthRoot stores, or that opens the store with CertOpenStore instead of CertOpenSystemStore, does not match.
Scenario: Scheduled certificate renewal via Let’s Encrypt
Description: A system administrator uses certbot to automatically renew SSL certificates, which may temporarily store intermediate certificates in the local certificate store.
Filter/Exclusion: Exclude events where the certificate subject is letsencrypt.org or where the process name is certbot.
Scenario: Admin task to import trusted root certificates
Description: An administrator manually imports a trusted root certificate (e.g., from DigiCert or GlobalSign) into the system’s trusted store using certutil or the Microsoft Management Console (MMC).
Filter/Exclusion: Exclude events where the certificate issuer is a known public CA and the importing process is certutil or mmc. Do not exclude on domain-admin membership alone: an adversary who has obtained those privileges is exactly the case this hunt exists for.
Scenario: Automated backup and restore of certificate stores
Description: A backup tool (e.g., vssadmin or third-party backup software) restores a certificate store from a previous backup, which may include certificates that appear as “injected.”
Filter/Exclusion: Exclude events where the source is a known backup system or where the certificate was present in the store prior to the backup.
Scenario: System update that includes certificate updates
Description: Windows Update, or a patching channel such as WSUS, installs or refreshes root certificates (the automatic root certificate update mechanism), which may be flagged as "injected" during the update process.
Filter/Exclusion: Exclude events where the certificate is part of a known OS update or where the event source is Windows Update.
Scenario: Internal CA certificate deployment
Description: An internal CA (e.g., Active Directory Certificate Services auto-enrollment through CertEnroll, or a test root created with makecert) deploys a new root certificate to the enterprise certificate store, which may be misinterpreted as an "injected" certificate.
Filter/Exclusion: Exclude events where
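The hunt that the scenarios above describe, written out as an added example in Python; it is not code from this page's author or from any Sentinel content pack. The event field names, the tool and issuer allow-lists, and every event in SAMPLE_EVENTS are constructed to resemble registry-audit telemetry, and the domain-admin exclusion is deliberately narrowed to certutil/mmc imports rather than applied to any admin-initiated write.

```python
"""Triage of certificate-store write events with this page's benign-scenario
exclusions applied. Added example; field names and events are assumptions."""
import re
from dataclasses import dataclass

# A write under one of these keys lands a certificate in a machine-wide store;
# the value name is the SHA-1 thumbprint. The page's YARA rule keys on SPC only,
# but ROOT and AuthRoot are the stores that matter for TLS interception.
STORE_KEY = re.compile(
    r"\\SystemCertificates\\(?P<store>ROOT|AuthRoot|SPC|CA|TrustedPublisher)"
    r"\\Certificates\\(?P<thumbprint>[0-9A-Fa-f]{40})$",
    re.IGNORECASE,
)

@dataclass
class CertStoreEvent:                 # assumed field names, not a real table schema
    registry_key: str
    process_name: str
    user: str
    cert_subject: str = ""
    cert_issuer: str = ""
    is_domain_admin: bool = False
    pre_existing: bool = False        # thumbprint was already in the store before this write
    source_is_update: bool = False    # write attributed to Windows Update / WSUS

ADMIN_IMPORT_TOOLS = {"certutil.exe", "mmc.exe"}
BACKUP_TOOLS = {"vssadmin.exe"}                  # extend with your backup agent's process name
PUBLIC_CA_ISSUERS = ("digicert", "globalsign")    # the page's examples of known public CAs
INTERNAL_CA_ISSUERS = {"CN=Corp Root CA"}         # assumed name of the internal CA

def classify(ev: CertStoreEvent) -> str:
    """Return 'ignore:*', 'excluded:*' or 'alert:<STORE>:<THUMBPRINT>:<tag>'."""
    m = STORE_KEY.search(ev.registry_key)
    if not m:
        return "ignore:not-a-certificate-store-write"
    proc = ev.process_name.lower()
    subject, issuer = ev.cert_subject.lower(), ev.cert_issuer.lower()

    # Scenario: certbot renewal writing the intermediate chain.
    if proc.startswith("certbot") or "letsencrypt" in subject:
        return "excluded:letsencrypt-renewal"
    # Scenario: admin import. Narrowed to the import tools; a bare "user is a
    # domain admin" exclusion would also hide an attacker holding those rights.
    if proc in ADMIN_IMPORT_TOOLS and (
        ev.is_domain_admin or any(ca in issuer for ca in PUBLIC_CA_ISSUERS)
    ):
        return "excluded:admin-import"
    # Scenario: backup restore re-creating a certificate that was already present.
    if proc in BACKUP_TOOLS and ev.pre_existing:
        return "excluded:backup-restore"
    # Scenario: root-store refresh delivered by Windows Update / WSUS.
    if ev.source_is_update:
        return "excluded:os-update"
    # Scenario: internal CA roll-out (assumed to be matched on a known issuer name).
    if ev.cert_issuer in INTERNAL_CA_ISSUERS:
        return "excluded:internal-ca"
    # Self-signed roots with a borrowed CA name are the classic interception cert.
    tag = "self-signed" if subject and subject == issuer else "chained"
    return f"alert:{m['store'].upper()}:{m['thumbprint'].upper()}:{tag}"

def hunt(events):
    """Verdicts for the events that survive every exclusion, in input order."""
    return [v for v in map(classify, events) if v.startswith("alert:")]

def key(store: str, thumbprint: str) -> str:
    parts = ["HKLM", "SOFTWARE", "Microsoft", "SystemCertificates", store, "Certificates", thumbprint]
    return "\\".join(parts)

T = "0123456789ABCDEF0123456789ABCDEF0123456"   # 39 hex chars; one appended per sample

SAMPLE_EVENTS = [  # constructed events, not real telemetry
    CertStoreEvent(key("CA", T + "0"), "certbot.exe", "svc-certbot",
                   "CN=R3, O=Let's Encrypt", "CN=ISRG Root X1"),
    CertStoreEvent(key("ROOT", T + "1"), "certutil.exe", "CORP\\jdoe-adm",
                   "CN=DigiCert Global Root G2", "CN=DigiCert Global Root G2", is_domain_admin=True),
    CertStoreEvent(key("ROOT", T + "2"), "vssadmin.exe", "SYSTEM", pre_existing=True),
    CertStoreEvent(key("AuthRoot", T + "3"), "svchost.exe", "SYSTEM", source_is_update=True),
    CertStoreEvent(key("ROOT", T + "4"), "mmc.exe", "CORP\\pki-admin",
                   "CN=Corp Root CA", "CN=Corp Root CA"),
    # Unknown process planting a self-signed root that mimics a real CA name.
    CertStoreEvent(key("ROOT", T + "5"), "update_helper.exe", "CORP\\jsmith",
                   "CN=DigiCert Global Root G2", "CN=DigiCert Global Root G2"),
    # Domain admin, but not via certutil/mmc: still an alert.
    CertStoreEvent(key("ROOT", T + "6"), "powershell.exe", "CORP\\jdoe-adm",
                   "CN=Corp Proxy", "CN=Corp Proxy", is_domain_admin=True),
    CertStoreEvent("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\x", "x.exe", "u"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{classify(ev):70} {ev.process_name}")
```

Run as-is it prints one verdict per constructed event; only the last two store writes survive as alerts. The order of the checks matters: the broad exclusions (update source, internal issuer) are evaluated after the process-specific ones so that a tool name can never be used to slip past a narrower check.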