Attackers may install root certificates to bypass security warnings and establish trusted connections to command and control servers. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term persistence and exfiltration channels.
Detection Rule
title: Install Root Certificate
id: 78a80655-a51e-4669-bc6b-e9d206a462ee
status: test
description: Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: Ömer Günal, oscd.community
date: 2020-10-05
modified: 2022-07-07
tags:
    - attack.defense-evasion
    - attack.t1553.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/update-ca-certificates'
            - '/update-ca-trust'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
imProcessCreate
| where TargetProcessName endswith "/update-ca-certificates" or TargetProcessName endswith "/update-ca-trust"
False-positive scenarios and example exclusions (note that the tools and event IDs below are Windows-specific, while the rule above is scoped to Linux process creation, so they apply to a Windows port of the rule rather than to the query as written):

Scenario: A system administrator installs a trusted root certificate for an internal CA during routine PKI setup.
Filter/Exclusion: process.name != "certutil" AND process.name != "certmgr.msc"

Scenario: A scheduled job runs to update system certificates using Microsoft's certutil tool.
Filter/Exclusion: process.name == "certutil" AND event_id == 1212 (specific to certificate update events)

Scenario: An IT team deploys a new root certificate via Group Policy to all endpoints for secure internal communication.
Filter/Exclusion: process.name == "gpupdate" OR user.name == "Domain Admins"

Scenario: A developer manually imports a self-signed certificate for local testing purposes.
Filter/Exclusion: process.name == "mmc.exe" AND event_id == 1212 (specific to certificate import via MMC)

Scenario: A certificate authority (CA) tool such as OpenSSL is used to install a root certificate on a test server.
Filter/Exclusion: (process.name == "openssl" OR process.name == "certutil") AND source_ip == "10.0.0.0/8" (internal IP range)
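The following is an added example (not part of the rule or the original page) that replays the Sigma selection above over constructed Linux process_creation events and layers a tuning allowlist on top to handle the "legitimate administration" false positive. The BENIGN_PARENTS allowlist and the event field names are assumptions for illustration; the package-manager parents reflect the common case where the ca-certificates package's install scripts invoke the helper.

```python
import json
from typing import Dict, List

# Selection from the Sigma rule above: Image ends with one of these suffixes.
SUFFIXES = ("/update-ca-certificates", "/update-ca-trust")

# Tuning allowlist (assumption, not part of the rule): package managers run the
# CA helpers from the ca-certificates package's install scripts, which is the
# "legitimate administration" case the rule lists under falsepositives.
BENIGN_PARENTS = {"/usr/bin/dpkg", "/usr/bin/apt-get", "/usr/bin/rpm", "/usr/bin/dnf"}

# Constructed process_creation events in JSON-lines form (not real telemetry).
SAMPLE_LOG = """
{"Image": "/usr/sbin/update-ca-certificates", "ParentImage": "/usr/bin/dpkg", "User": "root", "CommandLine": "update-ca-certificates"}
{"Image": "/usr/sbin/update-ca-certificates", "ParentImage": "/bin/bash", "User": "root", "CommandLine": "update-ca-certificates"}
{"Image": "/usr/bin/update-ca-trust", "ParentImage": "/bin/sh", "User": "root", "CommandLine": "update-ca-trust extract"}
{"Image": "/usr/bin/curl", "ParentImage": "/bin/bash", "User": "alice", "CommandLine": "curl https://example.invalid"}
{"Image": "/tmp/update-ca-certificates.sh", "ParentImage": "/bin/bash", "User": "alice", "CommandLine": "/tmp/update-ca-certificates.sh"}
"""

def parse_log(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def matches_selection(event: Dict) -> bool:
    """Same test as `Image|endswith` in the Sigma rule / `endswith` in the KQL.
    Note the suffix must be the whole basename: a script whose name merely
    contains it (e.g. update-ca-certificates.sh) is not matched."""
    return any(event.get("Image", "").endswith(s) for s in SUFFIXES)

def is_benign(event: Dict) -> bool:
    """Allowlist exclusion layered on top of the rule (assumption, see above)."""
    return event.get("ParentImage") in BENIGN_PARENTS

def run_detection(text: str) -> Dict[str, List[Dict]]:
    """Split matching events into alerts and suppressed matches; drop non-matches."""
    result: Dict[str, List[Dict]] = {"alerts": [], "suppressed": []}
    for ev in parse_log(text):
        if not matches_selection(ev):
            continue
        result["suppressed" if is_benign(ev) else "alerts"].append(ev)
    return result

if __name__ == "__main__":
    out = run_detection(SAMPLE_LOG)
    for ev in out["alerts"]:
        print(f"ALERT  parent={ev['ParentImage']} user={ev['User']} cmd={ev['CommandLine']}")
    for ev in out["suppressed"]:
        print(f"benign parent={ev['ParentImage']} cmd={ev['CommandLine']}")
```

On the sample, the dpkg-triggered run is suppressed while the two interactive-shell invocations surface as alerts, which is the triage split a SOC analyst would want before hunting further on the parent process and the certificate file that was dropped.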