Skip to content
Threat Feed
low advisory

Windows Root Certificate Modification for Defense Evasion

An attacker modifies trusted root certificates in Windows to masquerade malicious files as valid or decrypt SSL traffic, evading defenses and potentially enabling adversary-in-the-middle attacks.

Attackers may attempt to install malicious root certificates to subvert trust controls within a Windows environment. This technique allows them to masquerade malicious files as valid, signed components from any entity, including trusted vendors like Microsoft. The modification of root certificates can also enable decryption of SSL traffic, facilitating adversary-in-the-middle attacks and data collection. The behavior is detected by monitoring registry modifications related to root certificate stores. This activity matters because it allows an attacker to bypass security measures that rely on certificate validation, potentially leading to the execution of malware or the compromise of sensitive data. The documented detection logic focuses on changes to specific registry paths where root certificates are stored and excludes expected benign processes to reduce false positives.

Attack Chain

  1. An attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).
  2. The attacker executes a script or tool with administrative privileges.
  3. The script or tool modifies the Windows Registry to add or modify a root certificate. Specifically, the Blob value within registry paths like HKLM\Software\Microsoft\SystemCertificates\Root\Certificates\* is altered.
  4. Windows validates the certificate store and trusts the newly added or modified certificate.
  5. The attacker deploys malware or tools signed with a certificate chained to the malicious root CA.
  6. Windows trusts the attacker's signed malware, allowing it to execute without triggering security warnings or alerts related to untrusted signatures.
  7. The attacker intercepts SSL traffic using the installed root certificate to decrypt and collect sensitive data.
  8. The attacker achieves their final objective, such as data exfiltration, lateral movement, or persistence.

Impact

A successful attack involving the modification of root certificates can lead to significant consequences. Attackers can bypass security measures that rely on trusted certificates, allowing them to execute malware undetected. They can also decrypt SSL traffic, compromising sensitive data transmitted over secure connections. While the rule severity is low, the potential impact is significant, including enabling further malicious activities such as data theft or system compromise, depending on the attacker's objectives after establishing trust.

Recommendation

  • Enable registry event logging (e.g., Sysmon) to capture registry modifications, specifically writes to the HKLM\Software\Microsoft\SystemCertificates paths, as outlined in the rule query.
  • Deploy the Sigma rule "Creation or Modification of Root Certificate" to your SIEM and tune the exclusions for your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on identifying the parent processes and associated activities.
  • Regularly audit installed root certificates to identify any unauthorized or suspicious entries.
  • Implement strong access controls to prevent unauthorized modifications to the Windows Registry, especially the certificate stores.

Detection coverage 2

Suspicious Root Certificate Modification via Registry

medium

Detects suspicious modification of root certificates in the Windows Registry, excluding common legitimate processes.

sigma tactics: defense_evasion techniques: T1553.004 sources: registry_set, windows

Root Certificate Added by Uncommon Process

info

Detects the addition of root certificates by processes not commonly associated with certificate management.

sigma tactics: defense_evasion techniques: T1553.004 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →