{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/root-certificate/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","root certificate","mitm"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers can install malicious root certificates to subvert trust controls and bypass security measures. Once a malicious root certificate is installed, attackers can sign malicious files, making them appear as legitimate software from trusted vendors like Microsoft. This allows the attacker to execute code undetected and maintain persistence on the system. Furthermore, a rogue root certificate can be used in adversary-in-the-middle attacks to decrypt SSL traffic, enabling the collection of sensitive data. This activity is typically achieved through registry modifications. Monitoring for these modifications can help security teams identify potential compromise attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to administrator or SYSTEM level, required to modify the trusted root certificate store.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like certutil.exe or PowerShell to import a malicious root certificate into the Windows registry.\u003c/li\u003e\n\u003cli\u003eThe registry keys \u003ccode\u003eHKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\u003c/code\u003e or \u003ccode\u003eHKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\u003c/code\u003e are modified to add the new certificate.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly installed root certificate to sign malicious executables or scripts.\u003c/li\u003e\n\u003cli\u003eThe signed malicious files are executed, bypassing signature-based detection mechanisms.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts and decrypts SSL traffic, collecting sensitive data like credentials or financial information.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by using the trusted certificate to repeatedly sign and execute malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful installation of a malicious root certificate allows attackers to bypass security controls, leading to the execution of arbitrary code and potential data theft. This can result in significant data breaches, financial losses, and reputational damage. Attackers can use this technique to maintain a long-term presence on compromised systems, making detection and remediation more challenging. While no specific victim counts are available, the technique is broadly applicable across many sectors and can affect any organization running Windows systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Root Certificate Modification\u0026rdquo; to your SIEM to detect registry modifications related to root certificate installation.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on processes modifying the registry keys related to root certificates.\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;False Positives\u0026rdquo; section in the rule documentation to tune the Sigma rule for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious SSL decryption activity following the detection of a root certificate modification.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-root-cert-modification/","summary":"The modification of root certificates on Windows systems by unauthorized processes can allow attackers to masquerade malicious files as valid signed components and intercept/decrypt SSL traffic, leading to defense evasion and data collection.","title":"Windows Root Certificate Modification Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-root-cert-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Root Certificate","version":"https://jsonfeed.org/version/1.1"}