<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Root Certificate — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/root-certificate/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/root-certificate/feed.xml" rel="self" type="application/rss+xml"/><item><title>Windows Root Certificate Modification Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-root-cert-modification/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-root-cert-modification/</guid><description>The modification of root certificates on Windows systems by unauthorized processes can allow attackers to pass off malicious files as validly signed components and to intercept and decrypt TLS traffic, leading to defense evasion and data collection.</description><content:encoded><![CDATA[<p>Attackers install their own root certificates to subvert trust controls (MITRE ATT&CK T1553.004, Install Root Certificate) and bypass the checks that depend on them. Once a rogue root is trusted by the machine, any code-signing certificate the attacker issues under it chains to a trusted root, so signed malicious files pass Authenticode validation and publisher-based allow-listing on that host and look like legitimately signed software. This lets the attacker execute code with less scrutiny and maintain persistence. A rogue root also lets an attacker who is on the network path present forged server certificates, so adversary-in-the-middle interception and decryption of TLS traffic succeeds without browser or client warnings, enabling collection of sensitive data. On Windows the trusted root store is backed by the registry, so installing a certificate shows up as registry modifications.
Monitoring those keys for writes by unexpected processes gives security teams an early indicator of compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system, for example through phishing or by exploiting a software vulnerability.</li>
<li>The attacker elevates privileges to administrator or SYSTEM, which is required to modify the machine-wide (LocalMachine) trusted root store. A per-user root store also exists under <code>HKCU</code> and needs no elevation, but it only affects that user's sessions.</li>
<li>The attacker uses a built-in tool such as certutil.exe (<code>certutil -addstore Root &lt;file&gt;</code>) or PowerShell (<code>Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root</code>) to import the rogue root certificate; both write it into the registry-backed store.</li>
<li>A new subkey named by the certificate's SHA-1 thumbprint appears under <code>HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates</code> (or, for certificates deployed through Group Policy, <code>HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates</code>), and its <code>Blob</code> value receives the encoded certificate. This registry write is what the detection keys on.</li>
<li>The attacker uses a code-signing certificate issued under the rogue root to sign malicious executables or scripts.</li>
<li>The signed files pass Authenticode checks and publisher-based trust controls on the host, bypassing signature-based detection mechanisms.</li>
<li>From a position on the network path (for example a local proxy), the attacker presents server certificates chaining to the rogue root, intercepts and decrypts TLS traffic, and collects sensitive data such as credentials or financial information.</li>
<li>The trusted root survives reboots and, until it is removed, keeps validating attacker-signed code, so the attacker maintains persistence by repeatedly signing and executing malicious code.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful installation of a malicious root certificate allows attackers to bypass security controls, leading to the execution of arbitrary code and potential data theft. This can result in significant data breaches, financial losses, and reputational damage. Attackers can use this technique to maintain a long-term presence on compromised systems, making detection and remediation more challenging. While no specific victim counts are available, the technique is broadly applicable across many sectors and can affect any organization running Windows systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Detect Root Certificate Modification&rdquo; to your SIEM to detect writes to the registry keys that back the trusted root store.</li>
<li>Enable Sysmon registry event logging (Event IDs 12 and 13) and make sure your Sysmon configuration does not filter out the <code>SystemCertificates\Root\Certificates</code> paths; the rule needs the TargetObject and Image fields from those events.</li>
<li>Investigate any alerts triggered by the rule: identify the process, user and certificate thumbprint involved, inspect the certificate with <code>certutil -store Root &lt;thumbprint&gt;</code>, and if it is not an approved root, remove it with <code>certutil -delstore Root &lt;thumbprint&gt;</code>.</li>
<li>Review the &ldquo;False Positives&rdquo; section in the rule documentation and tune the rule for your environment; Group Policy application, enterprise CA rollouts and certificate-management agents are the usual legitimate sources of these writes.</li>
<li>After a root certificate modification is detected, look for TLS connections in which the server certificate chains to the new root and for changed system or browser proxy settings, since interception needs both; also hunt for executables signed by certificates issued under the new root.</li>
</ul>
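<p>The following is an added example, not CraftedSignal's Sigma rule or code from this brief: it expresses the detection logic from the attack chain and the recommendations above in Python so it can be run over sample Sysmon records. It matches Event ID 13 (registry value set) writes to the <code>Blob</code> value under either root store key, covers the per-user store under <code>HKU</code> as well as <code>HKLM</code>, and suppresses an allowlist of images. The allowlist entry, the ExampleCorp agent path and the event records are constructed for illustration.</p>

```python
"""Detect writes to the Windows trusted-root store in Sysmon registry events.

Added example for this brief; it is not the CraftedSignal Sigma rule itself,
only the same logic expressed in Python so it can be run over sample events.
"""
import re
from dataclasses import dataclass

# Sysmon Event ID 13 (RegistryEvent: Value Set) is the event the Sigma rule
# consumes; Event ID 12 (key create/delete) alone is too noisy to alert on.
SYSMON_REG_VALUE_SET = 13

# Each trusted root is a subkey named by its SHA-1 thumbprint holding a "Blob"
# value with the encoded certificate. The Policies\ variant is what Group
# Policy writes; the other is what certutil -addstore Root and
# Import-Certificate write. HKU\<SID> covers the per-user root store, which
# needs no admin rights but still poisons that user's TLS and signing trust.
ROOT_BLOB_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\S-1-[0-9-]+)\\SOFTWARE\\"
    r"(?P<policy>Policies\\)?Microsoft\\SystemCertificates\\Root\\Certificates\\"
    r"(?P<thumbprint>[0-9A-Fa-f]{40})\\Blob$",
    re.IGNORECASE,
)

# ASSUMPTION (not from the brief): images permitted to write the root store in
# this environment, such as a certificate-management agent. certutil.exe and
# powershell.exe are deliberately absent because attackers use them too.
ALLOWED_IMAGES = {
    r"c:\program files\examplecorp\certagent\certagent.exe",
}


@dataclass(frozen=True)
class Alert:
    record_id: int
    hive: str
    thumbprint: str
    image: str
    user: str
    via_policy_key: bool
    severity: str


def detect_root_cert_writes(events):
    """Return one Alert per non-allowlisted Blob write under a Root store key."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != SYSMON_REG_VALUE_SET:
            continue
        m = ROOT_BLOB_RE.match(ev.get("TargetObject", ""))
        if m is None:
            continue  # some other key, e.g. the CA or AuthRoot store
        image = ev.get("Image", "")
        if image.lower() in ALLOWED_IMAGES:
            continue
        hive = m.group("hive").upper()
        alerts.append(Alert(
            record_id=ev["RecordID"],
            hive=hive,
            thumbprint=m.group("thumbprint").upper(),
            image=image,
            user=ev.get("User", ""),
            via_policy_key=m.group("policy") is not None,
            # A machine-wide root affects every user and service on the host.
            severity="high" if hive == "HKLM" else "medium",
        ))
    return alerts


# Constructed Sysmon records (not real telemetry), flattened to the fields
# the rule needs. Thumbprints are made-up 40-hex strings.
SAMPLE_EVENTS = [
    {   # 1: certutil -addstore Root by an interactive user -> high
        "RecordID": 101, "EventID": 13, "User": r"CORP\alice",
        "Image": r"C:\Windows\System32\certutil.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\A1B2C3D4E5F60718293A4B5C6D7E8F9012345678\Blob",
    },
    {   # 2: approved management agent -> suppressed by the allowlist
        "RecordID": 102, "EventID": 13, "User": r"NT AUTHORITY\SYSTEM",
        "Image": r"C:\Program Files\ExampleCorp\CertAgent\certagent.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob",
    },
    {   # 3: intermediate CA store, not Root -> ignored
        "RecordID": 103, "EventID": 13, "User": r"CORP\alice",
        "Image": r"C:\Windows\System32\certutil.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob",
    },
    {   # 4: key creation only (Event ID 12) -> ignored, wait for the Blob write
        "RecordID": 104, "EventID": 12, "User": r"CORP\alice",
        "Image": r"C:\Windows\System32\certutil.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF",
    },
    {   # 5: per-user root store written from PowerShell (no admin needed) -> medium
        "RecordID": 105, "EventID": 13, "User": r"CORP\bob",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF\Blob",
    },
    {   # 6: policy key written by a non-allowlisted process -> high, policy path flagged
        "RecordID": 106, "EventID": 13, "User": r"NT AUTHORITY\SYSTEM",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\A1B2C3D4E5F60718293A4B5C6D7E8F9012345678\Blob",
    },
]


if __name__ == "__main__":
    for a in detect_root_cert_writes(SAMPLE_EVENTS):
        suffix = " via policy key" if a.via_policy_key else ""
        print(f"[{a.severity}] record {a.record_id}: {a.image} ({a.user}) "
              f"wrote root {a.thumbprint} in {a.hive}{suffix}")
```

<p>Run as-is, the block reports records 101, 105 and 106 and stays silent on the agent write, the CA-store write and the bare key creation. Matching the <code>Blob</code> write rather than the key creation is deliberate: it fires at the moment trust is actually granted and carries the thumbprint you need for the <code>certutil -store</code> and <code>certutil -delstore</code> steps above. The policy-key flag separates Group Policy deliveries, which you can reconcile against your GPOs, from direct store writes.</p>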
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>persistence</category><category>root certificate</category><category>mitm</category></item></channel></rss>