{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/subvert-trust-controls/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","subvert-trust-controls","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to install malicious root certificates to subvert trust controls within a Windows environment. This technique allows them to masquerade malicious files as valid, signed components from any entity, including trusted vendors like Microsoft. The modification of root certificates can also enable decryption of SSL traffic, facilitating adversary-in-the-middle attacks and data collection. The behavior is detected by monitoring registry modifications related to root certificate stores. This activity matters because it allows an attacker to bypass security measures that rely on certificate validation, potentially leading to the execution of malware or the compromise of sensitive data. The documented detection logic focuses on changes to specific registry paths where root certificates are stored and excludes expected benign processes to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or tool with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe script or tool modifies the Windows Registry to add or modify a root certificate. Specifically, the \u003ccode\u003eBlob\u003c/code\u003e value within registry paths like \u003ccode\u003eHKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\u003c/code\u003e is altered.\u003c/li\u003e\n\u003cli\u003eWindows validates the certificate store and trusts the newly added or modified certificate.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys malware or tools signed with a certificate chained to the malicious root CA.\u003c/li\u003e\n\u003cli\u003eWindows trusts the attacker's signed malware, allowing it to execute without triggering security warnings or alerts related to untrusted signatures.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts SSL traffic using the installed root certificate to decrypt and collect sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, lateral movement, or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack involving the modification of root certificates can lead to significant consequences. Attackers can bypass security measures that rely on trusted certificates, allowing them to execute malware undetected. They can also decrypt SSL traffic, compromising sensitive data transmitted over secure connections. While the rule severity is low, the potential impact is significant, including enabling further malicious activities such as data theft or system compromise, depending on the attacker's objectives after establishing trust.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable registry event logging (e.g., Sysmon) to capture registry modifications, specifically writes to the \u003ccode\u003eHKLM\\Software\\Microsoft\\SystemCertificates\u003c/code\u003e paths, as outlined in the rule query.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Creation or Modification of Root Certificate\u0026quot; to your SIEM and tune the exclusions for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the parent processes and associated activities.\u003c/li\u003e\n\u003cli\u003eRegularly audit installed root certificates to identify any unauthorized or suspicious entries.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls to prevent unauthorized modifications to the Windows Registry, especially the certificate stores.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-root-cert-mod/","summary":"An attacker modifies trusted root certificates in Windows to masquerade malicious files as valid or decrypt SSL traffic, evading defenses and potentially enabling adversary-in-the-middle attacks.","title":"Windows Root Certificate Modification for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-root-cert-mod/"}],"language":"en","title":"CraftedSignal Threat Feed - Subvert-Trust-Controls","version":"https://jsonfeed.org/version/1.1"}