T1553.004

Install Root Certificate

Adversaries may install a root certificate on a compromised system to undermine TLS/SSL trust validation, enabling Adversary-in-the-Middle (AiTM) attacks against encrypted communications. By adding a malicious CA certificate to the system or user trust store, the adversary can intercept HTTPS traffic, sign malicious executables to bypass code signing checks, or spoof legitimate websites to harvest credentials without triggering browser security warnings. This technique has been observed in banking trojans (RTM, Hikit), macOS malware (Dok, Ay MaMi), and supply chain attacks (Superfish). On Windows, certutil.exe is the primary living-off-the-land tool for adding certificates to named stores (ROOT, CA, TrustedPublisher). On macOS, the security binary can add trusted root certificates to the System or login keychain. On Linux, certificates can be dropped into /usr/local/share/ca-certificates/ followed by update-ca-certificates.

Microsoft Sentinel / Defender

kusto

// T1553.004 — Install Root Certificate
// Detects certutil adding certificates to trust stores, suspicious registry writes to certificate stores,
// and process-based certificate installation on Windows endpoints.
let CertUtilAddStore = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-addstore", "/addstore", "-AddStore", "/AddStore")
| extend TargetStore = extract(@"(?i)(?:-|/)addstore\s+(\S+)", 1, ProcessCommandLine)
| extend CertFile = extract(@"(?i)(?:-|/)addstore\s+\S+\s+(\S+\.(?:cer|crt|p7b|pfx|pem|der))", 1, ProcessCommandLine)
| extend IsRootStore = TargetStore has_any ("ROOT", "TrustedRoot", "AuthRoot")
| extend IsTrustedPublisher = TargetStore has_any ("TrustedPublisher", "Trusted")
| extend SuspiciousPath = CertFile has_any ("\\Temp\\", "\\AppData\\", "\\Downloads\\", "\\ProgramData\\", "\\Users\\Public\\", "C:\\Windows\\Temp")
| extend Severity = case(
    IsRootStore and SuspiciousPath, "High",
    IsRootStore, "Medium",
    IsTrustedPublisher and SuspiciousPath, "High",
    "Low")
| project Timestamp, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName,
         TargetStore, CertFile, IsRootStore, IsTrustedPublisher, SuspiciousPath, Severity;
let RegistryCertStore = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryKeyCreated", "RegistryValueSet")
| where RegistryKey has_any (
    "\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates",
    "\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates",
    "\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPublisher\\Certificates",
    "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\ROOT\\Certificates",
    "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates"
  )
| where InitiatingProcessFileName !in~ ("svchost.exe", "WmiPrvSE.exe", "TrustedInstaller.exe", "MicrosoftEdgeUpdate.exe", "chrome.exe", "msedge.exe", "firefox.exe")
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey, RegistryValueName, RegistryValueData,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
CertUtilAddStore
| union RegistryCertStore

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Windows Registry Key Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Enterprise software deployment (SCCM, Intune, Group Policy) pushing internal CA certificates to trusted stores — typically initiated by svchost.exe or a management agent with a known certificate path under Program Files
Developers installing self-signed certificates for local HTTPS development environments (certutil -addstore ROOT localhost.cer from a known dev machine)
SSL inspection proxies (Zscaler, Netskope, Blue Coat) requiring client-side root certificate installation as part of authorized security tooling rollout
Software installers (antivirus, VPN clients, enterprise applications) that embed certificate installation steps during setup — initiating process will be a signed installer from a known vendor path
Browser certificate management (Chrome, Edge, Firefox enterprise policies) making registry-level cert store changes as part of normal operation

Splunk

spl

| union
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\certutil.exe" OR Image="*\\certutil")
    (CommandLine="*-addstore*" OR CommandLine="*/addstore*")
  | eval TargetStore=replace(lower(CommandLine), ".*(?:-|/)addstore\s+(\S+).*", "\1")
  | eval IsRootStore=if(match(lower(CommandLine), "(?:-|/)addstore\s+(?:root|trustedroot|authroot)"), 1, 0)
  | eval IsTrustedPublisher=if(match(lower(CommandLine), "(?:-|/)addstore\s+(?:trustedpublisher|trusted)"), 1, 0)
  | eval SuspiciousPath=if(match(lower(CommandLine), "(?:\\\\temp\\\\|\\\\appdata\\\\|\\\\downloads\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\)"), 1, 0)
  | eval DetectionSource="certutil_process"
  | eval SuspicionScore=IsRootStore + IsTrustedPublisher + SuspiciousPath
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsRootStore, IsTrustedPublisher, SuspiciousPath, SuspicionScore, DetectionSource ]
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=12 OR EventCode=13
    (TargetObject="*\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\*"
     OR TargetObject="*\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*"
     OR TargetObject="*\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPublisher\\Certificates\\*"
     OR TargetObject="*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\*"
     OR TargetObject="*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*")
    NOT (Image="*\\svchost.exe" OR Image="*\\TrustedInstaller.exe" OR Image="*\\MicrosoftEdgeUpdate.exe" OR Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\firefox.exe")
  | eval IsRootStore=if(match(TargetObject, "(?i)(ROOT|AuthRoot)"), 1, 0)
  | eval IsTrustedPublisher=if(match(TargetObject, "(?i)TrustedPublisher"), 1, 0)
  | eval SuspiciousPath=0
  | eval DetectionSource="registry_cert_store"
  | eval SuspicionScore=IsRootStore + IsTrustedPublisher
  | rename TargetObject as CommandLine
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsRootStore, IsTrustedPublisher, SuspiciousPath, SuspicionScore, DetectionSource ]
| where SuspicionScore > 0
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Creation Windows Registry: Windows Registry Key Modification Sysmon Event ID 1 Sysmon Event ID 12 Sysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Enterprise software deployment (SCCM, Intune, Group Policy) pushing internal CA certificates to trusted stores — typically initiated by svchost.exe or a management agent with a known certificate path under Program Files
Developers installing self-signed certificates for local HTTPS development environments (certutil -addstore ROOT localhost.cer from a known dev machine)
SSL inspection proxies (Zscaler, Netskope, Blue Coat) requiring client-side root certificate installation as part of authorized security tooling rollout
Software installers (antivirus, VPN clients, enterprise applications) that embed certificate installation steps during setup — initiating process will be a signed installer from a known vendor path
Browser certificate management (Chrome, Edge, Firefox enterprise policies) making registry-level cert store changes as part of normal operation

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start"
   and process.name : "certutil.exe"
   and process.args : ("-addstore", "/addstore", "-AddStore", "/AddStore")
  ] by process.pid
| [any where true] by process.pid

union

process where event.type == "start"
  and process.name : "certutil.exe"
  and process.command_line : ("*-addstore*", "*/addstore*")
  and (
    process.command_line : ("*ROOT*", "*AuthRoot*", "*TrustedRoot*", "*TrustedPublisher*")
  )
  | eval is_root_store = if(process.command_line like~ "*root*" or process.command_line like~ "*authroot*", true, false)
  | eval suspicious_path = if(process.command_line like~ "*\\temp\\*" or process.command_line like~ "*\\appdata\\*" or process.command_line like~ "*\\downloads\\*" or process.command_line like~ "*\\programdata\\*" or process.command_line like~ "*users\\public*", true, false)

union

registry where event.type in ("creation", "change")
  and registry.path : (
    "*\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\*",
    "*\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*",
    "*\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPublisher\\Certificates\\*",
    "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\*",
    "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*"
  )
  and not process.name : ("svchost.exe", "WmiPrvSE.exe", "TrustedInstaller.exe", "MicrosoftEdgeUpdate.exe", "chrome.exe", "msedge.exe", "firefox.exe")

high severity high confidence

Data Sources

Windows Endpoint (Elastic Agent / Winlogbeat + Sysmon) Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* winlogbeat-*

False Positives

Enterprise software deployment tools (SCCM, Intune) legitimately install trusted CA certificates during software installation or OS configuration
Corporate PKI administrators running certutil to deploy internal CA certificates to domain-joined machines via GPO or scripts
Browser updates (Chrome, Edge, Firefox) occasionally write to certificate registry paths during trust store synchronization

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  "ImageFileName" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("CommandLine") MATCHES '.*(?:-|/)addstore\s+(?:root|trustedroot|authroot).*' THEN 'High'
    WHEN LOWER("CommandLine") MATCHES '.*(?:-|/)addstore\s+(?:trustedpublisher|trusted).*' THEN 'Medium'
    ELSE 'Low'
  END AS severity,
  CASE
    WHEN LOWER("CommandLine") MATCHES '.*(\\temp\\|\\appdata\\|\\downloads\\|\\programdata\\|users\\public).*' THEN 1
    ELSE 0
  END AS suspicious_path_flag
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 376)
  AND (
    (
      ("ImageFileName" IMATCHES '%\\certutil.exe'
       OR "ImageFileName" IMATCHES '%\\certutil')
      AND ("CommandLine" IMATCHES '%-addstore%'
           OR "CommandLine" IMATCHES '%/addstore%')
    )
    OR
    (
      ("EventID" = 12 OR "EventID" = 13)
      AND (
        "TargetObject" IMATCHES '%\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\%'
        OR "TargetObject" IMATCHES '%\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\%'
        OR "TargetObject" IMATCHES '%\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPublisher\\Certificates\\%'
        OR "TargetObject" IMATCHES '%\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\%'
      )
      AND "ImageFileName" NOT IMATCHES '%\\svchost.exe'
      AND "ImageFileName" NOT IMATCHES '%\\TrustedInstaller.exe'
      AND "ImageFileName" NOT IMATCHES '%\\MicrosoftEdgeUpdate.exe'
      AND "ImageFileName" NOT IMATCHES '%\\chrome.exe'
      AND "ImageFileName" NOT IMATCHES '%\\msedge.exe'
      AND "ImageFileName" NOT IMATCHES '%\\firefox.exe'
    )
  )
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
ORDER BY devicetime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Sysmon (Windows) Windows Security Event Log QRadar WinCollect agent

Required Tables

events

False Positives

Enterprise certificate management systems (SCCM, Active Directory Certificate Services) that push CA certs to managed endpoints during provisioning
Security software (antivirus, endpoint agents) that add their own signing certificates to TrustedPublisher to facilitate driver loading
System administrators running certutil manually during workstation setup or certificate renewal workflows

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<Image>*</Image>" as process_image nodrop
| parse "<CommandLine>*</CommandLine>" as command_line nodrop
| parse "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse "<ParentCommandLine>*</ParentCommandLine>" as parent_command_line nodrop
| parse "<User>*</User>" as username nodrop
| parse "<Computer>*</Computer>" as hostname nodrop
| parse "<TargetObject>*</TargetObject>" as registry_target nodrop
| where (
    (
      event_id = "1"
      and (process_image matches "*\\certutil.exe" or process_image matches "*\\certutil")
      and (command_line matches "*-addstore*" or command_line matches "*/addstore*")
    )
    or
    (
      (event_id = "12" or event_id = "13")
      and (
        registry_target matches "*\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\*"
        or registry_target matches "*\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*"
        or registry_target matches "*\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPublisher\\Certificates\\*"
        or registry_target matches "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\*"
        or registry_target matches "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*"
      )
      and !process_image matches "*\\svchost.exe"
      and !process_image matches "*\\TrustedInstaller.exe"
      and !process_image matches "*\\MicrosoftEdgeUpdate.exe"
      and !process_image matches "*\\chrome.exe"
      and !process_image matches "*\\msedge.exe"
      and !process_image matches "*\\firefox.exe"
    )
  )
| eval detection_type = if(event_id = "1", "certutil_addstore", "registry_cert_store")
| eval is_root_store = if(
    command_line matches "*ROOT*" or command_line matches "*AuthRoot*" or command_line matches "*TrustedRoot*"
    or registry_target matches "*ROOT*" or registry_target matches "*AuthRoot*",
    1, 0)
| eval is_trusted_publisher = if(
    command_line matches "*TrustedPublisher*" or registry_target matches "*TrustedPublisher*",
    1, 0)
| eval suspicious_path = if(
    command_line matches "*\\Temp\\*" or command_line matches "*\\AppData\\*" or command_line matches "*\\Downloads\\*" or command_line matches "*\\ProgramData\\*" or command_line matches "*Users\\Public*",
    1, 0)
| eval suspicion_score = is_root_store + is_trusted_publisher + suspicious_path
| eval severity = if(is_root_store = 1 and suspicious_path = 1, "High",
    if(is_root_store = 1, "Medium",
    if(is_trusted_publisher = 1 and suspicious_path = 1, "High", "Low")))
| where suspicion_score > 0
| fields _time, hostname, username, process_image, command_line, parent_image, registry_target, detection_type, is_root_store, is_trusted_publisher, suspicious_path, suspicion_score, severity
| sort by _time desc

high severity high confidence

Data Sources

Sysmon via Sumo Logic Installed Collector (Windows) Windows Event Forwarding to Sumo Logic

Required Tables

_sourceCategory=windows/sysmon

False Positives

IT administrators deploying internal PKI root CA certificates to endpoints via scripts or SCCM task sequences
Software installers for enterprise products (VPNs, proxies, DLP agents) that install their own root certificates as part of setup
Mobile Device Management (MDM) or endpoint management agents writing certificate policies on enrolled devices

Google Chronicle / SecOps

yaral

rule t1553_004_install_root_certificate {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1553.004 Install Root Certificate via certutil -addstore and suspicious registry writes to Windows certificate trust stores"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1553.004"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-13"

  events:
    (
      // Variant 1: certutil.exe -addstore to root/trusted stores
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.target.process.file.full_path, `(?i)certutil\.exe$`)
      and (
        re.regex($e.target.process.command_line, `(?i)(?:-|/)addstore`) and
        re.regex($e.target.process.command_line, `(?i)(ROOT|AuthRoot|TrustedRoot|TrustedPublisher)`)
      )
    )
    or
    (
      // Variant 2: Registry write to certificate trust store paths
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
      and re.regex($e.target.registry.registry_key,
        `(?i)\\SOFTWARE\\(Microsoft|Policies\\Microsoft)\\SystemCertificates\\(ROOT|AuthRoot|TrustedPublisher)\\Certificates`)
      and not re.regex($e.principal.process.file.full_path,
        `(?i)(svchost|WmiPrvSE|TrustedInstaller|MicrosoftEdgeUpdate|chrome|msedge|firefox)\.exe$`)
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_path = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $registry_key = $e.target.registry.registry_key
    $is_root_store = if(
      re.regex($e.target.process.command_line, `(?i)(ROOT|AuthRoot|TrustedRoot)`) or
      re.regex($e.target.registry.registry_key, `(?i)(ROOT|AuthRoot)`),
      "true", "false")
    $suspicious_path = if(
      re.regex($e.target.process.command_line,
        `(?i)(\\Temp\\|\\AppData\\|\\Downloads\\|\\ProgramData\\|Users\\Public)`),
      "true", "false")
    $risk_score = if(
      $is_root_store = "true" and $suspicious_path = "true", 90,
      if($is_root_store = "true", 70,
      if($suspicious_path = "true", 60, 40)))

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM (Windows Endpoint via Forwarder) Google Chronicle SIEM with Windows telemetry ingestion

Required Tables

UDM events (PROCESS_LAUNCH, REGISTRY_MODIFICATION)

False Positives

Enterprise PKI deployments where administrators use certutil to distribute internal CA certificates to managed workstations
Third-party security tools (SSL inspection proxies, web filtering appliances) that install their root certificate to decrypt HTTPS traffic with corporate policy approval
Windows Update or system configuration processes that update the AuthRoot certificate store as part of CTL (Certificate Trust List) automatic updates

CrowdStrike LogScale (CQL)

cql

// T1553.004 - Install Root Certificate: CrowdStrike LogScale (Falcon) Detection
// Variant 1: certutil.exe -addstore to trusted certificate stores
#event_simpleName=ProcessRollup2
| FileName = /(?i)certutil\.exe$/
| CommandLine = /(?i)(?:-|\/)(addstore|AddStore)/
| regex(field=CommandLine, regex="(?i)(?:-|/)addstore\\s+(ROOT|AuthRoot|TrustedRoot|TrustedPublisher)", strict=false)
| eval IsRootStore = if(CommandLine = /(?i)(?:-|\/)addstore\s+(?:root|trustedroot|authroot)/, "true", "false")
| eval IsTrustedPublisher = if(CommandLine = /(?i)(?:-|\/)addstore\s+(?:trustedpublisher)/, "true", "false")
| eval SuspiciousPath = if(CommandLine = /(?i)(\\temp\\|\\appdata\\|\\downloads\\|\\programdata\\|users\\public)/, "true", "false")
| eval Severity = case(
    IsRootStore = "true" AND SuspiciousPath = "true", "High",
    IsRootStore = "true", "Medium",
    IsTrustedPublisher = "true" AND SuspiciousPath = "true", "High",
    true(), "Low")
| eval DetectionType = "certutil_addstore"
| table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, IsRootStore, IsTrustedPublisher, SuspiciousPath, Severity, DetectionType])

// Variant 2: Registry writes to Windows certificate trust store paths
// Run as separate search or use union
// #event_simpleName in (RegKeyCreate, RegValueUpdate)
// | TargetObject = /(?i)\\SOFTWARE\\(Microsoft|Policies\\Microsoft)\\SystemCertificates\\(ROOT|AuthRoot|TrustedPublisher)\\Certificates/
// | ContextProcessName != /(?i)(svchost|TrustedInstaller|MicrosoftEdgeUpdate|chrome|msedge|firefox)\.exe$/
// | eval IsRootStore = if(TargetObject = /(?i)(ROOT|AuthRoot)/, "true", "false")
// | eval IsTrustedPublisher = if(TargetObject = /(?i)TrustedPublisher/, "true", "false")
// | eval DetectionType = "registry_cert_store"
// | table([_time, ComputerName, UserName, ContextProcessName, TargetObject, IsRootStore, IsTrustedPublisher, DetectionType])
| groupBy([ComputerName, UserName, FileName, CommandLine, DetectionType, Severity], function=count(as=event_count))
| sort(Severity, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (Windows) Falcon Data Replicator or Humio/LogScale SIEM

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=RegKeyCreate #event_simpleName=RegValueUpdate

False Positives

Automated endpoint provisioning workflows that use certutil to install corporate PKI root certificates during machine imaging or onboarding
Legitimate enterprise proxy or SSL inspection solutions (Zscaler, Palo Alto Prisma) that require their CA certificate in the ROOT store for traffic inspection
Security operations teams running Atomic Red Team or other adversary simulation frameworks for purple team exercises against the ROOT store

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1553.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1553Subvert Trust Controls

Related Sub-techniques

T1553.001Gatekeeper Bypass T1553.002Code Signing T1553.003SIP and Trust Provider Hijacking T1553.005Mark-of-the-Web Bypass T1553.006Code Signing Policy Modification

Install Root Certificate

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections