T1553.004 Elastic Security · Elastic

Detect Install Root Certificate in Elastic Security

Adversaries may install a root certificate on a compromised system to undermine TLS/SSL trust validation, enabling Adversary-in-the-Middle (AiTM) attacks against encrypted communications. By adding a malicious CA certificate to the system or user trust store, the adversary can intercept HTTPS traffic, sign malicious executables to bypass code signing checks, or spoof legitimate websites to harvest credentials without triggering browser security warnings. This technique has been observed in banking trojans (RTM, Hikit), macOS malware (Dok, Ay MaMi), and supply chain attacks (Superfish). On Windows, certutil.exe is the primary living-off-the-land tool for adding certificates to named stores (ROOT, CA, TrustedPublisher). On macOS, the security binary can add trusted root certificates to the System or login keychain. On Linux, certificates can be dropped into /usr/local/share/ca-certificates/ followed by update-ca-certificates.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1553 Subvert Trust Controls
Sub-technique
T1553.004 Install Root Certificate
Canonical reference
https://attack.mitre.org/techniques/T1553/004/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [process where event.type == "start"
   and process.name : "certutil.exe"
   and process.args : ("-addstore", "/addstore", "-AddStore", "/AddStore")
  ] by process.pid
| [any where true] by process.pid

union

process where event.type == "start"
  and process.name : "certutil.exe"
  and process.command_line : ("*-addstore*", "*/addstore*")
  and (
    process.command_line : ("*ROOT*", "*AuthRoot*", "*TrustedRoot*", "*TrustedPublisher*")
  )
  | eval is_root_store = if(process.command_line like~ "*root*" or process.command_line like~ "*authroot*", true, false)
  | eval suspicious_path = if(process.command_line like~ "*\\temp\\*" or process.command_line like~ "*\\appdata\\*" or process.command_line like~ "*\\downloads\\*" or process.command_line like~ "*\\programdata\\*" or process.command_line like~ "*users\\public*", true, false)

union

registry where event.type in ("creation", "change")
  and registry.path : (
    "*\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\*",
    "*\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*",
    "*\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPublisher\\Certificates\\*",
    "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\*",
    "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*"
  )
  and not process.name : ("svchost.exe", "WmiPrvSE.exe", "TrustedInstaller.exe", "MicrosoftEdgeUpdate.exe", "chrome.exe", "msedge.exe", "firefox.exe")
high severity high confidence

Detects T1553.004 Install Root Certificate via certutil.exe -addstore to ROOT/AuthRoot/TrustedPublisher stores and suspicious registry writes to Windows certificate trust store paths. Covers both process execution and registry modification vectors.

Data Sources

Windows Endpoint (Elastic Agent / Winlogbeat + Sysmon)Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.registry-*winlogbeat-*

False Positives & Tuning

  • Enterprise software deployment tools (SCCM, Intune) legitimately install trusted CA certificates during software installation or OS configuration
  • Corporate PKI administrators running certutil to deploy internal CA certificates to domain-joined machines via GPO or scripts
  • Browser updates (Chrome, Edge, Firefox) occasionally write to certificate registry paths during trust store synchronization
Download portable Sigma rule (.yml)

Other platforms for T1553.004

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Install Malicious Root Certificate via certutil (Windows)

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore -f ROOT' and the temp path '\Temp\df00tech-test-root.cer'. Sysmon Event ID 12/13: Registry key created under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint> with Blob value containing the DER-encoded certificate. Security Event ID 4688 (if command line auditing enabled) with same certutil invocation.

  2. Test 2Install Root Certificate to User Store (Low-Privilege Variant)

    Expected signal: Sysmon Event ID 1: certutil.exe with CommandLine containing '-user -addstore ROOT' and %APPDATA% path. Sysmon Event ID 13: Registry value set under HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>. This variant writes to HKCU (user hive) rather than HKLM — ensure the registry detection covers both hive locations.

  3. Test 3Install Root Certificate on macOS via security Command

    Expected signal: Endpoint Security Framework (ESF) / Unified Log: process execution of /usr/bin/security with arguments 'add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/df00tech-test-root.pem'. macOS Endpoint Detection (Jamf Protect, Crowdstrike Falcon for Mac): process create event with the security binary invocation. Keychain modification events in the Unified Log (log stream --predicate 'subsystem == "com.apple.securityd"').

  4. Test 4Install Root Certificate on Linux via update-ca-certificates

    Expected signal: Auditd: syscall write/open to /usr/local/share/ca-certificates/ (rule: -w /usr/local/share/ca-certificates/ -p wa -k cert_store_modification). Syslog/auditd execve: update-ca-certificates process creation. File integrity monitoring (OSSEC, Wazuh, Falco): alert on new file creation in /usr/local/share/ca-certificates/ and modification of /etc/ssl/certs/ directory. Falco rule: spawning of update-ca-certificates by an unexpected parent process.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1553.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1553Subvert Trust Controls

Related Sub-techniques

T1553.001Gatekeeper BypassT1553.002Code SigningT1553.003SIP and Trust Provider HijackingT1553.005Mark-of-the-Web BypassT1553.006Code Signing Policy Modification

Related Techniques

T1553Subvert Trust ControlsT1557Adversary-in-the-MiddleT1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1539Steal Web Session CookieT1185Browser Session HijackingT1553.002Code SigningT1553.003SIP and Trust Provider HijackingT1140Deobfuscate/Decode Files or InformationT1105Ingress Tool Transfer

Same Tactic: Defense Evasion

Popular Detections