T1553.004 CrowdStrike LogScale · LogScale

Detect Install Root Certificate in CrowdStrike LogScale

Adversaries may install a root certificate on a compromised system to undermine TLS/SSL trust validation, enabling Adversary-in-the-Middle (AiTM) attacks against encrypted communications. By adding a malicious CA certificate to the system or user trust store, the adversary can intercept HTTPS traffic, sign malicious executables to bypass code signing checks, or spoof legitimate websites to harvest credentials without triggering browser security warnings. This technique has been observed in banking trojans (RTM, Hikit), macOS malware (Dok, Ay MaMi), and supply chain attacks (Superfish). On Windows, certutil.exe is the primary living-off-the-land tool for adding certificates to named stores (ROOT, CA, TrustedPublisher). On macOS, the security binary can add trusted root certificates to the System or login keychain. On Linux, certificates can be dropped into /usr/local/share/ca-certificates/ followed by update-ca-certificates.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1553 Subvert Trust Controls
Sub-technique
T1553.004 Install Root Certificate
Canonical reference
https://attack.mitre.org/techniques/T1553/004/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1553.004 - Install Root Certificate: CrowdStrike LogScale (Falcon) Detection
// Variant 1: certutil.exe -addstore to trusted certificate stores
#event_simpleName=ProcessRollup2
| FileName = /(?i)certutil\.exe$/
| CommandLine = /(?i)(?:-|\/)(addstore|AddStore)/
| regex(field=CommandLine, regex="(?i)(?:-|/)addstore\\s+(ROOT|AuthRoot|TrustedRoot|TrustedPublisher)", strict=false)
| eval IsRootStore = if(CommandLine = /(?i)(?:-|\/)addstore\s+(?:root|trustedroot|authroot)/, "true", "false")
| eval IsTrustedPublisher = if(CommandLine = /(?i)(?:-|\/)addstore\s+(?:trustedpublisher)/, "true", "false")
| eval SuspiciousPath = if(CommandLine = /(?i)(\\temp\\|\\appdata\\|\\downloads\\|\\programdata\\|users\\public)/, "true", "false")
| eval Severity = case(
    IsRootStore = "true" AND SuspiciousPath = "true", "High",
    IsRootStore = "true", "Medium",
    IsTrustedPublisher = "true" AND SuspiciousPath = "true", "High",
    true(), "Low")
| eval DetectionType = "certutil_addstore"
| table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, IsRootStore, IsTrustedPublisher, SuspiciousPath, Severity, DetectionType])

// Variant 2: Registry writes to Windows certificate trust store paths
// Run as separate search or use union
// #event_simpleName in (RegKeyCreate, RegValueUpdate)
// | TargetObject = /(?i)\\SOFTWARE\\(Microsoft|Policies\\Microsoft)\\SystemCertificates\\(ROOT|AuthRoot|TrustedPublisher)\\Certificates/
// | ContextProcessName != /(?i)(svchost|TrustedInstaller|MicrosoftEdgeUpdate|chrome|msedge|firefox)\.exe$/
// | eval IsRootStore = if(TargetObject = /(?i)(ROOT|AuthRoot)/, "true", "false")
// | eval IsTrustedPublisher = if(TargetObject = /(?i)TrustedPublisher/, "true", "false")
// | eval DetectionType = "registry_cert_store"
// | table([_time, ComputerName, UserName, ContextProcessName, TargetObject, IsRootStore, IsTrustedPublisher, DetectionType])
| groupBy([ComputerName, UserName, FileName, CommandLine, DetectionType, Severity], function=count(as=event_count))
| sort(Severity, order=desc)
high severity high confidence

Detects T1553.004 Install Root Certificate in CrowdStrike Falcon via LogScale CQL. Primary variant monitors ProcessRollup2 events for certutil.exe -addstore commands targeting root/trusted certificate stores. Secondary variant (commented) monitors registry modification events targeting Windows SystemCertificates paths. Enriches events with store type, path suspicion scoring, and severity.

Data Sources

CrowdStrike Falcon Sensor (Windows)Falcon Data Replicator or Humio/LogScale SIEM

Required Tables

#event_simpleName=ProcessRollup2#event_simpleName=RegKeyCreate#event_simpleName=RegValueUpdate

False Positives & Tuning

  • Automated endpoint provisioning workflows that use certutil to install corporate PKI root certificates during machine imaging or onboarding
  • Legitimate enterprise proxy or SSL inspection solutions (Zscaler, Palo Alto Prisma) that require their CA certificate in the ROOT store for traffic inspection
  • Security operations teams running Atomic Red Team or other adversary simulation frameworks for purple team exercises against the ROOT store
Download portable Sigma rule (.yml)

Other platforms for T1553.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Install Malicious Root Certificate via certutil (Windows)

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore -f ROOT' and the temp path '\Temp\df00tech-test-root.cer'. Sysmon Event ID 12/13: Registry key created under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint> with Blob value containing the DER-encoded certificate. Security Event ID 4688 (if command line auditing enabled) with same certutil invocation.

  2. Test 2Install Root Certificate to User Store (Low-Privilege Variant)

    Expected signal: Sysmon Event ID 1: certutil.exe with CommandLine containing '-user -addstore ROOT' and %APPDATA% path. Sysmon Event ID 13: Registry value set under HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>. This variant writes to HKCU (user hive) rather than HKLM — ensure the registry detection covers both hive locations.

  3. Test 3Install Root Certificate on macOS via security Command

    Expected signal: Endpoint Security Framework (ESF) / Unified Log: process execution of /usr/bin/security with arguments 'add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/df00tech-test-root.pem'. macOS Endpoint Detection (Jamf Protect, Crowdstrike Falcon for Mac): process create event with the security binary invocation. Keychain modification events in the Unified Log (log stream --predicate 'subsystem == "com.apple.securityd"').

  4. Test 4Install Root Certificate on Linux via update-ca-certificates

    Expected signal: Auditd: syscall write/open to /usr/local/share/ca-certificates/ (rule: -w /usr/local/share/ca-certificates/ -p wa -k cert_store_modification). Syslog/auditd execve: update-ca-certificates process creation. File integrity monitoring (OSSEC, Wazuh, Falco): alert on new file creation in /usr/local/share/ca-certificates/ and modification of /etc/ssl/certs/ directory. Falco rule: spawning of update-ca-certificates by an unexpected parent process.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1553.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1553Subvert Trust Controls

Related Sub-techniques

T1553.001Gatekeeper BypassT1553.002Code SigningT1553.003SIP and Trust Provider HijackingT1553.005Mark-of-the-Web BypassT1553.006Code Signing Policy Modification

Related Techniques

T1553Subvert Trust ControlsT1557Adversary-in-the-MiddleT1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1539Steal Web Session CookieT1185Browser Session HijackingT1553.002Code SigningT1553.003SIP and Trust Provider HijackingT1140Deobfuscate/Decode Files or InformationT1105Ingress Tool Transfer

Same Tactic: Defense Evasion

Popular Detections