T1553.004 IBM QRadar · QRadar

Detect Install Root Certificate in IBM QRadar

Adversaries may install a root certificate on a compromised system to undermine TLS/SSL trust validation, enabling Adversary-in-the-Middle (AiTM) attacks against encrypted communications. By adding a malicious CA certificate to the system or user trust store, the adversary can intercept HTTPS traffic, sign malicious executables to bypass code signing checks, or spoof legitimate websites to harvest credentials without triggering browser security warnings. This technique has been observed in banking trojans (RTM, Hikit), macOS malware (Dok, Ay MaMi), and supply chain attacks (Superfish). On Windows, certutil.exe is the primary living-off-the-land tool for adding certificates to named stores (ROOT, CA, TrustedPublisher). On macOS, the security binary can add trusted root certificates to the System or login keychain. On Linux, certificates can be dropped into /usr/local/share/ca-certificates/ followed by update-ca-certificates.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1553 Subvert Trust Controls
Sub-technique
T1553.004 Install Root Certificate
Canonical reference
https://attack.mitre.org/techniques/T1553/004/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  "ImageFileName" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("CommandLine") MATCHES '.*(?:-|/)addstore\s+(?:root|trustedroot|authroot).*' THEN 'High'
    WHEN LOWER("CommandLine") MATCHES '.*(?:-|/)addstore\s+(?:trustedpublisher|trusted).*' THEN 'Medium'
    ELSE 'Low'
  END AS severity,
  CASE
    WHEN LOWER("CommandLine") MATCHES '.*(\\temp\\|\\appdata\\|\\downloads\\|\\programdata\\|users\\public).*' THEN 1
    ELSE 0
  END AS suspicious_path_flag
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 376)
  AND (
    (
      ("ImageFileName" IMATCHES '%\\certutil.exe'
       OR "ImageFileName" IMATCHES '%\\certutil')
      AND ("CommandLine" IMATCHES '%-addstore%'
           OR "CommandLine" IMATCHES '%/addstore%')
    )
    OR
    (
      ("EventID" = 12 OR "EventID" = 13)
      AND (
        "TargetObject" IMATCHES '%\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\%'
        OR "TargetObject" IMATCHES '%\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\%'
        OR "TargetObject" IMATCHES '%\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPublisher\\Certificates\\%'
        OR "TargetObject" IMATCHES '%\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\%'
      )
      AND "ImageFileName" NOT IMATCHES '%\\svchost.exe'
      AND "ImageFileName" NOT IMATCHES '%\\TrustedInstaller.exe'
      AND "ImageFileName" NOT IMATCHES '%\\MicrosoftEdgeUpdate.exe'
      AND "ImageFileName" NOT IMATCHES '%\\chrome.exe'
      AND "ImageFileName" NOT IMATCHES '%\\msedge.exe'
      AND "ImageFileName" NOT IMATCHES '%\\firefox.exe'
    )
  )
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
ORDER BY devicetime DESC
LAST 24 HOURS
high severity medium confidence

Detects T1553.004 Install Root Certificate in QRadar using Sysmon process creation (EventID 1) for certutil -addstore and Sysmon registry events (EventID 12/13) for writes to Windows certificate trust store paths. Assigns severity based on target store type and file path.

Data Sources

Sysmon (Windows)Windows Security Event LogQRadar WinCollect agent

Required Tables

events

False Positives & Tuning

  • Enterprise certificate management systems (SCCM, Active Directory Certificate Services) that push CA certs to managed endpoints during provisioning
  • Security software (antivirus, endpoint agents) that add their own signing certificates to TrustedPublisher to facilitate driver loading
  • System administrators running certutil manually during workstation setup or certificate renewal workflows
Download portable Sigma rule (.yml)

Other platforms for T1553.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Install Malicious Root Certificate via certutil (Windows)

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore -f ROOT' and the temp path '\Temp\df00tech-test-root.cer'. Sysmon Event ID 12/13: Registry key created under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint> with Blob value containing the DER-encoded certificate. Security Event ID 4688 (if command line auditing enabled) with same certutil invocation.

  2. Test 2Install Root Certificate to User Store (Low-Privilege Variant)

    Expected signal: Sysmon Event ID 1: certutil.exe with CommandLine containing '-user -addstore ROOT' and %APPDATA% path. Sysmon Event ID 13: Registry value set under HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>. This variant writes to HKCU (user hive) rather than HKLM — ensure the registry detection covers both hive locations.

  3. Test 3Install Root Certificate on macOS via security Command

    Expected signal: Endpoint Security Framework (ESF) / Unified Log: process execution of /usr/bin/security with arguments 'add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/df00tech-test-root.pem'. macOS Endpoint Detection (Jamf Protect, Crowdstrike Falcon for Mac): process create event with the security binary invocation. Keychain modification events in the Unified Log (log stream --predicate 'subsystem == "com.apple.securityd"').

  4. Test 4Install Root Certificate on Linux via update-ca-certificates

    Expected signal: Auditd: syscall write/open to /usr/local/share/ca-certificates/ (rule: -w /usr/local/share/ca-certificates/ -p wa -k cert_store_modification). Syslog/auditd execve: update-ca-certificates process creation. File integrity monitoring (OSSEC, Wazuh, Falco): alert on new file creation in /usr/local/share/ca-certificates/ and modification of /etc/ssl/certs/ directory. Falco rule: spawning of update-ca-certificates by an unexpected parent process.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1553.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1553Subvert Trust Controls

Related Sub-techniques

T1553.001Gatekeeper BypassT1553.002Code SigningT1553.003SIP and Trust Provider HijackingT1553.005Mark-of-the-Web BypassT1553.006Code Signing Policy Modification

Related Techniques

T1553Subvert Trust ControlsT1557Adversary-in-the-MiddleT1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1539Steal Web Session CookieT1185Browser Session HijackingT1553.002Code SigningT1553.003SIP and Trust Provider HijackingT1140Deobfuscate/Decode Files or InformationT1105Ingress Tool Transfer

Same Tactic: Defense Evasion

Popular Detections