Detect Install Root Certificate in Microsoft Sentinel
Adversaries may install a root certificate on a compromised system to undermine TLS/SSL trust validation, enabling Adversary-in-the-Middle (AiTM) attacks against encrypted communications. By adding a malicious CA certificate to the system or user trust store, the adversary can intercept HTTPS traffic, sign malicious executables to bypass code signing checks, or spoof legitimate websites to harvest credentials without triggering browser security warnings. This technique has been observed in banking trojans (RTM, Hikit), macOS malware (Dok, Ay MaMi), and supply chain attacks (Superfish). On Windows, certutil.exe is the primary living-off-the-land tool for adding certificates to named stores (ROOT, CA, TrustedPublisher). On macOS, the security binary can add trusted root certificates to the System or login keychain. On Linux, certificates can be dropped into /usr/local/share/ca-certificates/ followed by update-ca-certificates.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1553 Subvert Trust Controls
- Sub-technique
- T1553.004 Install Root Certificate
- Canonical reference
- https://attack.mitre.org/techniques/T1553/004/
KQL Detection Query
// T1553.004 — Install Root Certificate
// Detects certutil adding certificates to trust stores, suspicious registry writes to certificate stores,
// and process-based certificate installation on Windows endpoints.
let CertUtilAddStore = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-addstore", "/addstore", "-AddStore", "/AddStore")
| extend TargetStore = extract(@"(?i)(?:-|/)addstore\s+(\S+)", 1, ProcessCommandLine)
| extend CertFile = extract(@"(?i)(?:-|/)addstore\s+\S+\s+(\S+\.(?:cer|crt|p7b|pfx|pem|der))", 1, ProcessCommandLine)
| extend IsRootStore = TargetStore has_any ("ROOT", "TrustedRoot", "AuthRoot")
| extend IsTrustedPublisher = TargetStore has_any ("TrustedPublisher", "Trusted")
| extend SuspiciousPath = CertFile has_any ("\\Temp\\", "\\AppData\\", "\\Downloads\\", "\\ProgramData\\", "\\Users\\Public\\", "C:\\Windows\\Temp")
| extend Severity = case(
IsRootStore and SuspiciousPath, "High",
IsRootStore, "Medium",
IsTrustedPublisher and SuspiciousPath, "High",
"Low")
| project Timestamp, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName,
TargetStore, CertFile, IsRootStore, IsTrustedPublisher, SuspiciousPath, Severity;
let RegistryCertStore = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryKeyCreated", "RegistryValueSet")
| where RegistryKey has_any (
"\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates",
"\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates",
"\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPublisher\\Certificates",
"\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\ROOT\\Certificates",
"\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates"
)
| where InitiatingProcessFileName !in~ ("svchost.exe", "WmiPrvSE.exe", "TrustedInstaller.exe", "MicrosoftEdgeUpdate.exe", "chrome.exe", "msedge.exe", "firefox.exe")
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey, RegistryValueName, RegistryValueData,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
CertUtilAddStore
| union RegistryCertStoreDetects root certificate installation on Windows via two primary vectors: (1) certutil.exe invoked with -addstore targeting ROOT, AuthRoot, or TrustedPublisher certificate stores — with enrichment for suspicious source file paths (Temp, AppData, Downloads); (2) direct registry writes under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT and related policy-enforced store paths from unexpected initiating processes. Excludes common legitimate updaters (browser auto-update, TrustedInstaller). The combined union query surfaces both command-line and registry-based installation paths.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise software deployment (SCCM, Intune, Group Policy) pushing internal CA certificates to trusted stores — typically initiated by svchost.exe or a management agent with a known certificate path under Program Files
- Developers installing self-signed certificates for local HTTPS development environments (certutil -addstore ROOT localhost.cer from a known dev machine)
- SSL inspection proxies (Zscaler, Netskope, Blue Coat) requiring client-side root certificate installation as part of authorized security tooling rollout
- Software installers (antivirus, VPN clients, enterprise applications) that embed certificate installation steps during setup — initiating process will be a signed installer from a known vendor path
- Browser certificate management (Chrome, Edge, Firefox enterprise policies) making registry-level cert store changes as part of normal operation
Other platforms for T1553.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Install Malicious Root Certificate via certutil (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore -f ROOT' and the temp path '\Temp\df00tech-test-root.cer'. Sysmon Event ID 12/13: Registry key created under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint> with Blob value containing the DER-encoded certificate. Security Event ID 4688 (if command line auditing enabled) with same certutil invocation.
- Test 2Install Root Certificate to User Store (Low-Privilege Variant)
Expected signal: Sysmon Event ID 1: certutil.exe with CommandLine containing '-user -addstore ROOT' and %APPDATA% path. Sysmon Event ID 13: Registry value set under HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>. This variant writes to HKCU (user hive) rather than HKLM — ensure the registry detection covers both hive locations.
- Test 3Install Root Certificate on macOS via security Command
Expected signal: Endpoint Security Framework (ESF) / Unified Log: process execution of /usr/bin/security with arguments 'add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/df00tech-test-root.pem'. macOS Endpoint Detection (Jamf Protect, Crowdstrike Falcon for Mac): process create event with the security binary invocation. Keychain modification events in the Unified Log (log stream --predicate 'subsystem == "com.apple.securityd"').
- Test 4Install Root Certificate on Linux via update-ca-certificates
Expected signal: Auditd: syscall write/open to /usr/local/share/ca-certificates/ (rule: -w /usr/local/share/ca-certificates/ -p wa -k cert_store_modification). Syslog/auditd execve: update-ca-certificates process creation. File integrity monitoring (OSSEC, Wazuh, Falco): alert on new file creation in /usr/local/share/ca-certificates/ and modification of /etc/ssl/certs/ directory. Falco rule: spawning of update-ca-certificates by an unexpected parent process.
References (10)
- https://attack.mitre.org/techniques/T1553/004/
- https://en.wikipedia.org/wiki/Root_certificate
- https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/
- https://objective-see.com/blog/blog_0x26.html
- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
- https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
- https://docs.microsoft.com/sysinternals/downloads/sigcheck
- https://support.apple.com/guide/keychain-access/add-certificates-to-a-keychain-kyca2540/mac
Unlock Pro Content
Get the full detection package for T1553.004 including response playbook, investigation guide, and atomic red team tests.