Detect Install Root Certificate in Splunk
Adversaries may install a root certificate on a compromised system to undermine TLS/SSL trust validation, enabling Adversary-in-the-Middle (AiTM) attacks against encrypted communications. By adding a malicious CA certificate to the system or user trust store, the adversary can intercept HTTPS traffic, sign malicious executables to bypass code signing checks, or spoof legitimate websites to harvest credentials without triggering browser security warnings. This technique has been observed in banking trojans (RTM, Hikit), macOS malware (Dok, Ay MaMi), and supply chain attacks (Superfish). On Windows, certutil.exe is the primary living-off-the-land tool for adding certificates to named stores (ROOT, CA, TrustedPublisher). On macOS, the security binary can add trusted root certificates to the System or login keychain. On Linux, certificates can be dropped into /usr/local/share/ca-certificates/ followed by update-ca-certificates.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1553 Subvert Trust Controls
- Sub-technique
- T1553.004 Install Root Certificate
- Canonical reference
- https://attack.mitre.org/techniques/T1553/004/
SPL Detection Query
| union
[ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\certutil.exe" OR Image="*\\certutil")
(CommandLine="*-addstore*" OR CommandLine="*/addstore*")
| eval TargetStore=replace(lower(CommandLine), ".*(?:-|/)addstore\s+(\S+).*", "\1")
| eval IsRootStore=if(match(lower(CommandLine), "(?:-|/)addstore\s+(?:root|trustedroot|authroot)"), 1, 0)
| eval IsTrustedPublisher=if(match(lower(CommandLine), "(?:-|/)addstore\s+(?:trustedpublisher|trusted)"), 1, 0)
| eval SuspiciousPath=if(match(lower(CommandLine), "(?:\\\\temp\\\\|\\\\appdata\\\\|\\\\downloads\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\)"), 1, 0)
| eval DetectionSource="certutil_process"
| eval SuspicionScore=IsRootStore + IsTrustedPublisher + SuspiciousPath
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsRootStore, IsTrustedPublisher, SuspiciousPath, SuspicionScore, DetectionSource ]
[ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=12 OR EventCode=13
(TargetObject="*\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\*"
OR TargetObject="*\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*"
OR TargetObject="*\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPublisher\\Certificates\\*"
OR TargetObject="*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\*"
OR TargetObject="*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*")
NOT (Image="*\\svchost.exe" OR Image="*\\TrustedInstaller.exe" OR Image="*\\MicrosoftEdgeUpdate.exe" OR Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\firefox.exe")
| eval IsRootStore=if(match(TargetObject, "(?i)(ROOT|AuthRoot)"), 1, 0)
| eval IsTrustedPublisher=if(match(TargetObject, "(?i)TrustedPublisher"), 1, 0)
| eval SuspiciousPath=0
| eval DetectionSource="registry_cert_store"
| eval SuspicionScore=IsRootStore + IsTrustedPublisher
| rename TargetObject as CommandLine
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsRootStore, IsTrustedPublisher, SuspiciousPath, SuspicionScore, DetectionSource ]
| where SuspicionScore > 0
| sort - _timeDetects root certificate installation on Windows via two event sources unioned together: (1) Sysmon EventCode=1 (Process Create) for certutil.exe invocations containing -addstore or /addstore flags, with scoring for root store targeting and suspicious source paths; (2) Sysmon EventCode=12/13 (Registry Key Create/Set) for direct modifications to the ROOT, AuthRoot, TrustedPublisher, and Policies certificate store registry paths, excluding known-legitimate processes. A SuspicionScore of 1+ triggers an alert, with higher scores (2+) indicating stronger confidence.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Enterprise software deployment (SCCM, Intune, Group Policy) pushing internal CA certificates to trusted stores — typically initiated by svchost.exe or a management agent with a known certificate path under Program Files
- Developers installing self-signed certificates for local HTTPS development environments (certutil -addstore ROOT localhost.cer from a known dev machine)
- SSL inspection proxies (Zscaler, Netskope, Blue Coat) requiring client-side root certificate installation as part of authorized security tooling rollout
- Software installers (antivirus, VPN clients, enterprise applications) that embed certificate installation steps during setup — initiating process will be a signed installer from a known vendor path
- Browser certificate management (Chrome, Edge, Firefox enterprise policies) making registry-level cert store changes as part of normal operation
Other platforms for T1553.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Install Malicious Root Certificate via certutil (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore -f ROOT' and the temp path '\Temp\df00tech-test-root.cer'. Sysmon Event ID 12/13: Registry key created under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint> with Blob value containing the DER-encoded certificate. Security Event ID 4688 (if command line auditing enabled) with same certutil invocation.
- Test 2Install Root Certificate to User Store (Low-Privilege Variant)
Expected signal: Sysmon Event ID 1: certutil.exe with CommandLine containing '-user -addstore ROOT' and %APPDATA% path. Sysmon Event ID 13: Registry value set under HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>. This variant writes to HKCU (user hive) rather than HKLM — ensure the registry detection covers both hive locations.
- Test 3Install Root Certificate on macOS via security Command
Expected signal: Endpoint Security Framework (ESF) / Unified Log: process execution of /usr/bin/security with arguments 'add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/df00tech-test-root.pem'. macOS Endpoint Detection (Jamf Protect, Crowdstrike Falcon for Mac): process create event with the security binary invocation. Keychain modification events in the Unified Log (log stream --predicate 'subsystem == "com.apple.securityd"').
- Test 4Install Root Certificate on Linux via update-ca-certificates
Expected signal: Auditd: syscall write/open to /usr/local/share/ca-certificates/ (rule: -w /usr/local/share/ca-certificates/ -p wa -k cert_store_modification). Syslog/auditd execve: update-ca-certificates process creation. File integrity monitoring (OSSEC, Wazuh, Falco): alert on new file creation in /usr/local/share/ca-certificates/ and modification of /etc/ssl/certs/ directory. Falco rule: spawning of update-ca-certificates by an unexpected parent process.
References (10)
- https://attack.mitre.org/techniques/T1553/004/
- https://en.wikipedia.org/wiki/Root_certificate
- https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/
- https://objective-see.com/blog/blog_0x26.html
- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
- https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
- https://docs.microsoft.com/sysinternals/downloads/sigcheck
- https://support.apple.com/guide/keychain-access/add-certificates-to-a-keychain-kyca2540/mac
Unlock Pro Content
Get the full detection package for T1553.004 including response playbook, investigation guide, and atomic red team tests.