Detect Install Root Certificate in Sumo Logic CSE
Adversaries may install a root certificate on a compromised system to undermine TLS/SSL trust validation, enabling Adversary-in-the-Middle (AiTM) attacks against encrypted communications. By adding a malicious CA certificate to the system or user trust store, the adversary can intercept HTTPS traffic, sign malicious executables to bypass code signing checks, or spoof legitimate websites to harvest credentials without triggering browser security warnings. This technique has been observed in banking trojans (RTM, Hikit), macOS malware (Dok, Ay MaMi), and supply chain attacks (Superfish). On Windows, certutil.exe is the primary living-off-the-land tool for adding certificates to named stores (ROOT, CA, TrustedPublisher). On macOS, the security binary can add trusted root certificates to the System or login keychain. On Linux, certificates can be dropped into /usr/local/share/ca-certificates/ followed by update-ca-certificates.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1553 Subvert Trust Controls
- Sub-technique
- T1553.004 Install Root Certificate
- Canonical reference
- https://attack.mitre.org/techniques/T1553/004/
Sumo Detection Query
(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<Image>*</Image>" as process_image nodrop
| parse "<CommandLine>*</CommandLine>" as command_line nodrop
| parse "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse "<ParentCommandLine>*</ParentCommandLine>" as parent_command_line nodrop
| parse "<User>*</User>" as username nodrop
| parse "<Computer>*</Computer>" as hostname nodrop
| parse "<TargetObject>*</TargetObject>" as registry_target nodrop
| where (
(
event_id = "1"
and (process_image matches "*\\certutil.exe" or process_image matches "*\\certutil")
and (command_line matches "*-addstore*" or command_line matches "*/addstore*")
)
or
(
(event_id = "12" or event_id = "13")
and (
registry_target matches "*\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\*"
or registry_target matches "*\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*"
or registry_target matches "*\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPublisher\\Certificates\\*"
or registry_target matches "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\*"
or registry_target matches "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*"
)
and !process_image matches "*\\svchost.exe"
and !process_image matches "*\\TrustedInstaller.exe"
and !process_image matches "*\\MicrosoftEdgeUpdate.exe"
and !process_image matches "*\\chrome.exe"
and !process_image matches "*\\msedge.exe"
and !process_image matches "*\\firefox.exe"
)
)
| eval detection_type = if(event_id = "1", "certutil_addstore", "registry_cert_store")
| eval is_root_store = if(
command_line matches "*ROOT*" or command_line matches "*AuthRoot*" or command_line matches "*TrustedRoot*"
or registry_target matches "*ROOT*" or registry_target matches "*AuthRoot*",
1, 0)
| eval is_trusted_publisher = if(
command_line matches "*TrustedPublisher*" or registry_target matches "*TrustedPublisher*",
1, 0)
| eval suspicious_path = if(
command_line matches "*\\Temp\\*" or command_line matches "*\\AppData\\*" or command_line matches "*\\Downloads\\*" or command_line matches "*\\ProgramData\\*" or command_line matches "*Users\\Public*",
1, 0)
| eval suspicion_score = is_root_store + is_trusted_publisher + suspicious_path
| eval severity = if(is_root_store = 1 and suspicious_path = 1, "High",
if(is_root_store = 1, "Medium",
if(is_trusted_publisher = 1 and suspicious_path = 1, "High", "Low")))
| where suspicion_score > 0
| fields _time, hostname, username, process_image, command_line, parent_image, registry_target, detection_type, is_root_store, is_trusted_publisher, suspicious_path, suspicion_score, severity
| sort by _time descDetects T1553.004 Install Root Certificate using Sumo Logic CSE by correlating Sysmon process creation events for certutil -addstore invocations and Sysmon registry events targeting Windows certificate trust store paths. Scores each event by store type and file path suspicion.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators deploying internal PKI root CA certificates to endpoints via scripts or SCCM task sequences
- Software installers for enterprise products (VPNs, proxies, DLP agents) that install their own root certificates as part of setup
- Mobile Device Management (MDM) or endpoint management agents writing certificate policies on enrolled devices
Other platforms for T1553.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Install Malicious Root Certificate via certutil (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore -f ROOT' and the temp path '\Temp\df00tech-test-root.cer'. Sysmon Event ID 12/13: Registry key created under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint> with Blob value containing the DER-encoded certificate. Security Event ID 4688 (if command line auditing enabled) with same certutil invocation.
- Test 2Install Root Certificate to User Store (Low-Privilege Variant)
Expected signal: Sysmon Event ID 1: certutil.exe with CommandLine containing '-user -addstore ROOT' and %APPDATA% path. Sysmon Event ID 13: Registry value set under HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>. This variant writes to HKCU (user hive) rather than HKLM — ensure the registry detection covers both hive locations.
- Test 3Install Root Certificate on macOS via security Command
Expected signal: Endpoint Security Framework (ESF) / Unified Log: process execution of /usr/bin/security with arguments 'add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/df00tech-test-root.pem'. macOS Endpoint Detection (Jamf Protect, Crowdstrike Falcon for Mac): process create event with the security binary invocation. Keychain modification events in the Unified Log (log stream --predicate 'subsystem == "com.apple.securityd"').
- Test 4Install Root Certificate on Linux via update-ca-certificates
Expected signal: Auditd: syscall write/open to /usr/local/share/ca-certificates/ (rule: -w /usr/local/share/ca-certificates/ -p wa -k cert_store_modification). Syslog/auditd execve: update-ca-certificates process creation. File integrity monitoring (OSSEC, Wazuh, Falco): alert on new file creation in /usr/local/share/ca-certificates/ and modification of /etc/ssl/certs/ directory. Falco rule: spawning of update-ca-certificates by an unexpected parent process.
References (10)
- https://attack.mitre.org/techniques/T1553/004/
- https://en.wikipedia.org/wiki/Root_certificate
- https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/
- https://objective-see.com/blog/blog_0x26.html
- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
- https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
- https://docs.microsoft.com/sysinternals/downloads/sigcheck
- https://support.apple.com/guide/keychain-access/add-certificates-to-a-keychain-kyca2540/mac
Unlock Pro Content
Get the full detection package for T1553.004 including response playbook, investigation guide, and atomic red team tests.