T1588.004 Digital Certificates Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detection: Unauthorized certificate installation in Windows certificate trust stores
// Monitors registry paths for additions to Trusted Root CA and Intermediate CA stores
// by unexpected processes outside of known software deployment tooling
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates",
    "SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates",
    "SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates",
    "SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA"
)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where InitiatingProcessFileName !in~ (
    "svchost.exe", "lsass.exe", "wuauclt.exe", "TrustedInstaller.exe",
    "MicrosoftEdgeUpdate.exe", "MsMpEng.exe", "SgrmBroker.exe"
)
| extend CertStoreType = case(
    RegistryKey has "Root\\", "Trusted Root CA",
    RegistryKey has "CA\\", "Intermediate CA",
    "Other"
)
| extend CertThumbprint = tostring(split(RegistryKey, "\\")[-1])
| project
    Timestamp,
    DeviceName,
    AccountName,
    ActionType,
    CertStoreType,
    CertThumbprint,
    RegistryKey,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessParentFileName
| sort by Timestamp desc

high severity medium confidence

Data Sources

Windows Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents

False Positives

Enterprise software deployments pushing corporate root CA certificates via SCCM, Intune, or GPO — msiexec.exe or specific application installers will modify certificate stores during installation
Browser auto-updates (Chrome, Edge, Firefox) that maintain bundled root certificate programs and refresh them via their update processes
VPN client software and SSL inspection proxy agents (Zscaler, Netskope, Blue Coat) installing their TLS inspection root certificates during agent deployment
Security products (EDR agents, DLP tools) that install their own root CAs for local HTTPS inspection during initial endpoint enrollment

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13)
  (
    TargetObject="*\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates*"
    OR TargetObject="*\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates*"
    OR TargetObject="*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root*"
    OR TargetObject="*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA*"
  )
| where NOT (
    match(Image, "(?i)(svchost\.exe|lsass\.exe|wuauclt\.exe|TrustedInstaller\.exe|MicrosoftEdgeUpdate\.exe|MsMpEng\.exe|SgrmBroker\.exe)$")
  )
| eval StoreType=case(
    match(TargetObject, "Root\\Certificates"), "Trusted Root CA",
    match(TargetObject, "CA\\Certificates"), "Intermediate CA",
    true(), "Other"
  )
| rex field=TargetObject "Certificates\\(?<cert_thumbprint>[A-F0-9]{40})" max_match=1
| eval EventType=case(EventCode="12", "RegistryKeyCreate", EventCode="13", "RegistryValueSet", true(), "Unknown")
| table _time, host, User, EventType, StoreType, cert_thumbprint, TargetObject, Image, CommandLine, ParentImage
| sort - _time

high severity medium confidence

Data Sources

Windows Registry: Registry Key Modification Sysmon Event ID 12 (Registry Key Create) Sysmon Event ID 13 (Registry Value Set)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Enterprise software deployments pushing corporate root CA certificates via SCCM, Intune, or GPO
Browser auto-updates refreshing bundled root certificate stores via their own update binaries
VPN or SSL inspection proxy agents installing TLS inspection root certificates during endpoint enrollment
Security tool deployments (EDR, DLP) that add their own CA certificates for local inspection

Elastic Security (EQL)

eql

registry where event.type in ("creation", "change") and
  registry.path : (
    "*\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates*",
    "*\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates*",
    "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates*",
    "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA*"
  ) and
  not process.name : (
    "svchost.exe",
    "lsass.exe",
    "wuauclt.exe",
    "TrustedInstaller.exe",
    "MicrosoftEdgeUpdate.exe",
    "MsMpEng.exe",
    "SgrmBroker.exe"
  )

high severity high confidence

Data Sources

Elastic Endpoint Security (logs-endpoint.events.registry-*) Winlogbeat with Sysmon module (winlogbeat-* — Sysmon EventID 12/13)

Required Tables

logs-endpoint.events.registry-* winlogbeat-*

False Positives

Enterprise endpoint management solutions (Microsoft Intune, SCCM/ConfigMgr) deploying internal PKI root or intermediate CA certificates as part of baseline device configuration or SSL inspection policy rollout
Corporate network security appliances (Zscaler, Palo Alto GlobalProtect, Netskope) installing their TLS interception certificate onto managed endpoints via a deployed agent or GPO-linked script
Legitimate third-party software installers (VPN clients, monitoring agents, collaboration tools) that bundle and install intermediate CA certificates required for their product's secure update or licensing infrastructure

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  "HostName" AS host,
  "UserName" AS username,
  "EventID" AS event_id,
  CASE
    WHEN "TargetObject" ILIKE '%Root\\Certificates%' THEN 'Trusted Root CA'
    WHEN "TargetObject" ILIKE '%CA\\Certificates%' THEN 'Intermediate CA'
    ELSE 'Other'
  END AS store_type,
  "TargetObject" AS registry_path,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND "EventID" IN ('12', '13')
  AND (
    "TargetObject" ILIKE '%\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates%'
    OR "TargetObject" ILIKE '%\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates%'
    OR "TargetObject" ILIKE '%\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root%'
    OR "TargetObject" ILIKE '%\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA%'
  )
  AND "Image" NOT ILIKE '%\\svchost.exe'
  AND "Image" NOT ILIKE '%\\lsass.exe'
  AND "Image" NOT ILIKE '%\\wuauclt.exe'
  AND "Image" NOT ILIKE '%\\TrustedInstaller.exe'
  AND "Image" NOT ILIKE '%\\MicrosoftEdgeUpdate.exe'
  AND "Image" NOT ILIKE '%\\MsMpEng.exe'
  AND "Image" NOT ILIKE '%\\SgrmBroker.exe'
LAST 24 HOURS

high severity high confidence

Data Sources

Sysmon (Microsoft-Windows-Sysmon/Operational) forwarded to QRadar via WinCollect or Syslog Windows Security Event Log forwarded to QRadar

Required Tables

events

False Positives

Automated certificate lifecycle management executed by Group Policy (GPO) or enterprise MDM platforms deploying internal root CA certificates to managed workstations and servers
Security tooling such as DLP agents, next-generation firewalls with SSL inspection, or PAM solutions installing interception certificates during agent enrollment
Software distribution platforms (e.g., PDQ Deploy, Chocolatey, Ansible) executing legitimate certificate deployment scripts as part of standard software packaging workflows

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* (EventCode=12 OR EventCode=13)
| parse regex "TargetObject: (?<target_object>[^\r\n]+)"
| parse regex "Image: (?<process_image>[^\r\n]+)"
| parse regex "CommandLine: (?<command_line>[^\r\n]+)" nodrop
| parse regex "User: (?<user>[^\r\n]+)" nodrop
| parse regex "ParentImage: (?<parent_image>[^\r\n]+)" nodrop
| where target_object matches "*\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates*"
  OR target_object matches "*\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates*"
  OR target_object matches "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root*"
  OR target_object matches "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA*"
| where !(process_image matches "(?i).*\\(svchost|lsass|wuauclt|TrustedInstaller|MicrosoftEdgeUpdate|MsMpEng|SgrmBroker)\.exe$")
| if(target_object matches "*Root\\Certificates*", "Trusted Root CA", if(target_object matches "*CA\\Certificates*", "Intermediate CA", "Other")) as store_type
| parse regex field=target_object "Certificates\\\\(?<cert_thumbprint>[A-F0-9]{40})" nodrop
| if(EventCode="12", "RegistryKeyCreate", "RegistryValueSet") as event_type
| fields _messageTime, _sourceHost, user, event_type, store_type, cert_thumbprint, target_object, process_image, command_line, parent_image
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon (Microsoft-Windows-Sysmon/Operational) via Sumo Logic Installed Collector with Windows Event Log source Sumo Logic Cloud Syslog source receiving Sysmon-forwarded events

Required Tables

_sourceCategory matching *windows*sysmon*

False Positives

Corporate PKI onboarding workflows where endpoints receive internal root and intermediate CA certificates through automated provisioning scripts run during device imaging or enrollment
SSL/TLS inspection proxy agents (Zscaler Client Connector, Netskope client, Symantec WSS) installed by IT that write their interception certificate to the machine Trusted Root store on first run
Application bundled certificate installations where legitimate vendor software (e.g., monitoring platforms, build toolchains) deploys a required intermediate CA certificate as part of their silent installer

Google Chronicle / SecOps

yaral

rule t1588_004_unauthorized_certificate_store_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects unauthorized installation of certificates into Windows Trusted Root CA or Intermediate CA certificate stores via registry modification by non-system processes. Adversaries may install rogue certificates to enable MitM attacks or legitimize C2 TLS traffic."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1588.004"
    reference = "https://attack.mitre.org/techniques/T1588/004/"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_key,
        `(?i).*\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates.*`) or
      re.regex($e.target.registry.registry_key,
        `(?i).*\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates.*`) or
      re.regex($e.target.registry.registry_key,
        `(?i).*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root.*`) or
      re.regex($e.target.registry.registry_key,
        `(?i).*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA.*`)
    )
    not re.regex($e.principal.process.file.full_path,
      `(?i).*(svchost\.exe|lsass\.exe|wuauclt\.exe|TrustedInstaller\.exe|MicrosoftEdgeUpdate\.exe|MsMpEng\.exe|SgrmBroker\.exe)$`)

  condition:
    $e
}

high severity high confidence

Data Sources

Windows endpoint telemetry normalized to UDM via Chronicle Forwarder with Sysmon parser Microsoft Defender for Endpoint events forwarded to Chronicle via data connector

Required Tables

UDM events with metadata.event_type = REGISTRY_MODIFICATION

False Positives

Internal enterprise PKI deployment via domain Group Policy Objects (GPOs) where the enforcing process is a domain join or policy application process not included in the current allowlist
Security product initial installation events where EDR, DLP, or proxy agents write their inspection certificate to the machine root store using a vendor-specific setup binary
DevOps tooling or CI/CD agents (e.g., Jenkins agent, Ansible runner) executing certificate deployment playbooks as part of automated server provisioning pipelines

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(AsepValueUpdate|RegGenericValueUpdate)$/
| RegObjectName = /(?i)SOFTWARE\\(Microsoft\\SystemCertificates\\(Root|CA)\\Certificates|Policies\\Microsoft\\SystemCertificates\\(Root|CA))/
| not FileName = /(?i)^(svchost\.exe|lsass\.exe|wuauclt\.exe|TrustedInstaller\.exe|MicrosoftEdgeUpdate\.exe|MsMpEng\.exe|SgrmBroker\.exe)$/
| case {
    RegObjectName = /(?i)Root\\Certificates/ | StoreType := "Trusted Root CA";
    RegObjectName = /(?i)CA\\Certificates/   | StoreType := "Intermediate CA";
    *                                         | StoreType := "Other"
  }
| select([_time, ComputerName, UserName, #event_simpleName, StoreType, RegObjectName, FileName, CommandLine, ParentProcessName])
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon endpoint sensor registry telemetry (AsepValueUpdate, RegGenericValueUpdate events) ingested into LogScale / Next-Gen SIEM

Required Tables

Falcon registry events: AsepValueUpdate, RegGenericValueUpdate

False Positives

Endpoint management platforms (Tanium, Ivanti, BigFix) performing scheduled certificate lifecycle management as part of corporate PKI operations or compliance certificate rotation
CrowdStrike Falcon sensor itself or co-installed security agents writing certificates to the trust store during product installation, update, or re-enrollment events
Enterprise software deployment pipelines executing certutil.exe or PowerShell Import-Certificate cmdlets under a service account as part of a controlled application rollout

Digital Certificates

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections