T1588.004 Google Chronicle · YARA-L

Detect Digital Certificates in Google Chronicle

Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic or enabling Adversary-in-the-Middle attacks if the certificate is trusted or added to the root of trust. Free certificate authorities (e.g., Let's Encrypt) enable adversaries to acquire certificates at no cost. Compromised certificate authority infrastructure (e.g., DigiNotar) allows issuance of fraudulent certificates for any domain. After obtaining a digital certificate, an adversary may install it on infrastructure under their control to legitimize malicious communications.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1588 Obtain Capabilities
Sub-technique: T1588.004 Digital Certificates
Canonical reference: https://attack.mitre.org/techniques/T1588/004/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1588_004_unauthorized_certificate_store_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects unauthorized installation of certificates into Windows Trusted Root CA or Intermediate CA certificate stores via registry modification by non-system processes. Adversaries may install rogue certificates to enable MitM attacks or legitimize C2 TLS traffic."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1588.004"
    reference = "https://attack.mitre.org/techniques/T1588/004/"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_key,
        `(?i).*\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates.*`) or
      re.regex($e.target.registry.registry_key,
        `(?i).*\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates.*`) or
      re.regex($e.target.registry.registry_key,
        `(?i).*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root.*`) or
      re.regex($e.target.registry.registry_key,
        `(?i).*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA.*`)
    )
    not re.regex($e.principal.process.file.full_path,
      `(?i).*(svchost\.exe|lsass\.exe|wuauclt\.exe|TrustedInstaller\.exe|MicrosoftEdgeUpdate\.exe|MsMpEng\.exe|SgrmBroker\.exe)$`)

  condition:
    $e
}

This Chronicle YARA-L 2.0 rule detects unauthorized modifications to the registry paths that back the Windows Trusted Root CA and Intermediate CA certificate stores. It matches REGISTRY_MODIFICATION UDM events against all four certificate store key paths and excludes a short allowlist of known-legitimate Windows system binaries, so what remains are non-system (potentially attacker-controlled) processes installing certificates that could enable adversary-in-the-middle interception or trusted C2 communications.
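To show how the rule's clauses combine, here is an added Python re-implementation of its events section run over a handful of constructed, flattened UDM events (this is editor-added example code, not the page's rule or any Chronicle library; the field names are the UDM paths the rule references and the thumbprint is a placeholder):

```python
import re

# Key patterns and process exclusion copied from the YARA-L rule above.
CERT_STORE_KEYS = [
    r"(?i).*\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates.*",
    r"(?i).*\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates.*",
    r"(?i).*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root.*",
    r"(?i).*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA.*",
]
# Mirrors the rule: the exclusion is anchored on the trailing file name only.
EXCLUDED_PROCESSES = (r"(?i).*(svchost\.exe|lsass\.exe|wuauclt\.exe|TrustedInstaller\.exe"
                      r"|MicrosoftEdgeUpdate\.exe|MsMpEng\.exe|SgrmBroker\.exe)$")

def matches_rule(event):
    """True when a flattened UDM event satisfies every clause of the rule."""
    if event.get("metadata.event_type") != "REGISTRY_MODIFICATION":
        return False
    key = event.get("target.registry.registry_key", "")
    if not any(re.search(p, key) for p in CERT_STORE_KEYS):
        return False
    proc = event.get("principal.process.file.full_path", "")
    return re.search(EXCLUDED_PROCESSES, proc) is None

def alerting_processes(events):
    """Process paths of the events that would raise the alert, in input order."""
    return [e["principal.process.file.full_path"] for e in events if matches_rule(e)]

# Constructed sample events, not real telemetry; <thumbprint> is a placeholder.
ROOT_KEY = r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>"
SAMPLE_EVENTS = [
    {   # Test 1 on this page: certutil -addstore Root, expected to alert
        "metadata.event_type": "REGISTRY_MODIFICATION",
        "principal.process.file.full_path": r"C:\Windows\System32\certutil.exe",
        "target.registry.registry_key": ROOT_KEY},
    {   # same key written by svchost.exe: allowlisted, so suppressed
        "metadata.event_type": "REGISTRY_MODIFICATION",
        "principal.process.file.full_path": r"C:\Windows\System32\svchost.exe",
        "target.registry.registry_key": ROOT_KEY},
    {   # policy (GPO-style) CA store write by PowerShell: alerts, see tuning notes
        "metadata.event_type": "REGISTRY_MODIFICATION",
        "principal.process.file.full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "target.registry.registry_key": r"HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\<thumbprint>"},
    {   # unrelated registry key: ignored
        "metadata.event_type": "REGISTRY_MODIFICATION",
        "principal.process.file.full_path": r"C:\Windows\System32\certutil.exe",
        "target.registry.registry_key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {   # process launch, not a registry modification: ignored
        "metadata.event_type": "PROCESS_LAUNCH",
        "principal.process.file.full_path": r"C:\Windows\System32\certutil.exe"},
]
```

Running `alerting_processes(SAMPLE_EVENTS)` returns only the certutil.exe and powershell.exe paths, which is the same set of events the Chronicle rule would surface for this input.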

Data Sources

  • Windows endpoint telemetry normalized to UDM via Chronicle Forwarder with the Sysmon parser
  • Microsoft Defender for Endpoint events forwarded to Chronicle via the data connector

Required Tables

UDM events with metadata.event_type = REGISTRY_MODIFICATION

False Positives & Tuning

  • Internal enterprise PKI deployment via domain Group Policy Objects (GPOs) where the enforcing process is a domain join or policy application process not included in the current allowlist
  • Security product initial installation events where EDR, DLP, or proxy agents write their inspection certificate to the machine root store using a vendor-specific setup binary
  • DevOps tooling or CI/CD agents (e.g., Jenkins agent, Ansible runner) executing certificate deployment playbooks as part of automated server provisioning pipelines

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Install Self-Signed Root Certificate via certutil

    Expected signal: Sysmon Event ID 13 (RegistryValueSet) with TargetObject = HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>. Sysmon Event ID 1 for certutil.exe with CommandLine containing '-addstore Root'. Sysmon Event ID 1 for powershell.exe with CommandLine containing 'New-SelfSignedCertificate' and 'Export-Certificate'. DeviceRegistryEvents (MDE) showing ActionType=RegistryValueSet on the Root certificate store path with InitiatingProcessFileName=certutil.exe.

  2. Test 2: Install Certificate via PowerShell Import-Certificate

    Expected signal: Sysmon Event ID 13 (RegistryValueSet) with TargetObject containing Root\Certificates\<thumbprint> and initiating process powershell.exe. PowerShell ScriptBlock Log Event ID 4104 capturing the full script including 'Import-Certificate' targeting 'Cert:\LocalMachine\Root'. Sysmon Event ID 11 (FileCreate) for the temporary .cer file in %TEMP%.

  3. Test 3: Enumerate Certificate Stores for Pre-Attack Reconnaissance

    Expected signal: Sysmon Event ID 1 for certutil.exe with CommandLine containing '-store Root' and '-store CA'. Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Get-ChildItem Cert:' and 'HasPrivateKey'. PowerShell ScriptBlock Log Event ID 4104 capturing full certificate enumeration script.

  4. Test 4: Download and Install Certificate from Remote URL via certutil URLCache

    Expected signal: Sysmon Event ID 1 for certutil.exe with CommandLine containing '-urlcache -split -f http://'. Sysmon Event ID 3 (NetworkConnection) for certutil.exe connecting to 127.0.0.1:8080 (or external IP in real attacks). DeviceProcessEvents CommandLine field captures the URL attempted. Download attempt generates telemetry regardless of server availability.
