Detect Digital Certificates in IBM QRadar
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic or enabling Adversary-in-the-Middle attacks if the certificate is trusted or added to the root of trust. Free certificate authorities (e.g., Let's Encrypt) enable adversaries to acquire certificates at no cost. Compromised certificate authority infrastructure (e.g., DigiNotar) allows issuance of fraudulent certificates for any domain. After obtaining a digital certificate, an adversary may install it on infrastructure under their control to legitimize malicious communications.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1588 Obtain Capabilities
- Sub-technique: T1588.004 Digital Certificates
- Canonical reference: https://attack.mitre.org/techniques/T1588/004/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
"HostName" AS host,
"UserName" AS username,
"EventID" AS event_id,
CASE
WHEN "TargetObject" ILIKE '%Root\\Certificates%' THEN 'Trusted Root CA'
WHEN "TargetObject" ILIKE '%CA\\Certificates%' THEN 'Intermediate CA'
ELSE 'Other'
END AS store_type,
"TargetObject" AS registry_path,
"Image" AS process_image,
"CommandLine" AS command_line,
"ParentImage" AS parent_image
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
AND "EventID" IN ('12', '13')
AND (
"TargetObject" ILIKE '%\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates%'
OR "TargetObject" ILIKE '%\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates%'
OR "TargetObject" ILIKE '%\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root%'
OR "TargetObject" ILIKE '%\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA%'
)
AND "Image" NOT ILIKE '%\\svchost.exe'
AND "Image" NOT ILIKE '%\\lsass.exe'
AND "Image" NOT ILIKE '%\\wuauclt.exe'
AND "Image" NOT ILIKE '%\\TrustedInstaller.exe'
AND "Image" NOT ILIKE '%\\MicrosoftEdgeUpdate.exe'
AND "Image" NOT ILIKE '%\\MsMpEng.exe'
AND "Image" NOT ILIKE '%\\SgrmBroker.exe'
LAST 24 HOURS

Detects unauthorized certificate installation into the Windows Trusted Root CA and Intermediate CA certificate stores using Sysmon registry modification events (EventID 12, RegistryKeyCreate; EventID 13, RegistryValueSet). The query targets the four primary certificate store registry paths, excludes known-legitimate system processes, and classifies the affected store type for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Automated certificate lifecycle management executed by Group Policy (GPO) or enterprise MDM platforms deploying internal root CA certificates to managed workstations and servers
- Security tooling such as DLP agents, next-generation firewalls with SSL inspection, or PAM solutions installing interception certificates during agent enrollment
- Software distribution platforms (e.g., PDQ Deploy, Chocolatey, Ansible) executing legitimate certificate deployment scripts as part of standard software packaging workflows
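The query above and the tuning list in this section can be exercised offline before anything is changed in QRadar. The following Python script is an added example, not code from the original page or from IBM QRadar: it re-implements the AQL rule's path matching, store classification and process exclusions over constructed Sysmon registry events, and contrasts the rule's file-name-only exclusions (the `'%\\svchost.exe'` form) with exclusions anchored to a trusted directory, which is the usual first tuning step before adding the deployment and security tooling listed above. Field names mirror the rule's custom properties; the host names, thumbprint, Defender platform version and the gpupdate event are constructed, and the trusted directories are assumptions.

```python
# Added example (not part of the original page or of QRadar): a stand-alone
# re-implementation of the AQL rule's filter logic over constructed Sysmon
# registry events, so the store classification and the process exclusions can
# be tested offline before the rule is tuned in QRadar.

# The four certificate-store registry paths from the AQL WHERE clause.
CERT_STORE_PATHS = (
    r"\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates",
    r"\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates",
    r"\SOFTWARE\Policies\Microsoft\SystemCertificates\Root",
    r"\SOFTWARE\Policies\Microsoft\SystemCertificates\CA",
)

# Exclusions as the AQL writes them ('%\svchost.exe'): only the file name is
# checked, so a binary with the same name in any directory is excluded too.
SUFFIX_EXCLUSIONS = (
    "svchost.exe", "lsass.exe", "wuauclt.exe", "TrustedInstaller.exe",
    "MicrosoftEdgeUpdate.exe", "MsMpEng.exe", "SgrmBroker.exe",
)

# Tuned exclusions: (trusted directory, file name). The directories are
# assumptions for illustration; the remaining names follow the same form.
ANCHORED_EXCLUSIONS = (
    (r"C:\Windows\System32", "svchost.exe"),
    (r"C:\Windows\servicing", "TrustedInstaller.exe"),
    (r"C:\Program Files (x86)\Microsoft\EdgeUpdate", "MicrosoftEdgeUpdate.exe"),
    (r"C:\ProgramData\Microsoft\Windows Defender\Platform", "MsMpEng.exe"),
)


def store_type(target_object):
    """Mirror the AQL CASE expression: classify the affected certificate store."""
    t = target_object.lower()
    if "root\\certificates" in t:
        return "Trusted Root CA"
    if "ca\\certificates" in t:
        return "Intermediate CA"
    return "Other"


def is_cert_store_write(event):
    """EventID 12/13 whose TargetObject lies under one of the watched paths."""
    if event.get("EventID") not in ("12", "13"):
        return False
    target = event.get("TargetObject", "").lower()
    return any(p.lower() in target for p in CERT_STORE_PATHS)


def is_excluded(image, anchored):
    """Suffix match as in the AQL, or directory-anchored match when tuned."""
    img = image.lower()
    if not anchored:
        return any(img.endswith("\\" + name.lower()) for name in SUFFIX_EXCLUSIONS)
    return any(img.startswith(prefix.lower() + "\\") and img.endswith("\\" + name.lower())
               for prefix, name in ANCHORED_EXCLUSIONS)


def detect(events, anchored=False):
    """Return one alert per event that passes the rule's filters, in input order."""
    alerts = []
    for ev in events:
        if not is_cert_store_write(ev) or is_excluded(ev.get("Image", ""), anchored):
            continue
        alerts.append({
            "host": ev.get("HostName"),
            "store_type": store_type(ev["TargetObject"]),
            "registry_path": ev["TargetObject"],
            "process_image": ev.get("Image", ""),
        })
    return alerts


# Constructed Sysmon events; the thumbprint and the Defender platform version
# are made-up values, not real certificates or releases.
SAMPLE_EVENTS = [
    # certutil writing a Root store entry: alerts under both exclusion styles
    {"HostName": "WS01", "UserName": "alice", "EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob",
     "Image": r"C:\Windows\System32\certutil.exe"},
    # the real service host updating the CA store: excluded under both styles
    {"HostName": "WS01", "UserName": "SYSTEM", "EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob",
     "Image": r"C:\Windows\System32\svchost.exe"},
    # same file name from a user-writable directory: hidden by the suffix
    # exclusion, surfaced by the anchored one
    {"HostName": "WS02", "UserName": "bob", "EventID": "12",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567",
     "Image": r"C:\Users\Public\svchost.exe"},
    # Defender engine in its versioned platform directory: the anchored prefix
    # match still excludes it
    {"HostName": "WS02", "UserName": "SYSTEM", "EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe"},
    # policy CRL write under a watched path but outside both Certificates keys:
    # alerts with store_type 'Other'
    {"HostName": "WS02", "UserName": "SYSTEM", "EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs\0123456789ABCDEF0123456789ABCDEF01234567",
     "Image": r"C:\Windows\System32\gpupdate.exe"},
]

if __name__ == "__main__":
    for style, anchored in (("suffix exclusions", False), ("anchored exclusions", True)):
        print(style)
        for alert in detect(SAMPLE_EVENTS, anchored):
            print("  ", alert["host"], alert["store_type"], alert["process_image"])
```

Running the script shows the difference directly: with the rule's suffix exclusions the `C:\Users\Public\svchost.exe` write is dropped, with directory-anchored exclusions it is reported. When porting the anchored form back to AQL, compare `Image` against the full expected path (or a trusted-directory prefix plus file name) instead of a `%\name` suffix, and add the GPO, MDM and deployment-tool binaries from the tuning list in the same anchored form.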
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Install Self-Signed Root Certificate via certutil
Expected signal: Sysmon Event ID 13 (RegistryValueSet) with TargetObject = HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>. Sysmon Event ID 1 for certutil.exe with CommandLine containing '-addstore Root'. Sysmon Event ID 1 for powershell.exe with CommandLine containing 'New-SelfSignedCertificate' and 'Export-Certificate'. DeviceRegistryEvents (MDE) showing ActionType=RegistryValueSet on the Root certificate store path with InitiatingProcessFileName=certutil.exe.
- Test 2: Install Certificate via PowerShell Import-Certificate
Expected signal: Sysmon Event ID 13 (RegistryValueSet) with TargetObject containing Root\Certificates\<thumbprint> and initiating process powershell.exe. PowerShell ScriptBlock Log Event ID 4104 capturing the full script including 'Import-Certificate' targeting 'Cert:\LocalMachine\Root'. Sysmon Event ID 11 (FileCreate) for the temporary .cer file in %TEMP%.
- Test 3: Enumerate Certificate Stores for Pre-Attack Reconnaissance
Expected signal: Sysmon Event ID 1 for certutil.exe with CommandLine containing '-store Root' and '-store CA'. Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Get-ChildItem Cert:' and 'HasPrivateKey'. PowerShell ScriptBlock Log Event ID 4104 capturing full certificate enumeration script.
- Test 4: Download and Install Certificate from Remote URL via certutil URLCache
Expected signal: Sysmon Event ID 1 for certutil.exe with CommandLine containing '-urlcache -split -f http://'. Sysmon Event ID 3 (NetworkConnection) for certutil.exe connecting to 127.0.0.1:8080 (or external IP in real attacks). DeviceProcessEvents CommandLine field captures the URL attempted. Download attempt generates telemetry regardless of server availability.
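To confirm that collected telemetry actually carries the process-level signals listed for the four tests, here is an added Python example (not from the original page, Atomic Red Team or QRadar) that matches constructed Sysmon Event ID 1 command lines and a PowerShell 4104 script block against one regular expression per expected signal, and reports which tests the collected events cover. The event records and command lines are constructed from the expected-signal text above (the loopback URL follows the Test 4 description); a benign certutil hashing call is included to show that ordinary certutil use does not match.

```python
# Added example (not from the original page): check constructed Sysmon Event ID 1
# and PowerShell 4104 records against the command-line signals each test above
# says to expect, so an analyst can see which tests the telemetry covers.
import re

# One (test, process basename, pattern) per expected signal; 4104 script-block
# records carry no Image field and are treated as powershell.exe.
SIGNALS = [
    ("Test 1", "certutil.exe", re.compile(r"-addstore\s+Root", re.I)),
    ("Test 2", "powershell.exe", re.compile(r"Import-Certificate.*Cert:\\LocalMachine\\Root", re.I | re.S)),
    ("Test 3", "certutil.exe", re.compile(r"-store\s+(Root|CA)\b", re.I)),
    ("Test 3", "powershell.exe", re.compile(r"Get-ChildItem\s+Cert:", re.I)),
    ("Test 4", "certutil.exe", re.compile(r"-urlcache\s+-split\s+-f\s+https?://", re.I)),
]
ALL_TESTS = ("Test 1", "Test 2", "Test 3", "Test 4")


def match_signals(event):
    """Return the set of test names whose expected signal this event satisfies."""
    if event.get("EventID") == "4104":
        image, cmd = "powershell.exe", event.get("ScriptBlockText", "")
    else:
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        cmd = event.get("CommandLine", "")
    return {test for test, proc, rx in SIGNALS if image == proc and rx.search(cmd)}


def coverage(events):
    """Map each test to whether at least one event carried its expected signal."""
    seen = set()
    for ev in events:
        seen |= match_signals(ev)
    return {test: test in seen for test in ALL_TESTS}


# Constructed records; paths and file names are illustrative only.
SAMPLE_EVENTS = [
    # Test 1: certutil adding a certificate to the machine Root store
    {"EventID": "1", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -addstore Root C:\Users\Public\test.cer"},
    # Test 2: script-block log (4104) of an Import-Certificate call
    {"EventID": "4104",
     "ScriptBlockText": r"Import-Certificate -FilePath $env:TEMP\test.cer -CertStoreLocation Cert:\LocalMachine\Root"},
    # Test 3: store enumeration with certutil
    {"EventID": "1", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -store Root"},
    # Test 3: store enumeration through the PowerShell certificate provider
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey"'},
    # Test 4: download through certutil's URL cache (loopback, as in the test)
    {"EventID": "1", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://127.0.0.1:8080/test.cer test.cer"},
    # Benign certutil use that must not match any test signal
    {"EventID": "1", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Users\Public\setup.exe SHA256"},
]

if __name__ == "__main__":
    for test, covered in coverage(SAMPLE_EVENTS).items():
        print(test, "covered" if covered else "MISSING")
```

The patterns are deliberately narrow (they encode exactly the strings the expected-signal text names), so a test reported as MISSING points at a collection gap for that specific signal rather than at the registry-based QRadar rule above, which fires on the store write itself regardless of which tool performed it.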
References (9)
- https://attack.mitre.org/techniques/T1588/004/
- https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- https://letsencrypt.org/docs/faq/
- https://crt.sh
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate
- https://www.recordedfuture.com/research/cobalt-strike-servers
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4104