Detection of unauthorized modifications to Windows root certificate stores by monitoring registry keys, certificate installation processes, and creation of new certificate entries not in baseline trusted lists.

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| Windows Registry Key Creation (DC0056) | WinEventLog:Sysmon | EventCode=12 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| TrustedRootHashList | Baseline list of root certificate hashes; defenders can tune based on organizational certificate policies. |
| MonitoredProcesses | Processes associated with certificate management that should be flagged if executed by non-admin users or in unusual contexts. |
| TimeWindow | Correlation window for registry modifications, certificate installation, and process creation to strengthen detection. |
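The Windows analytic above combines three inputs: a registry write under the machine Root/AuthRoot store, the TrustedRootHashList baseline, and a process creation inside TimeWindow. The following is an added example, not code from the ATT&CK page, showing one way to implement that correlation. It assumes the SIEM has already normalised Sysmon EventCode 1/12 and Security 4657 records into dicts with the field names used below (`UtcTime`, `TargetObject`, `ObjectName`, `Image`, `ProcessName`, `ProcessId`, `CommandLine`, `User`); the thumbprints, process list and sample events are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Sysmon EventCode 12 TargetObject and Security 4657 ObjectName both end in the
# store name and the SHA-1 thumbprint of the certificate entry being written.
ROOT_STORE_RE = re.compile(
    r"SystemCertificates\\(Root|AuthRoot)\\Certificates\\([0-9A-F]{40})$",
    re.IGNORECASE,
)

# TrustedRootHashList: constructed placeholder thumbprints standing in for the
# organisation's exported baseline of the machine Root/AuthRoot stores.
TRUSTED_ROOT_HASH_LIST = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
}

# MonitoredProcesses: assumed set of binaries that can write the store directly.
MONITORED_PROCESSES = {"certutil.exe", "powershell.exe", "reg.exe", "regedit.exe", "rundll32.exe"}

# TimeWindow: maximum gap between a process start and the registry write.
TIME_WINDOW = timedelta(seconds=30)


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def _registry_target(event):
    """Key path carried by the two registry event types; None for anything else."""
    if event["EventCode"] == 12:       # Sysmon: registry object created/deleted
        return event.get("TargetObject")
    if event["EventCode"] == 4657:     # Security: registry value modified
        return event.get("ObjectName")
    return None


def detect_root_store_changes(events, baseline=TRUSTED_ROOT_HASH_LIST, window=TIME_WINDOW):
    """Return one alert per root-store write whose thumbprint is not baselined.

    When a MonitoredProcesses binary with the same PID started inside the
    window, its command line and user are attached to the alert."""
    process_starts = [e for e in events if e["EventCode"] == 1]
    alerts = []
    for ev in events:
        target = _registry_target(ev)
        match = ROOT_STORE_RE.search(target) if target else None
        if not match:
            continue
        store, thumbprint = match.group(1), match.group(2).upper()
        if thumbprint in baseline:
            continue                   # known root, nothing to report
        alert = {
            "time": ev["UtcTime"],
            "store": store,
            "thumbprint": thumbprint,
            "writer": ev.get("Image") or ev.get("ProcessName"),
            "process": None,
        }
        for start in process_starts:
            image = start["Image"].rsplit("\\", 1)[-1].lower()
            if (image in MONITORED_PROCESSES
                    and start.get("ProcessId") == ev.get("ProcessId")
                    and abs(_ts(ev) - _ts(start)) <= window):
                alert["process"] = {"image": image, "cmd": start["CommandLine"], "user": start["User"]}
                break
        alerts.append(alert)
    return alerts


# Constructed sample events: an interactive certutil run that writes a new Root
# entry, followed by a routine AuthRoot update of a thumbprint already baselined.
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:00", "ProcessId": 4242,
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -addstore Root C:\\Users\\jdoe\\Downloads\\corp-proxy.cer",
     "User": "CORP\\jdoe"},
    {"EventCode": 12, "UtcTime": "2024-05-01 10:00:02", "ProcessId": 4242,
     "Image": r"C:\Windows\System32\certutil.exe", "EventType": "CreateKey",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates"
                     r"\DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"},
    {"EventCode": 4657, "UtcTime": "2024-05-01 10:05:00", "ProcessId": 1234,
     "ProcessName": r"C:\Windows\System32\svchost.exe", "ObjectValueName": "Blob",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
                   r"\0123456789ABCDEF0123456789ABCDEF01234567"},
]

if __name__ == "__main__":
    for alert in detect_root_store_changes(SAMPLE_EVENTS):
        print(alert)
```

The third sample record is the false-positive case the TrustedRootHashList field exists for: the automatic root update service legitimately rewrites AuthRoot entries, so the baseline has to be refreshed from a known-good host rather than frozen once, or every scheduled update will surface as an alert.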
Detection of unexpected additions or modifications to system-wide certificate stores or execution of commands adding certificates to trusted stores.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | open, write: File modifications under /etc/ssl/certs, /usr/local/share/ca-certificates, or /etc/pki/ca-trust/source/anchors |
| Command Execution (DC0064) | auditd:EXECVE | execve: Execution of update-ca-certificates or trust anchor modification commands |

| Field | Description |
|---|---|
| CertificatePaths | Paths monitored for certificate modifications; can be tuned depending on Linux distribution. |
| AdminAccounts | Expected user accounts with privileges to install root certificates; anomalies outside this context are suspicious. |
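The Linux analytic relies on auditd splitting each syscall into SYSCALL, PATH and EXECVE records that share a serial number, so a detector has to reassemble them before it can tell which file was written or which command ran. The following is an added example, not code from the ATT&CK page, that parses raw audit.log lines under that assumption. It further assumes watch rules on the CertificatePaths directories (key `ca-certs`) and an execve rule (key `ca-trust`) are loaded, expresses AdminAccounts as audit login UIDs, and uses constructed sample records.

```python
import re
from collections import defaultdict

# CertificatePaths: trust anchor directories (trailing slash so only contents match).
CERTIFICATE_PATHS = ("/etc/ssl/certs/", "/usr/local/share/ca-certificates/",
                     "/etc/pki/ca-trust/source/anchors/")
# Commands that rebuild the system trust bundle on Debian-style and RHEL-style systems.
TRUST_COMMANDS = {"update-ca-certificates", "update-ca-trust"}
# AdminAccounts as audit login UIDs (auid survives su/sudo): root plus a
# constructed "ca-admin" account with uid 1000.
ADMIN_AUIDS = {0, 1000}
UNSET_AUID = 4294967295            # auditd's value when no login session owns the process

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")


def parse_record(line):
    """One raw audit.log line -> dict of fields (quotes stripped) plus time and serial."""
    rec = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    m = MSG_RE.search(line)
    rec["_time"], rec["_serial"] = int(m.group(1)), int(m.group(2))
    return rec


def group_by_serial(lines):
    """auditd splits one syscall into SYSCALL/EXECVE/PATH records sharing a serial."""
    groups = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            groups[rec["_serial"]].append(rec)
    return groups


def _argv(records):
    execve = next((r for r in records if r.get("type") == "EXECVE"), None)
    if execve is None:
        return []
    return [execve.get(f"a{i}", "") for i in range(int(execve.get("argc", 0)))]


def detect_trust_store_changes(lines):
    """Return findings for anchor-directory writes and trust-bundle rebuilds.

    expected=False marks activity by an account outside AdminAccounts; an unset
    auid (boot-time services, unattended package upgrades) is treated as expected."""
    findings = []
    for serial, recs in sorted(group_by_serial(lines).items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("success") != "yes":
            continue               # failed attempts deserve their own rule; skipped here
        auid = int(syscall.get("auid", UNSET_AUID))
        actor = "system" if auid == UNSET_AUID else f"auid={auid}"
        expected = auid == UNSET_AUID or auid in ADMIN_AUIDS
        base = {"serial": serial, "time": syscall["_time"], "actor": actor,
                "exe": syscall.get("exe"), "expected": expected}
        for r in recs:
            if (r.get("type") == "PATH" and r.get("nametype") != "PARENT"
                    and r.get("name", "").startswith(CERTIFICATE_PATHS)):
                findings.append({**base, "kind": "anchor_write", "detail": r["name"]})
        argv = _argv(recs)
        basenames = {a.rsplit("/", 1)[-1] for a in argv}
        if basenames & TRUST_COMMANDS or ("trust" in basenames and "anchor" in argv):
            findings.append({**base, "kind": "trust_rebuild", "detail": " ".join(argv)})
    return findings


# Constructed sample: a login user (auid 1001) copies a .crt into the anchor
# directory and rebuilds the bundle; later a session-less service rebuilds it again.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714557600.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2b a2=241 a3=1b6 items=2 ppid=1200 pid=1300 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="cp" exe="/usr/bin/cp" key="ca-certs"
type=PATH msg=audit(1714557600.123:4567): item=0 name="/usr/local/share/ca-certificates" inode=1310 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1714557600.123:4567): item=1 name="/usr/local/share/ca-certificates/corp-proxy.crt" inode=1322 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1714557605.456:4570): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1300 pid=1310 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="update-ca-certif" exe="/usr/bin/dash" key="ca-trust"
type=EXECVE msg=audit(1714557605.456:4570): argc=2 a0="/bin/sh" a1="/usr/sbin/update-ca-certificates"
type=SYSCALL msg=audit(1714560000.000:4600): arch=c000003e syscall=59 success=yes exit=0 a0=55e0 a1=55e1 a2=55e2 a3=0 items=2 ppid=1 pid=2001 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="update-ca-certif" exe="/usr/bin/dash" key="ca-trust"
type=EXECVE msg=audit(1714560000.000:4600): argc=2 a0="/bin/sh" a1="/usr/sbin/update-ca-certificates"
"""

if __name__ == "__main__":
    for finding in detect_trust_store_changes(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

Keying on `auid` rather than `uid` matters here: both rebuild commands run as uid 0, and only the login UID distinguishes the interactive user from the session-less service that package managers use. Auditd also hex-encodes path names containing spaces or non-printable characters; a production parser has to decode those before the prefix check.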
Detection of malicious certificate installation via monitoring execution of the security add-trusted-cert command and modifications to system keychains.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | Execution of /usr/bin/security add-trusted-cert or keychain modifications to System.keychain |
| File Modification (DC0061) | macos:osquery | query: Enumeration of root certificates showing unexpected additions |

| Field | Description |
|---|---|
| MonitoredCommands | Commands related to certificate management (e.g., security, profiles) that can be tuned per environment. |
| KeychainBaseline | Baseline of expected certificates in System.keychain to reduce false positives from legitimate enterprise certificates. |
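Not every `security add-trusted-cert` invocation is system-wide: the `-d` flag selects the admin trust domain and `-k` names the target keychain, so the command's options decide whether System.keychain is affected. The following is an added example, not code from the ATT&CK page, that decodes those options and checks the result against MonitoredCommands and KeychainBaseline. It assumes process executions have already been normalised from the unified log into `(user, exe, argv)` records, and that osquery's `certificates` table supplies `common_name`, `sha1` and `path` columns; the admin users, baseline hash and sample data are constructed.

```python
SYSTEM_KEYCHAIN = "/Library/Keychains/System.keychain"
# MonitoredCommands: the two CLIs named on the page, at their standard locations (assumed).
MONITORED_COMMANDS = {"/usr/bin/security", "/usr/bin/profiles"}
# Accounts allowed to change system-wide trust; constructed for this example.
ADMIN_USERS = {"root", "mdm-agent"}
# KeychainBaseline: constructed SHA-1 placeholder for an expected enterprise root.
KEYCHAIN_BASELINE = {"0123456789ABCDEF0123456789ABCDEF01234567"}


def classify_add_trusted_cert(argv):
    """Decode `security add-trusted-cert` options into what the call would change.

    -d selects the admin (system-wide) trust domain, -k the target keychain,
    -r the trust result (trustRoot by default), -p a policy restriction."""
    if len(argv) < 2 or argv[1] != "add-trusted-cert":
        return None
    info = {"domain": "user", "keychain": None, "result": "trustRoot", "policy": None, "cert": None}
    flag_keys = {"-r": "result", "-k": "keychain", "-p": "policy"}
    i = 2
    while i < len(argv):
        arg = argv[i]
        if arg == "-d":
            info["domain"] = "admin"
        elif arg in flag_keys and i + 1 < len(argv):
            info[flag_keys[arg]] = argv[i + 1]
            i += 1
        elif not arg.startswith("-"):
            info["cert"] = arg          # the positional argument is the certificate file
        i += 1
    info["system_wide"] = info["domain"] == "admin" or info["keychain"] == SYSTEM_KEYCHAIN
    return info


def detect_trust_commands(events):
    """Flag system-wide trust changes made by accounts outside ADMIN_USERS."""
    alerts = []
    for ev in events:
        if ev["exe"] not in MONITORED_COMMANDS:
            continue
        argv, reason = ev["argv"], None
        if ev["exe"].endswith("/security"):
            info = classify_add_trusted_cert(argv)
            if info and info["system_wide"] and info["result"] in ("trustRoot", "trustAsRoot"):
                reason = f"{info['result']} set in {info['domain']} domain for {info['cert']}"
        elif ev["exe"].endswith("/profiles") and "install" in argv:
            reason = "configuration profile installed (may carry a certificate payload)"
        if reason and ev["user"] not in ADMIN_USERS:
            alerts.append({"user": ev["user"], "cmd": " ".join(argv), "reason": reason})
    return alerts


def unexpected_system_roots(rows, baseline=KEYCHAIN_BASELINE):
    """osquery `certificates` rows for System.keychain whose SHA-1 is not baselined."""
    return [(r["common_name"], r["sha1"].upper())
            for r in rows
            if r["path"] == SYSTEM_KEYCHAIN and r["sha1"].upper() not in baseline]


# Constructed samples: one system-wide trust change by a regular user, one
# read-only keychain query, and one profile install by the MDM service account.
SAMPLE_EXEC_EVENTS = [
    {"user": "jdoe", "exe": "/usr/bin/security",
     "argv": ["security", "add-trusted-cert", "-d", "-r", "trustRoot",
              "-k", SYSTEM_KEYCHAIN, "/tmp/corp-proxy.cer"]},
    {"user": "jdoe", "exe": "/usr/bin/security",
     "argv": ["security", "find-certificate", "-a"]},
    {"user": "mdm-agent", "exe": "/usr/bin/profiles",
     "argv": ["profiles", "install", "-path", "/var/tmp/wifi.mobileconfig"]},
]
SAMPLE_OSQUERY_ROWS = [
    {"common_name": "Corp Internal Root CA", "sha1": "0123456789abcdef0123456789abcdef01234567",
     "path": SYSTEM_KEYCHAIN},
    {"common_name": "Proxy Root", "sha1": "DEADBEEF" * 5, "path": SYSTEM_KEYCHAIN},
    {"common_name": "Dev Test CA", "sha1": "CAFEBABE" * 5,
     "path": "/Users/jdoe/Library/Keychains/login.keychain-db"},
]

if __name__ == "__main__":
    print(detect_trust_commands(SAMPLE_EXEC_EVENTS))
    print(unexpected_system_roots(SAMPLE_OSQUERY_ROWS))
```

The two functions cover different failure modes: the command check catches the moment of installation but only where process arguments are collected, while the osquery comparison catches roots that arrived through any other path (a profile payload, a restored keychain) at the cost of seeing them only on the next scheduled query. The "Dev Test CA" row is deliberately in a login keychain and is ignored, since the page's analytic is scoped to System.keychain.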