1. Home
  2. Techniques
  3. Enterprise
  4. Subvert Trust Controls
  5. Install Root Certificate

Subvert Trust Controls: Install Root Certificate

ID Name
T1553.001 Gatekeeper Bypass
T1553.002 Code Signing
T1553.003 SIP and Trust Provider Hijacking
T1553.004 Install Root Certificate
T1553.005 Mark-of-the-Web Bypass
T1553.006 Code Signing Policy Modification

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.[1] Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.

Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.[2]

Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide Adversary-in-the-Middle capability for intercepting information transmitted over secure TLS/SSL communications.[3]

Root certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.[4]

In macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain.[5]

ID: T1553.004
Sub-technique of:  T1553
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Itzik Kotler, SafeBreach; Matt Graeber, @mattifestation, SpecterOps; Red Canary; Travis Smith, Tripwire
Version: 1.3
Created: 21 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0160 certutil

certutil can be used to install browser root certificates as a precursor to performing Adversary-in-the-Middle between connections to banking websites. Example command: certutil -addstore -f -user ROOT ProgramData\cert512121.der.[6]
S0281 Dok

Dok installs a root certificate to aid in Adversary-in-the-Middle actions using the command add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/filename.[7][8]
S0009 Hikit

Hikit installs a self-generated certificate to the local trust store as a root CA and Trusted Publisher.[9]
S0148 RTM

RTM can add a certificate to the Windows store.[10][11]

Mitigations

ID Mitigation Description
M1028 Operating System Configuration

Windows Group Policy can be used to manage root certificates and the Flags value of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. [4]
M1054 Software Configuration

HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. [12]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0056 Detection Strategy for Subvert Trust Controls via Install Root Certificate. AN0153

Detection of unauthorized modifications to Windows root certificate stores by monitoring registry keys, certificate installation processes, and creation of new certificate entries not in baseline trusted lists.
AN0154

Detection of unexpected additions or modifications to system-wide certificate stores or execution of commands adding certificates to trusted stores.
AN0155

Detection of malicious certificate installation via monitoring execution of the security add-trusted-cert command and modifications to system keychains.

References

  1. Wikipedia. (2016, December 6). Root certificate. Retrieved February 20, 2017.
  2. botconf eu. (2014, December 31). David Sancho - Finding Holes in Banking 2FA: Operation Emmental. Retrieved January 4, 2024.
  3. Onuma. (2015, February 24). Superfish: Adware Preinstalled on Lenovo Laptops. Retrieved February 20, 2017.
  4. Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.
  5. Patrick Wardle. (2018, January 11). Ay MaMi. Retrieved March 19, 2018.
  6. Levene, B., Falcone, R., Grunzweig, J., Lee, B., Olson, R. (2015, August 20). Retefe Banking Trojan Targets Sweden, Switzerland and Japan. Retrieved July 3, 2017.
  1. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  2. fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved November 17, 2024.
  3. Aditya Sood and Richard Enbody. (2014, December 16). Targeted Cyber Attacks. Retrieved January 4, 2024.
  4. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  5. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  6. Wikipedia. (2017, February 28). HTTP Public Key Pinning. Retrieved March 31, 2017.