Install Root Certificate
|Install Root Certificate|
|Data Sources||SSL/TLS inspection, Digital Certificate Logs|
|Defense Bypassed||Digital Certificate Validation|
|Contributors||Itzik Kotler, SafeBreach, Travis Smith, Tripwire|
Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.1 Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.2
Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide a man-in-the-middle capability for intercepting information transmitted over secure TLS/SSL communications.3
- RTM can add a certificate to the Windows store.4
- certutil can be used to install browser root certificates as a precursor to performing man-in-the-middle between connections to banking websites. Example command:
certutil -addstore -f -user ROOT ProgramData\cert512121.der.5
HTTP Public Key Pinning (HPKP) is one method to mitigate potential man-in-the-middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate.6
A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present.
Installed root certificates are located in the Registry:
HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates. There is a subset of root certificates that are consistent across Windows systems and can be used for comparison:7
- Wikipedia. (2016, December 6). Root certificate. Retrieved February 20, 2017.
- Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding Holes Operation Emmental. Retrieved February 9, 2016.
- Onuma. (2015, February 24). Superfish: Adware Preinstalled on Lenovo Laptops. Retrieved February 20, 2017.
- Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Levene, B., Falcone, R., Grunzweig, J., Lee, B., Olson, R. (2015, August 20). Retefe Banking Trojan Targets Sweden, Switzerland and Japan. Retrieved July 3, 2017.
- Wikipedia. (2017, February 28). HTTP Public Key Pinning. Retrieved March 31, 2017.
- Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017.