Sigma rule, licensed DRL-1.1, from SigmaHQ/sigma

Install Root Certificate

Detects installation of a new certificate on the system, which attackers may use to avoid warnings when connecting to controlled web servers or C2s

Rule source: rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml
title: Install Root Certificate
id: 78a80655-a51e-4669-bc6b-e9d206a462ee
status: test
description: Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: Ömer Günal, oscd.community
date: 2020-10-05
modified: 2022-07-07
tags:
    - attack.defense-evasion
    - attack.t1553.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/update-ca-certificates'
            - '/update-ca-trust'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
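The following is an added example, not part of the SigmaHQ rule or this page: it applies the rule's single selection (Image|endswith with the two listed suffixes) to constructed process_creation events in JSON lines form, so the reader can see exactly which process paths the rule fires on and which it does not. The event field names follow Sigma's process_creation taxonomy; the sample lines, the ParentImage values and the user names are made up for the illustration.

```python
import json

# Suffixes copied from the rule's selection on this page.
IMAGE_SUFFIXES = ("/update-ca-certificates", "/update-ca-trust")

# Constructed process_creation events (not real telemetry), one JSON object per
# line as a log pipeline would deliver them. ParentImage is included only
# because it is the first thing an analyst checks when triaging the
# "legitimate administration activities" false positive the rule lists.
SAMPLE_LOG = """\
{"Image": "/usr/sbin/update-ca-certificates", "ParentImage": "/usr/bin/dpkg", "User": "root"}
{"Image": "/usr/bin/update-ca-trust", "ParentImage": "/bin/bash", "User": "root"}
{"Image": "/usr/bin/apt-get", "ParentImage": "/bin/bash", "User": "root"}
{"Image": "/home/dev/update-ca-certificates.sh", "ParentImage": "/bin/bash", "User": "dev"}
{"Image": "/USR/SBIN/UPDATE-CA-CERTIFICATES", "ParentImage": "/bin/sh", "User": "root"}
"""


def matches_rule(event):
    """Evaluate the rule's selection: Image|endswith any listed suffix.

    Sigma string matching is case-insensitive unless the 'cased' modifier is
    used, so both sides are lower-cased. 'endswith' is a plain suffix test:
    '/home/dev/update-ca-certificates.sh' does NOT match because the path
    continues past the suffix.
    """
    image = event.get("Image", "").lower()
    return any(image.endswith(suffix) for suffix in IMAGE_SUFFIXES)


def run_detection(log_text):
    """Parse JSON-lines events and return one alert per event that satisfies
    the rule's condition ('selection'). Blank lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if matches_rule(event):
            alerts.append({
                "rule": "Install Root Certificate",
                "id": "78a80655-a51e-4669-bc6b-e9d206a462ee",
                "level": "low",
                "event": event,
            })
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        ev = alert["event"]
        print(f"[{alert['level']}] {alert['rule']}: {ev['Image']} (parent {ev['ParentImage']})")
```

Running it flags three of the five sample events; the apt-get line and the user-space script whose name merely contains the suffix are not matched.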