Skip to content

Hide Navigation Hide TOC

New Root Certificate Installed Via Certutil.EXE (d2125259-ddea-4c1c-9c22-977eb5b29cf0)

Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Cluster A Galaxy A Cluster B Galaxy B Level
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern New Root Certificate Installed Via Certutil.EXE (d2125259-ddea-4c1c-9c22-977eb5b29cf0) Sigma-Rules 1
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern 2