New Root Certificate Installed Via CertMgr.EXE (ff992eac-6449-4c60-8c1d-91c9722a1d48)

Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Relationships (Cluster A / Galaxy A -> Cluster B / Galaxy B, with level):

Level 1
  Cluster A: New Root Certificate Installed Via CertMgr.EXE (ff992eac-6449-4c60-8c1d-91c9722a1d48)
  Galaxy A:  Sigma-Rules
  Cluster B: Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)
  Galaxy B:  Attack Pattern

Level 2
  Cluster A: Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)
  Galaxy A:  Attack Pattern
  Cluster B: Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)
  Galaxy B:  Attack Pattern