|
| 1 | +name: Windows Certutil Root Certificate Addition |
| 2 | +id: e9926391-ec0c-4bad-8a95-e450dbf6aae4 |
| 3 | +version: 1 |
| 4 | +date: '2025-08-06' |
| 5 | +author: Teoderick Contreras, Splunk |
| 6 | +status: production |
| 7 | +type: Anomaly |
| 8 | +description: The following analytic detects the use of certutil.exe to add a certificate to the Root certificate store using the -addstore root command. In this case, the certificate is loaded from a temporary file path (e.g., %TEMP%), which is highly suspicious and uncommon in legitimate administrative activity. This behavior may indicate an adversary is installing a malicious root certificate to intercept HTTPS traffic, impersonate trusted entities, or bypass security controls. The use of flags such as -f (force) and -Enterprise, combined with loading .tmp files from user-writable locations, is consistent with post-exploitation activity seen in credential theft and adversary-in-the-middle (AiTM) attacks. This should be investigated immediately, especially if correlated with unauthorized privilege use or prior certificate modifications.You should monitor when new certificates are added to the root store because this store is what your system uses to decide which websites, apps, and software can be trusted. If an attacker manages to add their own certificate there, they can silently intercept encrypted traffic, impersonate trusted websites, or make malicious programs look safe. This means they could steal sensitive data, bypass security tools, and keep access to your system even after other malware is removed. In simple terms, adding a rogue root certificate gives attackers a master key to your trust system — and if it goes unnoticed, the impact could be a complete compromise of your security. |
| 9 | +data_source: |
| 10 | +- Sysmon EventID 1 |
| 11 | +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) |
| 12 | + as process max(_time) as lastTime from datamodel=Endpoint.Processes |
| 13 | + where `process_certutil` Processes.process=*-addstore* Processes.process=*root* |
| 14 | + by Processes.action Processes.dest Processes.original_file_name |
| 15 | + Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid |
| 16 | + Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path |
| 17 | + Processes.process Processes.process_exec Processes.process_guid Processes.process_hash |
| 18 | + Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path |
| 19 | + Processes.user Processes.user_id Processes.vendor_product |
| 20 | + | `drop_dm_object_name("Processes")` |
| 21 | + | `security_content_ctime(firstTime)` |
| 22 | + |`security_content_ctime(lastTime)` |
| 23 | + | `windows_certutil_root_certificate_addition_filter`' |
| 24 | +how_to_implement: The detection is based on data that originates from Endpoint Detection |
| 25 | + and Response (EDR) agents. These agents are designed to provide security-related |
| 26 | + telemetry from the endpoints where the agent is installed. To implement this search, |
| 27 | + you must ingest logs that contain the process GUID, process name, and parent process. |
| 28 | + Additionally, you must ingest complete command-line executions. These logs must |
| 29 | + be processed using the appropriate Splunk Technology Add-ons that are specific to |
| 30 | + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` |
| 31 | + data model. Use the Splunk Common Information Model (CIM) to normalize the field |
| 32 | + names and speed up the data modeling process. |
| 33 | +known_false_positives: administrator may use certutil to add a root certificate to the store. |
| 34 | + Filter as needed or restrict to critical assets on the perimeter. |
| 35 | +references: |
| 36 | +- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/ |
| 37 | +drilldown_searches: |
| 38 | +- name: View the detection results for - "$dest$" |
| 39 | + search: '%original_detection_search% | search dest = "$dest$"' |
| 40 | + earliest_offset: $info_min_time$ |
| 41 | + latest_offset: $info_max_time$ |
| 42 | +- name: View risk events for the last 7 days for - "$dest$" |
| 43 | + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") |
| 44 | + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime |
| 45 | + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) |
| 46 | + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) |
| 47 | + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` |
| 48 | + | `security_content_ctime(lastTime)`' |
| 49 | + earliest_offset: $info_min_time$ |
| 50 | + latest_offset: $info_max_time$ |
| 51 | +rba: |
| 52 | + message: A certificate was added to the Root certificate store by a suspicious process named $process_name$ with the process path $process_path$ on dest $dest$. |
| 53 | + risk_objects: |
| 54 | + - field: dest |
| 55 | + type: system |
| 56 | + score: 40 |
| 57 | + threat_objects: |
| 58 | + - field: parent_process_name |
| 59 | + type: parent_process_name |
| 60 | +tags: |
| 61 | + analytic_story: |
| 62 | + - Secret Blizzard |
| 63 | + asset_type: Endpoint |
| 64 | + mitre_attack_id: |
| 65 | + - T1587.003 |
| 66 | + product: |
| 67 | + - Splunk Enterprise |
| 68 | + - Splunk Enterprise Security |
| 69 | + - Splunk Cloud |
| 70 | + security_domain: endpoint |
| 71 | +tests: |
| 72 | +- name: True Positive Test |
| 73 | + attack_data: |
| 74 | + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.003/add_store_cert/addstore_cert.log |
| 75 | + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| 76 | + sourcetype: XmlWinEventLog |
0 commit comments