forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdefense_evasion_create_mod_root_certificate.toml
59 lines (51 loc) · 2.04 KB
/
defense_evasion_create_mod_root_certificate.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
[metadata]
creation_date = "2021/02/01"
maturity = "production"
updated_date = "2021/03/03"
[rule]
author = ["Elastic"]
description = """
Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root
certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity
(e.g. Microsoft). It could also allow an attacker to decrypt SSL traffic.
"""
false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Creation or Modification of Root Certificate"
references = [
"https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
"https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate",
]
risk_score = 21
rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where event.type in ("creation", "change") and
registry.path :
(
"HKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"HKLM\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
"HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1553"
name = "Subvert Trust Controls"
reference = "https://attack.mitre.org/techniques/T1553/"
[[rule.threat.technique.subtechnique]]
id = "T1553.004"
name = "Install Root Certificate"
reference = "https://attack.mitre.org/techniques/T1553/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"