Sigma rules for CVE-2026-24811
11 rules, scoped to this CVE. Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

direct · high
Root Certificate Installed From Susp Locations
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
title: Root Certificate Installed From Susp Locations
id: 5f6a601c-2ecb-498b-9c33-660362323afa
status: test
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
    - https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-01-16
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'Import-Certificate'
            - ' -FilePath '
            - 'Cert:\LocalMachine\Root'
        CommandLine|contains:
            - '\AppData\Local\Temp\'
            - ':\Windows\TEMP\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Perflogs\'
            - ':\Users\Public\'
    condition: selection
falsepositives:
    - Unlikely
level: high
direct · medium
Root Account Enable Via Dsenableroot
Detects attempts to enable the root account via "dsenableroot"
title: Root Account Enable Via Dsenableroot
id: 821bcf4d-46c7-4b87-bc57-9509d3ba7c11
status: test
description: Detects attempts to enable the root account via "dsenableroot"
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md
    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml
    - https://ss64.com/osx/dsenableroot.html
author: Sohan G (D4rkCiph3r)
date: 2023-08-22
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078
    - attack.t1078.001
    - attack.t1078.003
    - attack.initial-access
    - attack.persistence
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/dsenableroot'
    filter_main_disable:
        CommandLine|contains: ' -d '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
direct · medium
AWS Root Credentials
Detects AWS root account usage
title: AWS Root Credentials
id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
status: test
description: Detects AWS root account usage
references:
    - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
author: vitaliy0x1
date: 2020-01-21
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_usertype:
        userIdentity.type: Root
    selection_eventtype:
        eventType: AwsServiceEvent
    condition: selection_usertype and not selection_eventtype
falsepositives:
    - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
level: medium
direct · medium
New Root Certificate Authority Added
Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
title: New Root Certificate Authority Added
id: 4bb80281-3756-4ec8-a88e-523c5a6fda9e
status: test
description: Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
references:
    - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
    - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
author: Harjot Shah Singh, '@cyb3rjy0t'
date: 2024-03-26
tags:
    - attack.credential-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        OperationName: 'Set Company Information'
        TargetResources.modifiedProperties.newValue|contains: 'TrustedCAsForPasswordlessAuth'
    condition: selection
falsepositives:
    - Unknown
level: medium
direct · medium
User Added To Root/Sudoers Group Using Usermod
Detects usage of the "usermod" binary to add users to the root or sudoers groups
title: User Added To Root/Sudoers Group Using Usermod
id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73
status: test
description: Detects usage of the "usermod" binary to add users to the root or sudoers groups
references:
    - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
    - https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/
author: TuanLe (GTSC)
date: 2022-12-21
tags:
    - attack.privilege-escalation
    - attack.persistence
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/usermod'
        CommandLine|contains:
            - '-aG root'
            - '-aG sudoers'
    condition: selection
falsepositives:
    - Legitimate administrator activities
level: medium
direct · medium
Root Certificate Installed - PowerShell
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
title: Root Certificate Installed - PowerShell
id: 42821614-9264-4761-acfc-5772c3286f76
status: test
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020-10-10
modified: 2022-12-02
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection1:
        ScriptBlockText|contains|all:
            - 'Move-Item'
            - 'Cert:\LocalMachine\Root'
    selection2:
        ScriptBlockText|contains|all:
            - 'Import-Certificate'
            - 'Cert:\LocalMachine\Root'
    condition: 1 of selection*
falsepositives:
    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
direct · medium
Suspicious File Write to Webapps Root Directory
Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
title: Suspicious File Write to Webapps Root Directory
id: 89c42960-f244-4dad-9151-ae9b1a3287a2
status: experimental
description: |
    Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
    This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
references:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
    - attack.persistence
    - attack.t1505.003
    - attack.initial-access
    - attack.t1190
logsource:
    product: windows
    category: file_event
detection:
    # Add more suspicious processes or paths or extensions as needed
    selection_susp_img:
        Image|endswith:
            - '\dotnet.exe'
            - '\w3wp.exe'
            - '\java.exe'
    selection_servers:
        TargetFilename|contains:
            - '\apache'
            - '\tomcat'
    selection_path:
        TargetFilename|contains: '\webapps\ROOT\'
    selection_susp_extensions:
        TargetFilename|endswith: '.jsp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
direct · medium
New Root Certificate Installed Via Certutil.EXE
Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
title: New Root Certificate Installed Via Certutil.EXE
id: d2125259-ddea-4c1c-9c22-977eb5b29cf0
related:
    - id: 42821614-9264-4761-acfc-5772c3286f76
      type: derived
    - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
      type: obsolete
status: test
description: |
    Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
    Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
modified: 2024-03-05
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    category: process_creation
    product: windows
detection:
    # Example: certutil -addstore -f -user ROOT CertificateFileName.der
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli_add:
        CommandLine|contains|windash: '-addstore'
    selection_cli_store:
        CommandLine|contains: 'root'
    condition: all of selection_*
falsepositives:
    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml
direct · medium
New Root Certificate Installed Via CertMgr.EXE
Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
title: New Root Certificate Installed Via CertMgr.EXE
id: ff992eac-6449-4c60-8c1d-91c9722a1d48
related:
    - id: 42821614-9264-4761-acfc-5772c3286f76
      type: derived
    - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
      type: obsolete
status: test
description: |
    Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
    Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
    - https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    category: process_creation
    product: windows
detection:
    # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
    selection_img:
        - Image|endswith: '\CertMgr.exe'
        - OriginalFileName: 'CERTMGT.EXE'
    selection_cli:
        CommandLine|contains|all:
            - '/add'
            - 'root'
    condition: all of selection_*
falsepositives:
    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
direct · medium
New Root or CA or AuthRoot Certificate to Store
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
title: New Root or CA or AuthRoot Certificate to Store
id: d223b46b-5621-4037-88fe-fda32eead684
status: test
description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
    - https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
author: frack113
date: 2022-04-04
modified: 2023-08-17
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\'
            - '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
            - '\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
        TargetObject|endswith: '\Blob'
        Details: 'Binary Data'
    condition: selection
falsepositives:
    - Unknown
level: medium
direct · low
Install Root Certificate
Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
title: Install Root Certificate
id: 78a80655-a51e-4669-bc6b-e9d206a462ee
status: test
description: Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: Ömer Günal, oscd.community
date: 2020-10-05
modified: 2022-07-07
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/update-ca-certificates'
            - '/update-ca-trust'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low