Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Show when private keys are being exported from the device, or when new certificates are installed
status testauthor Austin Clarkid 1f978c6a-4415-47fb-aca5-736a44d7ca3d
view Sigma YAML
title: Cisco Crypto Commands
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
status: test
description: Show when private keys are being exported from the device, or when new certificates are installed
references:
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1553.004
- attack.t1552.004
logsource:
product: cisco
service: aaa
detection:
keywords:
- 'crypto pki export'
- 'crypto pki import'
- 'crypto pki trustpoint'
condition: keywords
falsepositives:
- Not commonly run by administrators. Also whitelist your known good certificates
level: high
high
Root Certificate Installed From Susp Locations
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 5f6a601c-2ecb-498b-9c33-660362323afa
view Sigma YAML
title: Root Certificate Installed From Susp Locations
id: 5f6a601c-2ecb-498b-9c33-660362323afa
status: test
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
- https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-01-16
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'Import-Certificate'
- ' -FilePath '
- 'Cert:\LocalMachine\Root'
CommandLine|contains:
- '\AppData\Local\Temp\'
- ':\Windows\TEMP\'
- '\Desktop\'
- '\Downloads\'
- '\Perflogs\'
- ':\Users\Public\'
condition: selection
falsepositives:
- Unlikely
level: high
medium
New Root Certificate Installed Via CertMgr.EXE
Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
status testauthor oscd.community, @redcanary, Zach Stanford @svch0stid ff992eac-6449-4c60-8c1d-91c9722a1d48
view Sigma YAML
title: New Root Certificate Installed Via CertMgr.EXE
id: ff992eac-6449-4c60-8c1d-91c9722a1d48
related:
- id: 42821614-9264-4761-acfc-5772c3286f76
type: derived
- id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
type: obsolete
status: test
description: |
Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
- https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
category: process_creation
product: windows
detection:
# Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
selection_img:
- Image|endswith: '\CertMgr.exe'
- OriginalFileName: 'CERTMGT.EXE'
selection_cli:
CommandLine|contains|all:
- '/add'
- 'root'
condition: all of selection_*
falsepositives:
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
medium
New Root Certificate Installed Via Certutil.EXE
Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
status testauthor oscd.community, @redcanary, Zach Stanford @svch0stid d2125259-ddea-4c1c-9c22-977eb5b29cf0
view Sigma YAML
title: New Root Certificate Installed Via Certutil.EXE
id: d2125259-ddea-4c1c-9c22-977eb5b29cf0
related:
- id: 42821614-9264-4761-acfc-5772c3286f76
type: derived
- id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
type: obsolete
status: test
description: |
Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
modified: 2024-03-05
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
category: process_creation
product: windows
detection:
# Example: certutil -addstore -f -user ROOT CertificateFileName.der
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli_add:
CommandLine|contains|windash: '-addstore'
selection_cli_store:
CommandLine|contains: 'root'
condition: all of selection_*
falsepositives:
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml
medium
Root Certificate Installed - PowerShell
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
status testauthor oscd.community, @redcanary, Zach Stanford @svch0stid 42821614-9264-4761-acfc-5772c3286f76
view Sigma YAML
title: Root Certificate Installed - PowerShell
id: 42821614-9264-4761-acfc-5772c3286f76
status: test
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020-10-10
modified: 2022-12-02
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection1:
ScriptBlockText|contains|all:
- 'Move-Item'
- 'Cert:\LocalMachine\Root'
selection2:
ScriptBlockText|contains|all:
- 'Import-Certificate'
- 'Cert:\LocalMachine\Root'
condition: 1 of selection*
falsepositives:
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
medium
Suspicious Package Installed - Linux
Detects installation of suspicious packages using system installation utilities
status testauthor Nasreddine Bencherchali (Nextron Systems)id 700fb7e8-2981-401c-8430-be58e189e741
status testauthor frack113id 114de787-4eb2-48cc-abdb-c0b449f93ea4
view Sigma YAML
title: Suspicious X509Enrollment - Process Creation
id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
related:
- id: 504d63cb-0dba-4d02-8531-e72981aace2c
type: similar
status: test
description: Detect use of X509Enrollment
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
- https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
author: frack113
date: 2022-12-23
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- 'X509Enrollment.CBinaryConverter'
- '884e2002-217d-11da-b2a4-000e7bbb2b09'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
medium
Suspicious X509Enrollment - Ps Script
Detect use of X509Enrollment
status testauthor frack113id 504d63cb-0dba-4d02-8531-e72981aace2c
view Sigma YAML
title: Suspicious X509Enrollment - Ps Script
id: 504d63cb-0dba-4d02-8531-e72981aace2c
related:
- id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
type: similar
status: test
description: Detect use of X509Enrollment
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
- https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
author: frack113
date: 2022-12-23
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'X509Enrollment.CBinaryConverter'
- '884e2002-217d-11da-b2a4-000e7bbb2b09'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
low
Active Directory Certificate Services Denied Certificate Enrollment Request
Detects denied requests by Active Directory Certificate Services.
Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
status testauthor @SerkinValeryid 994bfd6d-0a2e-481e-a861-934069fcf5f5
view Sigma YAML
title: Active Directory Certificate Services Denied Certificate Enrollment Request
id: 994bfd6d-0a2e-481e-a861-934069fcf5f5
status: test
description: |
Detects denied requests by Active Directory Certificate Services.
Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
author: '@SerkinValery'
date: 2024-03-07
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1553.004
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Microsoft-Windows-CertificationAuthority'
EventID: 53
condition: selection
falsepositives:
- Unknown
level: low
low
Install Root Certificate
Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
status testauthor Ömer Günal, oscd.communityid 78a80655-a51e-4669-bc6b-e9d206a462ee
view Sigma YAML
title: Install Root Certificate
id: 78a80655-a51e-4669-bc6b-e9d206a462ee
status: test
description: Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: Ömer Günal, oscd.community
date: 2020-10-05
modified: 2022-07-07
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/update-ca-certificates'
- '/update-ca-trust'
condition: selection
falsepositives:
- Legitimate administration activities
level: low