Skip to content

DET0056 Detection Strategy for Subvert Trust Controls via Install Root Certificate.

Item Value
ID DET0056
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1553.004 (Install Root Certificate)

Analytics

Windows

AN0153

Detection of unauthorized modifications to Windows root certificate stores by monitoring registry keys, certificate installation processes, and creation of new certificate entries not in baseline trusted lists.

Log Sources
Data Component Name Channel
Windows Registry Key Modification (DC0063) WinEventLog:Security EventCode=4657
Windows Registry Key Creation (DC0056) WinEventLog:Sysmon EventCode=12
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
TrustedRootHashList Baseline list of root certificate hashes; defenders can tune based on organizational certificate policies.
MonitoredProcesses Processes associated with certificate management that should be flagged if executed by non-admin users or in unusual contexts.
TimeWindow Correlation window for registry modifications, certificate installation, and process creation to strengthen detection.

Linux

AN0154

Detection of unexpected additions or modifications to system-wide certificate stores or execution of commands adding certificates to trusted stores.

Log Sources
Data Component Name Channel
File Modification (DC0061) auditd:SYSCALL open, write: File modifications under /etc/ssl/certs, /usr/local/share/ca-certificates, or /etc/pki/ca-trust/source/anchors
Command Execution (DC0064) auditd:EXECVE execve: Execution of update-ca-certificates or trust anchor modification commands
Mutable Elements
Field Description
CertificatePaths Paths monitored for certificate modifications; can be tuned depending on Linux distribution.
AdminAccounts Expected user accounts with privileges to install root certificates; anomalies outside this context are suspicious.

macOS

AN0155

Detection of malicious certificate installation via monitoring execution of the security add-trusted-cert command and modifications to system keychains.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog Execution of /usr/bin/security add-trusted-cert or keychain modifications to System.keychain
File Modification (DC0061) macos:osquery query: Enumeration of root certificates showing unexpected additions
Mutable Elements
Field Description
MonitoredCommands Commands related to certificate management (e.g., security, profiles) that can be tuned per environment.
KeychainBaseline Baseline of expected certificates in System.keychain to reduce false positives from legitimate enterprise certificates.