search

Installing Root Certificate

Defense Evasion

hashtag
Execution

Adding a certificate with a native windows binary:

attacker@victim
certutil.exe -addstore -f -user Root C:\Users\spot\Downloads\certnew.cer

Checking to see the certificate got installed:

Adding the certificate with powershell:

hashtag
Observations

Advanced poweshell logging to the rescue:

Commandline logging:

The CAs get installed to:

..so it is worth monitoring registry changes there:

hashtag
References

LogoSubvert Trust Controls: Install Root Certificate, Sub-technique T1553.004 - Enterprise | MITRE ATT&CK®attack.mitre.orgchevron-right
PreviousHijacking Time ProvidersNextPowershell Profile Persistence

Last updated