Attempt To Add Certificate To Untrusted Store

Splunk Security Content

Summary
This detection rule identifies attempts to add a certificate to an untrusted certificate store using the command 'certutil -addstore'. It analyzes process activity and command-line arguments sourced from Endpoint Detection and Response (EDR) logs and mapped to the Splunk `Processes` data model, and flags matching executions as potentially malicious. The activity is significant because it often indicates an attacker trying to disable or subvert security measures in order to gain unauthorized access. If malicious intent is confirmed, the result could be compromised system security, allowing attackers to bypass existing defenses, escalate privileges, or persist within the environment.
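The following Python block is an added example, not the Splunk Security Content rule itself and not its SPL. It re-implements the logic the summary describes (match certutil.exe process events whose command line carries the -addstore verb) over a handful of constructed EDR-style events whose field names mirror the `Processes` data model (`process_name`, `process`, `dest`, `user`). Accepting `/addstore` in addition to `-addstore` is a defensive assumption of this example, not something the page states; the store name extraction is added here so an analyst can see at a glance which store (e.g. Root) was targeted.

```python
"""Added example: offline re-implementation of the 'certutil -addstore'
detection described on this page. Events below are constructed sample data,
not real EDR output; field names follow the Splunk Processes data model."""
import re
import shlex
from typing import Dict, Iterable, List, Optional

# The -addstore verb, preceded by start-of-string or whitespace.
# Accepting "/" as an option prefix is a defensive assumption of this example.
ADDSTORE_RE = re.compile(r"(?:^|\s)[-/]addstore\b", re.IGNORECASE)


def is_certutil(process_name: str) -> bool:
    """Match the process image name case-insensitively (Windows is case-insensitive)."""
    return process_name.lower() == "certutil.exe"


def extract_store(cmdline: str) -> Optional[str]:
    """Return the certificate store name that follows -addstore, or None.

    certutil syntax: certutil [options] -addstore [-f] CertificateStoreName InFile
    Option tokens such as -f that sit between the verb and the store name are skipped.
    """
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes literal
    except ValueError:
        tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok.lower() in ("-addstore", "/addstore"):
            for nxt in tokens[i + 1:]:
                if nxt.startswith(("-", "/")):
                    continue  # option flag, e.g. -f (force overwrite)
                return nxt.strip('"')
            return None
    return None


def detect_addstore(events: Iterable[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Return one finding per certutil.exe event whose command line uses -addstore."""
    hits = []
    for ev in events:
        if not is_certutil(ev.get("process_name", "")):
            continue
        cmd = ev.get("process", "")
        if not ADDSTORE_RE.search(cmd):
            continue
        hits.append({
            "dest": ev.get("dest"),
            "user": ev.get("user"),
            "store": extract_store(cmd),
            "process": cmd,
        })
    return hits


# Constructed sample events (not real telemetry). Only the first and fourth
# should fire: the second is a benign certutil use, the third is recorded as
# cmd.exe (the detection keys on certutil.exe itself, so a wrapper shell only
# fires when the EDR also records the child certutil process).
SAMPLE_EVENTS = [
    {"dest": "WS01", "user": "CORP\\alice", "process_name": "certutil.exe",
     "process": "certutil.exe -addstore -f Root C:\\Users\\Public\\sample.cer"},
    {"dest": "WS01", "user": "CORP\\alice", "process_name": "certutil.exe",
     "process": "certutil.exe -hashfile C:\\Temp\\setup.exe SHA256"},
    {"dest": "WS02", "user": "CORP\\bob", "process_name": "cmd.exe",
     "process": "cmd.exe /c certutil -addstore Root C:\\Temp\\sample.cer"},
    {"dest": "WS03", "user": "CORP\\svc_build", "process_name": "CertUtil.exe",
     "process": "\"C:\\Windows\\System32\\certutil.exe\" -ADDSTORE TrustedPublisher C:\\Temp\\pub.cer"},
]


if __name__ == "__main__":
    for hit in detect_addstore(SAMPLE_EVENTS):
        print(f"{hit['dest']} {hit['user']} store={hit['store']} :: {hit['process']}")
```

The store name is worth surfacing in the alert because additions to Root or TrustedPublisher carry far more risk than additions to a per-user personal store, which makes it a natural triage field alongside the source file path on the command line.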
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Windows Registry
  • Process
  • Logon Session
ATT&CK Techniques
  • T1553.004
  • T1553
Created: 2024-11-13