Skip to content

Latest commit

 

History

History
20 lines (15 loc) · 2.23 KB

T1553.004_Install_Root_Certificate.md

File metadata and controls

20 lines (15 loc) · 2.23 KB

Subvert Trust Controls: Install Root Certificate [T1553.004]

Public certificates are used to establish secure TLS/SSL communications. Root certificates are used to identify the root certificate authority (CA). Root certificates are self-signed and form an anchor of trust for public key cryptography. For example, when a root certificate is installed, the system or application will trust certificates in the root's chain of trust. While no network-level device (for example routers and switches) can show the certificate chain installed on a client system, the point of installing a malicious root certificate is to bypass trust validation.

Using Corelight data, you can observe all aspects of the TLS/SSL session using the ssl and x509 logs. These two logs allow analysts to identify certificates that seem suspicious by:

  • Search the ssl log for any entries where the validation_status field doesn’t have a value of ok.
  • Review records where the validation_status field either has a self-signed certificate or contains a self-signed certificate in the certificate chain.
  • Review the subject and server_name fields to determine the likely organization or website that controls the server.
  • Filter results where there are legitimate self-signed certificates in use, such as in communications between IOT devices and the supporting cloud infrastructure.
  • Investigate the id.resp_h IP address to see what Autonomous System the session belongs to and whether it’s a reasonable AS organization (such as the organization that matches the information on the server, or a commonly-used cloud hosting provider).
  • For remaining connections, use the values in the cert_chain_fuids to pivot to the certificates in the x509 log and review the certificate details.
  • Focus investigations by inspecting the local root certificate authority on the endpoint.

Sigma Queries for Hunting

Name URL
Self Signed TLS SSL Certificate (Overview Query) https://tdm.socprime.com/tdm/info/SnV87SprIafq
SSL Connections With Non-OK Certificate Validity (Overview Query) ./T1553.004-ssl-connections-with-non-ok-certificate-validity.yml