Rule Info
| Field | Value |
|---|---|
| Name | New Root Certificate Installed Via Certutil.EXE |
| Author | oscd.community, @redcanary, Zach Stanford @svch0st |
| Description | Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers. |
| Date | 2023-03-05 00:00:00 |
| Modified | 2024-03-05 00:00:00 |
| Id | d2125259-ddea-4c1c-9c22-977eb5b29cf0 |
| Tags | attack.defense_evasion attack.t1553.004 DEMO |
| Type | Community Rule |
Link to Public Repo