Tags: attack.defense_evasion, attack.t1553.004
Authors: oscd.community, @redcanary, Zach Stanford @svch0st
New Root Certificate Installed Via Certutil.EXE
Detects execution of "certutil" with the "addstore" flag, which installs a new certificate into a certificate store on the system. Adversaries may install a root certificate on a compromised system to avoid browser and TLS warnings when connecting to adversary-controlled web servers.
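As an added illustration (not part of the rule or its repository), the following Python sketch applies the detection described above to constructed process-creation events and flags when the target store is a trusted-root store; the event field names Image and CommandLine and the store-name handling are assumptions, not the rule's own definition.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -addstore -f root C:\Users\Public\ca.cer"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r'certutil /addstore "My" C:\temp\client.cer'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verifystore root"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c echo addstore"},
]

# Store names that hold trusted root CAs (assumed list, compared case-insensitively).
ROOT_STORES = {"root", "authroot"}

# certutil accepts both "-addstore" and "/addstore"; require it as a whole token.
ADDSTORE_RE = re.compile(r"(?:^|\s)[-/]addstore(?:\s|$)", re.IGNORECASE)

@dataclass
class Finding:
    command_line: str
    store: str          # store name certutil was asked to write to
    root_store: bool    # True when that store is a trusted-root store

def parse_store(command_line: str) -> Optional[str]:
    """Return the store name following -addstore, skipping switches such as -f."""
    tokens = command_line.replace('"', "").split()
    idx = next((i for i, t in enumerate(tokens)
                if t.lower() in ("-addstore", "/addstore")), None)
    if idx is None:
        return None
    for tok in tokens[idx + 1:]:
        if tok.startswith(("-", "/")):
            continue            # option switch, not the store name
        return tok
    return None

def detect(event: dict) -> Optional[Finding]:
    """Mirror the rule's logic: certutil image plus an addstore flag."""
    if not event.get("Image", "").lower().endswith("\\certutil.exe"):
        return None
    cmd = event.get("CommandLine", "")
    if not ADDSTORE_RE.search(cmd):
        return None
    store = parse_store(cmd) or ""
    return Finding(cmd, store, store.lower() in ROOT_STORES)

def scan(events) -> list:
    return [f for f in (detect(e) for e in events) if f is not None]
```

Only the first two events match; the root_store field lets a responder triage the root-store installation ahead of a personal-store import.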