Defense Impairment

T1553.004: Install Root Certificate


T1553.004 · Sub-technique · 3 platforms

Description

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.

Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)

Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide Adversary-in-the-Middle capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)

Root certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)

In macOS, the Ay MaMi malware uses `/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert` to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)
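A detection sketch for the command shapes named on this page, added here as an example (it is not MITRE's code nor any product's): it scans process-creation telemetry, in a constructed one-line `key=value` format, for the macOS `security add-trusted-cert -r trustRoot` invocation quoted above, for `certutil -addstore` into the Windows Root/AuthRoot stores (certutil is listed under Associated Software), and for the Linux `update-ca-certificates`, `update-ca-trust` and `trust anchor` tools. The Windows `-addstore`/`-user` handling and the Linux tool names are assumptions drawn from those tools' documented usage, not from the page. It separates system-wide installs from per-user ones, since the ProtectedRoots setting under Mitigations only governs the per-user (HKCU) store.

```python
"""Detect root-certificate installs (T1553.004) in process-creation telemetry.

Added example for this page; not part of MITRE ATT&CK or any product.
The log format (one key=value line per process start) and every sample
line below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+platform=(?P<platform>\S+)\s+'
    r'user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Windows stores that hold trust anchors; "My" (personal certs) is not one.
WINDOWS_ROOT_STORES = {"root", "authroot"}
# Linux tools whose job is to (re)build the system CA bundle (assumed names).
LINUX_TRUST_TOOLS = {"update-ca-certificates", "update-ca-trust", "trust"}


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    scope: str   # "system" (trusted for all users) or "user" (caller's own store)
    reason: str
    cmd: str


def _basename(token: str) -> str:
    """Executable name without directory or .exe suffix, lower-cased."""
    name = token.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def _value_after(args: list[str], flag: str) -> Optional[str]:
    """Token following `flag`, or None if the flag is absent or last."""
    try:
        return args[args.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def classify(platform: str, argv: list[str]) -> Optional[tuple[str, str]]:
    """Return (scope, reason) when argv installs a trust anchor, else None."""
    if not argv:
        return None
    exe, args = _basename(argv[0]), argv[1:]
    lower = [a.lower() for a in args]

    if platform == "macos" and exe == "security" and "add-trusted-cert" in args:
        # "-r trustRoot" marks the cert as a root; "-d" writes the admin
        # (system) trust domain, otherwise the user's login keychain.
        if _value_after(args, "-r") == "trustRoot":
            return ("system" if "-d" in args else "user",
                    "macOS: security add-trusted-cert -r trustRoot")
        return None

    if platform == "windows" and exe == "certutil" and "-addstore" in lower:
        # Store name is the first non-flag token after -addstore (skips -f).
        i = lower.index("-addstore") + 1
        while i < len(lower) and lower[i].startswith("-"):
            i += 1
        if i < len(lower) and lower[i] in WINDOWS_ROOT_STORES:
            # -user targets HKCU (the store ProtectedRoots can lock);
            # without it the machine store under HKLM is written.
            return ("user" if "-user" in lower else "system",
                    f"Windows: certutil -addstore {args[i]}")
        return None

    if platform == "linux" and exe in LINUX_TRUST_TOOLS:
        if exe == "trust" and "anchor" not in args:
            return None  # e.g. `trust list` is read-only
        return "system", f"Linux: {exe} rebuilt the system CA bundle"
    return None


def scan(lines) -> list[Finding]:
    """Run classify() over telemetry lines; unparsable lines are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        hit = classify(r["platform"], r["cmd"].split())
        if hit:
            out.append(Finding(r["ts"], r["host"], r["user"], hit[0], hit[1], r["cmd"]))
    return out


# Constructed sample telemetry (raw strings keep the Windows backslashes).
SAMPLE_LOG = [
    r'2024-05-01T10:00:01Z host=mac01 platform=macos user=alice cmd="/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/ca.pem"',
    r'2024-05-01T10:00:02Z host=mac01 platform=macos user=alice cmd="security add-trusted-cert -r trustRoot -k /Users/alice/Library/Keychains/login.keychain-db /tmp/ca.pem"',
    r'2024-05-01T10:00:03Z host=mac01 platform=macos user=alice cmd="security find-certificate -a -Z /Library/Keychains/System.keychain"',
    r'2024-05-01T10:00:04Z host=win01 platform=windows user=bob cmd="C:\Windows\System32\certutil.exe -addstore -f Root C:\Temp\ca.cer"',
    r'2024-05-01T10:00:05Z host=win01 platform=windows user=bob cmd="certutil.exe -user -addstore Root C:\Temp\ca.cer"',
    r'2024-05-01T10:00:06Z host=win01 platform=windows user=bob cmd="certutil.exe -addstore My C:\Temp\leaf.cer"',
    r'2024-05-01T10:00:07Z host=lnx01 platform=linux user=root cmd="/usr/sbin/update-ca-certificates"',
    r'2024-05-01T10:00:08Z host=lnx01 platform=linux user=root cmd="trust list"',
    r'2024-05-01T10:00:09Z host=lnx01 platform=linux user=root cmd="trust anchor --store /tmp/ca.pem"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user} [{f.scope}] {f.reason}: {f.cmd}")
```

On the sample the scanner reports six findings and ignores the read-only `find-certificate`, `trust list` and personal-store (`My`) lines. Expect benign hits on Linux from package managers, which run `update-ca-certificates` when the ca-certificates package updates; correlate with the parent process before alerting. A `system`-scope finding under a non-administrator account is the one to look at first.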

Platforms

Linux, macOS, Windows

Mitigations (2)

M1054 · Software Configuration

HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where an adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications, by enforcing use of an expected certificate. (Citation: Wikipedia HPKP)

M1028 · Operating System Configuration

Windows Group Policy can be used to manage root certificates, and the `Flags` value of `HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots` can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. (Citation: SpectorOps Code Signing Dec 2017)

Associated Software (5)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0160 | certutil | Tool | [certutil](https://attack.mitre.org/software/S0160) can be used to install browser root certificates as a precursor to performing [Adversary-in-the-Mi... |
| S0281 | Dok | Malware | [Dok](https://attack.mitre.org/software/S0281) installs a root certificate to aid in [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T15... |
| S0009 | Hikit | Malware | [Hikit](https://attack.mitre.org/software/S0009) installs a self-generated certificate to the local trust store as a root CA and Trusted Publisher.(Ci... |
| S9003 | evilginx2 | Tool | [evilginx2](https://attack.mitre.org/software/S9003) has obtained a valid SSL/TLS certificate from LetsEncrypt to provide responses to Automatic Certi... |
| S0148 | RTM | Malware | [RTM](https://attack.mitre.org/software/S0148) can add a certificate to the Windows store.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman Janua... |

Frequently Asked Questions

What is T1553.004 (Install Root Certificate)?

T1553.004 is a MITRE ATT&CK technique named 'Install Root Certificate'. It belongs to the Defense Impairment tactic(s). Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to ident...

How can T1553.004 be detected?

Detection of T1553.004 (Install Root Certificate) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1553.004?

There are 2 documented mitigations for T1553.004. Key mitigations include: Software Configuration, Operating System Configuration.

Which threat groups use T1553.004?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.