Update win_root_certificate_installed.yml

This commit is contained in:
svch0stz 2020-10-12 08:30:28 +11:00 committed by GitHub
parent 5d475ce16d
commit 2edd79a37f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -20,11 +20,16 @@ logsource:
product: windows
service: powershell
detection:
selection:
selection1:
EventID: 4104
ScriptBlockText|contains:
- 'Import-Certificate * Cert:\LocalMachine\Root'
- 'Move-Item * Cert:\LocalMachine\Root'
ScriptBlockText|contains|all:
- 'Move-Item'
- 'Cert:\LocalMachine\Root'
selection2:
EventID: 4104
ScriptBlockText|contains|all:
- 'Import-Certificate'
- 'Cert:\LocalMachine\Root'
---
logsource:
category: process_creation
@ -32,7 +37,11 @@ logsource:
detection:
selection1:
Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der
CommandLine|contains: '-addstore * root'
CommandLine|contains|all:
- '-addstore'
- 'root'
selection2:
Image|endswith: '\CertMgr.exe' # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
CommandLine|contains: '/add * root'
CommandLine|contains|all:
- '/add'
- 'root'
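Review bot: The new `CommandLine|contains|all` pair `'-addstore'` / `'root'` drops the ordering the old `'-addstore * root'` wildcard enforced, and a bare `root` substring now matches anywhere in the command line, so an import into a different store whose file path happens to contain "root" (a constructed example: `-addstore CA C:\rootcerts\ca.cer`) would fire; the same shape is used for the CertMgr pair (`'/add'` / `'root'`) and for `'Move-Item'` / `'Cert:\LocalMachine\Root'` in the PowerShell hunk. A cheap tightening that still avoids the mid-string wildcard is to keep the separator in the store-name token, `- ' root'`, since the store argument is always preceded by a space on the certutil and CertMgr command lines shown in the examples. Both hunks now reference `selection1`/`selection2`, but the `condition` that must name them (for example `1 of selection*`) lies outside the visible hunks, so it is worth confirming it no longer refers to the old `selection`. The inline example on the certutil line uses `-user ROOT`, which targets the current user's store rather than the LocalMachine store the PowerShell document is scoped to; if both trust boundaries are intended, the rule text should say so.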