Update win_root_certificate_installed.yml

2024-11-07 09:48:58 +00:00 · 2020-10-09 13:00:17 +11:00 · 2020-10-09 13:00:17 +11:00 · 5d475ce16d
commit 5d475ce16d
parent 8d7152d489
1 changed files with 1 additions and 17 deletions
--- a/rules/windows/builtin/win_root_certificate_installed.yml
+++ b/rules/windows/builtin/win_root_certificate_installed.yml
@ -24,31 +24,15 @@ detection:
        EventID: 4104
        ScriptBlockText|contains:
          - 'Import-Certificate * Cert:\LocalMachine\Root'
-          - 'Move-Item * Cert:\LocalMachine\Root'    
+          - 'Move-Item * Cert:\LocalMachine\Root'
 ---
 logsource:
    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection1:
-        EventID: 1
        Image|endswith: '\certutil.exe'     # Example: certutil -addstore -f -user ROOT CertificateFileName.der
        CommandLine|contains: '-addstore * root'
    selection2:
-        EventID: 1
        Image|endswith: '\CertMgr.exe'      # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
        CommandLine|contains: '/add * root'
---
-action: repeat
-logsource:
-    category: process_creation
-    product: windows
-    service: security
-detection:
-    selection1:
-        EventID: 4688
-    selection2:
-        EventID: 4688
---
-action: reset