mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
28 lines
725 B
YAML
28 lines
725 B
YAML
title: Install Root Certificate
|
|
id: 78a80655-a51e-4669-bc6b-e9d206a462ee
|
|
description: Detects installed new certificate
|
|
author: Ömer Günal, oscd.community
|
|
date: 2020/10/05
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1553.004
|
|
level: low
|
|
logsource:
|
|
product: linux
|
|
detection:
|
|
selection:
|
|
- CommandLine|contains|all:
|
|
- 'mv '
|
|
- '/usr/local/share/ca-certificates'
|
|
selection2:
|
|
- ProcessName|contains:
|
|
- 'update-ca-certificates'
|
|
selection3:
|
|
- CommandLine|contains|all:
|
|
- 'cp '
|
|
- 'rootCA.crt'
|
|
- 'update-ca-trust'
|
|
condition: (selection and selection2) or selection3
|
|
falsepositives:
|
|
- Legitimate administration activities
|