Install Root Certificate
Install Root Certificate [T1553.004]
Last updated
Install Root Certificate [T1553.004]
Last updated
Name: Install Root Certificate
ID: T1553.004
Tactics:
Technique:
Install Root Certificate (T1553.004) is a sub-technique of the MITRE ATT&CK framework categorized under the broader technique of Subvert Trust Controls (T1553). This sub-technique specifically involves adversaries installing unauthorized root certificates onto compromised systems to undermine the trust model used by operating systems and applications. Root certificates are critical components that establish trust in the Public Key Infrastructure (PKI), and installing malicious or unauthorized certificates allows attackers to intercept, monitor, and manipulate encrypted communications, bypass security controls, and perform man-in-the-middle (MITM) attacks.
The installation of unauthorized root certificates can be achieved through several execution methods and mechanisms, including:
Manual Installation:
Attackers with administrative privileges manually install certificates using built-in operating system tools such as Certificate Manager (certmgr.msc) on Windows, Keychain Access on macOS, or directly via command-line utilities.
Example Windows command-line utility:
Automated Installation via Malware or Scripts:
Malicious scripts (PowerShell, batch scripts, or shell scripts) or malware payloads automate the installation process.
Attackers embed malicious certificates in payloads or download them from remote locations during exploitation.
Group Policy or Configuration Management Abuse:
Attackers may abuse Windows Group Policy Objects (GPOs) or configuration management tools (e.g., SCCM, Puppet, Ansible) to distribute unauthorized root certificates across multiple endpoints simultaneously.
Installation via Browser or Application Exploits:
Exploiting vulnerabilities in browsers or applications to silently install certificates without user interaction or notification.
Technical mechanisms and real-world procedures include:
Manipulating trust stores (Windows Certificate Store, Linux CA bundles, macOS Keychain).
Modifying registry keys on Windows systems to add certificates silently:
Registry path example:
Leveraging legitimate administrative tools and utilities to avoid detection by endpoint protection software.
Attack scenarios and stages where unauthorized root certificate installation typically occurs include:
Initial Access and Persistence:
After gaining an initial foothold, adversaries install root certificates to maintain persistent interception of encrypted communications and stealthy data exfiltration.
Privilege Escalation and Credential Harvesting:
Attackers intercept encrypted traffic to capture credentials, authentication tokens, or sensitive data, enabling further privilege escalation and lateral movement.
Command and Control (C2) Communication:
Adversaries install root certificates to facilitate secure and covert communication channels with compromised systems, bypassing traditional network security defenses.
Data Exfiltration and Espionage Campaigns:
Nation-state actors and sophisticated threat groups frequently use root certificate installation to spy on encrypted network traffic, stealing intellectual property, classified information, or sensitive personal data.
Supply Chain Attacks:
Attackers compromise software distribution channels or vendor infrastructure to deliver malicious root certificates to numerous endpoints simultaneously.
Detection methods, tools, and specific indicators of compromise (IoCs) include:
Monitoring Certificate Stores:
Regularly auditing and monitoring system certificate stores for unauthorized or suspicious root certificates.
Tools such as Windows Event Logs, PowerShell scripts, or specialized security software can detect certificate store modifications.
Event Log Analysis:
Windows Security Event Logs (Event ID 3076 - Certificate Services) can indicate certificate store modifications.
Windows Sysmon (System Monitor) can detect registry changes associated with new certificate installations.
Endpoint Detection and Response (EDR) Solutions:
EDR tools monitor suspicious processes, registry changes, and command-line executions (e.g., certutil) associated with certificate installations.
Network Traffic Analysis:
Network monitoring tools and Intrusion Detection Systems (IDS) can detect unusual SSL/TLS sessions, certificate anomalies, or unexpected certificate authorities used in encrypted communication.
File Integrity Monitoring (FIM):
FIM solutions detect unauthorized changes to certificate store files or configuration files that define trusted certificates.
Indicators of compromise (IoCs) may include:
Unrecognized or suspicious root certificate fingerprints (hashes).
Certificates issued by unknown or unusual certificate authorities.
Suspicious registry modifications under certificate-related registry keys.
Unexpected use of certificate management utilities (certutil.exe, openssl, etc.).
Detecting unauthorized root certificate installations is crucial due to the severe potential impacts on systems, networks, and organizational security:
Compromise of Encrypted Communications:
Attackers intercept, decrypt, and manipulate SSL/TLS-encrypted communications, leading to data breaches and loss of confidentiality.
Credential Theft and Identity Impersonation:
Intercepted credentials enable attackers to escalate privileges, perform lateral movement, and gain persistent access.
Undermining Security Controls:
Malicious root certificates allow attackers to bypass endpoint security tools, detection mechanisms, and secure communication protocols.
Long-term Espionage and Surveillance:
Persistent monitoring of encrypted communications facilitates long-term espionage, intellectual property theft, and surveillance.
Reputational and Compliance Risks:
Failure to detect unauthorized certificates can lead to compliance violations, regulatory penalties, and reputational damage.
Early detection helps organizations rapidly respond, remediate, and minimize the potential damage, maintaining trust and security in digital communications.
Real-world examples demonstrating the use of unauthorized root certificate installation include:
Superfish Incident (Lenovo, 2015):
Lenovo pre-installed software called Superfish VisualDiscovery on laptops, which installed a self-signed root certificate, enabling interception and decryption of HTTPS traffic.
Impact: Users were exposed to MITM attacks, credential theft, and privacy violations.
Dell eDellRoot Certificate Incident (2015):
Dell shipped laptops with a pre-installed root certificate named "eDellRoot," allowing attackers to intercept HTTPS traffic.
Impact: Users vulnerable to MITM attacks, credential theft, and potential data compromise.
Kazakhstan Government MITM Attack (2019):
The government of Kazakhstan required citizens to install a root certificate issued by the state, enabling interception and monitoring of encrypted HTTPS traffic.
Impact: Surveillance, privacy violations, and potential data harvesting.
APT Threat Actors (State-sponsored espionage):
Advanced Persistent Threat (APT) groups frequently deploy unauthorized root certificates as part of espionage campaigns, enabling long-term interception of sensitive communications.
Impact: Intellectual property theft, espionage, and persistent compromise of targeted organizations.
Corporate Espionage and Insider Threats:
Malicious insiders or corporate espionage actors install unauthorized certificates to intercept sensitive internal communications and exfiltrate confidential data.
Impact: Loss of proprietary information, business disruption, and financial damages.
In each scenario, adversaries leveraged unauthorized root certificates to compromise encrypted communications, highlighting the importance of proactive detection, monitoring, and remediation strategies.