Windows Certutil Root Certificate Addition

name: Windows Certutil Root Certificate Addition
id: e9926391-ec0c-4bad-8a95-e450dbf6aae4
version: 4
date: '2026-03-10'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: TTP
description: |
    The following analytic detects the use of certutil.exe to add a certificate to the Root certificate store using the "-addstore" flag.
    In this case, the certificate is loaded from a temporary file path (e.g., %TEMP%) or other uncommon locations (e.g. C:\\Users\\Public\\), which is highly suspicious and uncommon in legitimate administrative activity.
    This behavior may indicate an adversary is installing a malicious root certificate to intercept HTTPS traffic, impersonate trusted entities, or bypass security controls.
    The use of flags such as -f (force) and -Enterprise, combined with loading .tmp files from user-writable locations, is consistent with post-exploitation activity seen in credential theft and adversary-in-the-middle (AiTM) attacks.
    This should be investigated immediately, especially if correlated with unauthorized privilege use or prior certificate modifications.
    You should monitor when new certificates are added to the root store because this store is what your system uses to decide which websites, apps, and software can be trusted.
    If an attacker manages to add their own certificate there, they can silently intercept encrypted traffic, impersonate trusted websites, or make malicious programs look safe.
    This means they could steal sensitive data, bypass security tools, and keep access to your system even after other malware is removed.
data_source:
    - Sysmon EventID 1
    - Windows Event Log Security 4688
    - CrowdStrike ProcessRollup2
search: |
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
      max(_time) as lastTime
      values(Processes.process) as process
    from datamodel=Endpoint.Processes where
    `process_certutil`
    Processes.process=*-addstore*
    Processes.process=*root*
    Processes.process IN (
          "*:\\PerfLogs\\*",
          "*:\\Windows\\Temp\\*",
          "*\\AppData\\Local\\Temp\\*",
          "*\\ProgramData\\*",
          "*\\Users\\Public\\*",
          "*%AppData%*",
          "*%Public%*",
          "*%Temp%*",
          "*%tmp%*"
          )
    by Processes.action Processes.dest Processes.original_file_name
       Processes.parent_process Processes.parent_process_exec
       Processes.parent_process_guid Processes.parent_process_id
       Processes.parent_process_name Processes.parent_process_path
       Processes.process Processes.process_exec Processes.process_guid
       Processes.process_hash Processes.process_id Processes.process_integrity_level
       Processes.process_name Processes.process_path Processes.user
       Processes.user_id Processes.vendor_product
    | `drop_dm_object_name("Processes")`
    | `security_content_ctime(firstTime)`
    |`security_content_ctime(lastTime)`
    | `windows_certutil_root_certificate_addition_filter`
how_to_implement: |
    The detection is based on data that originates from Endpoint Detection
    and Response (EDR) agents. These agents are designed to provide security-related
    telemetry from the endpoints where the agent is installed.
    To implement this search, you must ingest logs that contain the process GUID, process name, and parent process.
    Additionally, you must ingest complete command-line executions.
    These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to
    the EDR product.
    The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
    Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: |
    Administrators or third party utilities may use leverage certutil in order to add a root certificate to the store. Filter as needed or restrict to critical assets on the perimeter.
references:
    - https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
    - https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools
    - https://unit42.paloaltonetworks.com/retefe-banking-trojan-targets-sweden-switzerland-and-japan/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A potentially suspicious certificate was added to the Root certificate store via Certutil on $dest$.
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects:
        - field: parent_process_name
          type: parent_process_name
tags:
    analytic_story:
        - Secret Blizzard
    asset_type: Endpoint
    mitre_attack_id:
        - T1587.003
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.003/add_store_cert/addstore_cert.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog