T1553.004 Install Root Certificate

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.

Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)

Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide Adversary-in-the-Middle capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)

Root certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)

In macOS, the Ay MaMi malware uses <code>/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert</code> to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-01.01 Configuration baselines Mitigates T1553.004 Install Root Certificate
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
    PR.PS-01.02 Least functionality Mitigates T1553.004 Install Root Certificate
    Comments
    This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
    References
      PR.PS-01.03 Configuration deviation Mitigates T1553.004 Install Root Certificate
      Comments
      This diagnostic statement provides protection from Subvert Trust Controls: Install Root Certificate through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration including Windows Group Policy or Key Pinning and integrity checking can help protect against adversaries attempting to compromise and modify certificate configurations.
      References

        NIST 800-53 Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        CM-06 Configuration Settings mitigates T1553.004 Install Root Certificate
        IA-09 Service Identification and Authentication mitigates T1553.004 Install Root Certificate
        CM-10 Software Usage Restrictions mitigates T1553.004 Install Root Certificate
        SC-20 Secure Name/Address Resolution Service (Authoritative Source) mitigates T1553.004 Install Root Certificate
        CM-07 Least Functionality mitigates T1553.004 Install Root Certificate
        SI-04 System Monitoring mitigates T1553.004 Install Root Certificate

        VERIS Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.004 Install Root Certificate

        Azure Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring technique_scores T1553.004 Install Root Certificate
        Comments
        This control can be used to detect when the system root certificates has changed by detecting the corresponding Registry or File system modifications that occur as a result. These root certificates should not change often and therefore the false positive rate is minimal. This control at worst scans for changes on an hourly basis.
        References
        azure_dedicated_hsm Azure Dedicated HSM technique_scores T1553.004 Install Root Certificate
        Comments
        Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.
        References

        AWS Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        aws_cloudhsm AWS CloudHSM technique_scores T1553.004 Install Root Certificate
        Comments
        Use cases in documentation show that certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.
        References