Detection: Windows Certutil Root Certificate Addition

Updated Date: 2025-08-06 ID: e9926391-ec0c-4bad-8a95-e450dbf6aae4 Author: Teoderick Contreras, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic detects the use of certutil.exe to add a certificate to the Root certificate store using the -addstore root command. In this case, the certificate is loaded from a temporary file path (e.g., %TEMP%), which is highly suspicious and uncommon in legitimate administrative activity. This behavior may indicate an adversary is installing a malicious root certificate to intercept HTTPS traffic, impersonate trusted entities, or bypass security controls. The use of flags such as -f (force) and -Enterprise, combined with loading .tmp files from user-writable locations, is consistent with post-exploitation activity seen in credential theft and adversary-in-the-middle (AiTM) attacks. This should be investigated immediately, especially if correlated with unauthorized privilege use or prior certificate modifications.You should monitor when new certificates are added to the root store because this store is what your system uses to decide which websites, apps, and software can be trusted. If an attacker manages to add their own certificate there, they can silently intercept encrypted traffic, impersonate trusted websites, or make malicious programs look safe. This means they could steal sensitive data, bypass security tools, and keep access to your system even after other malware is removed. In simple terms, adding a rogue root certificate gives attackers a master key to your trust system — and if it goes unnoticed, the impact could be a complete compromise of your security.

Search

1
2| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*-addstore* Processes.process=*root* by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product 
3| `drop_dm_object_name("Processes")` 
4| `security_content_ctime(firstTime)` 
5|`security_content_ctime(lastTime)` 
6| `windows_certutil_root_certificate_addition_filter`

Data Source

Name	Platform	Sourcetype	Source
Sysmon EventID 1	Windows	`'XmlWinEventLog'`	`'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`

Macros Used

Name	Value
process_certutil	`(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)`
windows_certutil_root_certificate_addition_filter	`search *`

windows_certutil_root_certificate_addition_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1587.003	Digital Certificates	Resource Development

Weaponization

DE.AE

CIS 10

PROMETHIUM

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.

Known False Positives

administrator may use certutil to add a root certificate to the store. Filter as needed or restrict to critical assets on the perimeter.

Associated Analytic Story

Secret Blizzard

Risk Based Analytics (RBA)

Risk Message:

A certificate was added to the Root certificate store by a suspicious process named $process_name$ with the process path $process_path$ on dest $dest$.

Risk Object	Risk Object Type	Risk Score	Threat Objects
dest	system	40	parent_process_name

References

https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1