feat(threat-hunting): Root certificate installation

2025-08-09 04:32:18 +00:00 · 2025-08-09 04:32:18 +00:00 · 0a2deee8cb
parent 830aea5f11
commit 0a2deee8cb
2 changed files with 14 additions and 0 deletions
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@ -99,6 +99,7 @@ updated: 2025-08-09
 - [Remote Desktop tool scheduled task](remote-desktop-tool-scheduled-task)
 - [RestartManager abuse](restartmanager-abuse)
 - [Restricted Admin Mode Detection](restricted-admin-mode-detection)
+- [Root certificate installation](root-certificate-installation)
 - [Rundll32 Dumping LSASS Memory](rundll32-dumping-lsass-memory)
 - [Rundll32 Scheduled Task](rundll32-scheduled-task)
 - [SIDHistory compromise](sidhistory-compromise)
--- a/source/threat-hunting/root-certificate-installation.md
+++ b/source/threat-hunting/root-certificate-installation.md
@ -0,0 +1,13 @@
+---
+title: Root certificate installation
+layout: page
+date: 2025-08-09
+---
+
+References: [1](https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/#elevated-privilege-execution)
+SPL:
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.signature_id=4688 Processes.process_name="certutil.exe" Processes.process="*addstore*" Processes.process="*root*" BY index, host, Processes.signature_id, Processes.signature, Processes.process, Processes.user, _time span=1s
+| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
+```