From 0a2deee8cb563a3b72c3633f1bb878d6e12c7883 Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Sat, 9 Aug 2025 04:32:18 +0000
Subject: [PATCH] feat(threat-hunting): Root certificate installation
---
 source/threat-hunting/index.md | 1 +
 .../threat-hunting/root-certificate-installation.md | 13 +++++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 source/threat-hunting/root-certificate-installation.md
diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md
index 44976d8..747423a 100644
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@@ -99,6 +99,7 @@ updated: 2025-08-09
 - [Remote Desktop tool scheduled task](remote-desktop-tool-scheduled-task)
 - [RestartManager abuse](restartmanager-abuse)
 - [Restricted Admin Mode Detection](restricted-admin-mode-detection)
+- [Root certificate installation](root-certificate-installation)
 - [Rundll32 Dumping LSASS Memory](rundll32-dumping-lsass-memory)
 - [Rundll32 Scheduled Task](rundll32-scheduled-task)
 - [SIDHistory compromise](sidhistory-compromise)
diff --git a/source/threat-hunting/root-certificate-installation.md b/source/threat-hunting/root-certificate-installation.md
new file mode 100644
index 0000000..d438095
--- /dev/null
+++ b/source/threat-hunting/root-certificate-installation.md
@@ -0,0 +1,13 @@
+---
+title: Root certificate installation
+layout: page
+date: 2025-08-09
+---
+
+References: [1](https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/#elevated-privilege-execution)
+SPL:
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.signature_id=4688 Processes.process_name="certutil.exe" Processes.process="*addstore*" Processes.process="*root*" BY index, host, Processes.signature_id, Processes.signature, Processes.process, Processes.user, _time span=1s
+| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
+```
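Review bot: The `| tstats` search is keyed on `Processes.process_name="certutil.exe"`, so a renamed copy of certutil, PowerShell `Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root`, or `certmgr.exe` reaching the same result is not covered; a companion search on registry writes under `SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\` (Sysmon event ID 13) would catch the outcome regardless of tool. The filter also depends on event 4688 carrying the command line — where "Include command line in process creation events" is not enabled, `Processes.process` is empty and the hunt silently returns nothing, which is worth stating on the page. `Processes.process="*root*"` combined with `*addstore*` additionally matches any path containing `root` (for example an input file under a `root\` directory), since certutil's store name is the first non-option token after `-addstore`; appending `| regex process="(?i)addstore\s+(?:-\S+\s+)*\"?(?:auth)?root\b"` after the tstats narrows the match to the Root/AuthRoot store. Finally, the page gives no description of what the hunt detects beyond the reference link; a line such as `Detects certutil.exe adding a certificate to the machine or user Root store, which lets an attacker-controlled CA pass TLS validation (per the referenced Secret Blizzard AiTM write-up)` would help an analyst triage a hit.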