T1553.004 Install Root Certificate
T1553.004
Required Tables
- file_events
- process_events
Returned Fields
| Field | Description |
|---|---|
| file_events.* | all fields from the file_events table |
Query
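-- Detection query for ATT&CK T1553.004 (Install Root Certificate): reports
-- file events under the certificate trust-store paths listed below when the
-- acting process is not one of the allowlisted package/trust tools.
--
-- NOTE(review): `*` over a join returns the columns of both tables, and the
-- same-named columns (at least path and process_uuid) appear twice. The
-- page's "Returned Fields" table lists only file_events.*; confirm which is
-- intended before narrowing the projection.
SELECT
    *
FROM file_events
-- Written as INNER JOIN because the WHERE filters on process_events already
-- discard every row without a matching process, so the original LEFT JOIN
-- never returned unmatched file events. File events whose process_uuid has
-- no process_events row are therefore not reported by this query.
INNER JOIN process_events
    ON file_events.process_uuid = process_events.process_uuid
WHERE
    -- event_type = 0 is kept as given; its meaning comes from the
    -- process_events schema, which is not shown here.
    process_events.event_type = 0
    -- Tools expected to maintain the trust store. The match is on executable
    -- path only, so trust-store changes made through these tools are outside
    -- this query's coverage and need separate review.
    AND process_events.path NOT IN (
        '/usr/bin/trust',
        '/usr/bin/apt',
        '/usr/bin/yum',
        '/usr/bin/dpkg',
        '/usr/sbin/dpkg-preconfigure'
    )
    AND (
        file_events.path LIKE '/etc/ca-certificates%'
        OR file_events.path LIKE '/usr/local/share/ca-certificates%'
        OR file_events.path LIKE '/etc/pki/ca-trust/%'
        OR file_events.path LIKE '/etc/pki/tls/certs/ca-bundle%'
        -- Hidden .pki directories below any parent (for example a per-user
        -- ~/.pki/ store). The dot is written as [.] so it matches a literal
        -- "." only; the original '/.+/.pki/.+' treated it as "any character"
        -- and also matched unrelated paths such as ".../xpki/...".
        OR regexp_like(file_events.path, '/.+/[.]pki/.+')
        OR file_events.path LIKE '/etc/ssl/certs/%'
    )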