Skip to content
Last update: 2022-05-10

T1553.004 Install Root Certificate

T1553.004

Required Tables

  • file_events
  • process_events

Returned Fields

Field Description
file_events.* all fields from the file_events table

Query

SELECT
    *
FROM file_events
LEFT JOIN process_events
    ON file_events.process_uuid = process_events.process_uuid
WHERE
    process_events.event_type = 0
    AND process_events.path NOT IN (
        '/usr/bin/trust',
        '/usr/bin/apt', 
        '/usr/bin/yum', 
        '/usr/bin/dpkg', 
        '/usr/sbin/dpkg-preconfigure'
) AND (
    file_events.path LIKE '/etc/ca-certificates%' 
    OR file_events.path LIKE '/usr/local/share/ca-certificates%' 
    OR file_events.path LIKE '/etc/pki/ca-trust/%' 
    OR file_events.path LIKE '/etc/pki/tls/certs/ca-bundle%' 
    OR regexp_like(file_events.path, '/.+/.pki/.+') 
    OR file_events.path LIKE '/etc/ssl/certs/%'
)
Back to top