<Sysmon schemaversion="3.4">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!--
      Registry events (ID 12 = key/value added or deleted, 13 = value set,
      14 = key/value renamed). This is an include list: only writes under
      the certificate-store keys below are recorded.
      Reference: https://technet.microsoft.com/en-us/library/cc783813(v=ws.10).aspx
    -->
    <RegistryEvent onmatch="include">
      <!--
        Per-hive stores. The substring match is deliberately hive-agnostic so
        it covers both the LocalMachine (HKLM\...) and CurrentUser
        (HKU\<SID>\...) copies of the Root, CA and AuthRoot stores.
      -->
      <TargetObject condition="contains">\Software\Microsoft\SystemCertificates\Root\Certificates\</TargetObject>
      <TargetObject condition="contains">\Software\Microsoft\SystemCertificates\CA\Certificates\</TargetObject>
      <TargetObject condition="contains">\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\</TargetObject>

      <!-- Group Policy stores: same three stores, written under the Policies key. -->
      <TargetObject condition="contains">\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\</TargetObject>
      <TargetObject condition="contains">\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\</TargetObject>
      <TargetObject condition="contains">\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\</TargetObject>

      <!--
        Enterprise stores. These exist only under HKLM, so an anchored
        "begin with" match is used instead of a substring match.
      -->
      <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\</TargetObject>
      <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\</TargetObject>
      <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\</TargetObject>
    </RegistryEvent>
  </EventFiltering>
</Sysmon>