T1553.004 Install Root Certificate

T1553.004

Required Tables

• file_events
• process_events

Returned Fields

Query

SELECT
	*
FROM file_events
LEFT JOIN process_events
	ON file_events.process_c8id = process_events.process_c8id
WHERE
	process_events.event_type = 0
	AND process_events.path NOT IN (
		'/usr/bin/trust',
		'/usr/bin/apt', 
		'/usr/bin/yum', 
		'/usr/bin/dpkg', 
		'/usr/sbin/dpkg-preconfigure'
) AND (
	file_events.path LIKE '/etc/ca-certificates%' 
	OR file_events.path LIKE '/usr/local/share/ca-certificates%' 
	OR file_events.path LIKE '/etc/pki/ca-trust/%' 
	OR file_events.path LIKE '/etc/pki/tls/certs/ca-bundle%' 
	OR regexp_like(file_events.path, '/.+/.pki/.+') 
	OR file_events.path LIKE '/etc/ssl/certs/%'
)