TH16112
Detected presence of software components that can tamper with the system certificate stores.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | medium | high | None | None |
About the issueโ
Software components sometimes need to interact with higher privilege parts of the operating system, often requiring administrative access to accomplish a task. System certificate stores are databases that define the chain of trust for a machine. These databases control the list of websites the machine can securely connect to, and the list of applications that the operating system implicitly trusts. For that reason, attackers often abuse system certificate stores to ensure their malicious code executes without being detected by security solutions. While the presence of code that tampers with system certificate stores does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only select applications should consider using functions that interact with system certificate stores. One example of acceptable use for such functions is adding publisher certificates to the system trust store during software installation.
How to resolve the issueโ
- Investigate reported detections as indicators of software tampering.
- Consult Mitre ATT&CK documentation: T1553.004 - Install Root Certificate Subvert.
- Consider rewriting the flagged code without using the marked behaviors.
Recommended readingโ
- T1553.004 - Install Root Certificate Subvert (External resource - Mitre ATT&CK documentation)
- Certificate Stores (External resource - Microsoft)