Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0154: Analytic 0154

Detection of unexpected additions or modifications to system-wide certificate stores or execution of commands adding certificates to trusted stores.

EnterpriseAN0154AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting unexpected changes to Linux system-wide trusted certificate stores. For leaders, the practical issue is trust: if unauthorized certificates are added or modified, systems may begin trusting traffic, software, or services they should not. That can affect secure communications, investigation confidence, and compliance evidence around certificate and trust-store governance.

Executive priority

Prioritize this where Linux systems support critical applications, administrative infrastructure, or regulated workloads. The key business question is whether the organization can prove that changes to trusted certificate stores are authorized, traceable, and reviewed. This is a useful control-validation area for security operations, incident response readiness, change management, and audit evidence because certificate trust changes can be quiet, persistent, and hard to interpret after the fact without reliable logs.

Technical view

For SOC and detection engineering teams, validate visibility into Linux certificate store file changes and command execution that adds certificates to trusted stores. Because ATT&CK supplies no tactic mapping, relationship context, or detailed detection logic for this analytic, implementation should focus on environment-specific baselining: identify approved certificate management tools, package manager activity, configuration management runs, administrative maintenance windows, and expected certificate paths. Alerts should distinguish authorized enterprise CA deployment from unexpected direct modification or command-line activity.

Likely telemetry

  • Linux file integrity or file modification events for system-wide certificate store locations
  • Linux process execution telemetry for commands that add or update trusted certificates
  • User, sudo, or privilege-escalation context associated with certificate-store changes
  • Package manager and configuration management logs that may legitimately update certificate stores
  • Change management or administrative approval records for trusted certificate additions

Detection direction

  • Validate that Linux endpoint telemetry captures both file changes and process execution related to trusted certificate store updates.
  • Baseline expected certificate-store modifications from operating system updates, package installs, enterprise CA rollout, and configuration management to reduce false positives.
  • Prioritize alerts where certificate changes occur outside approved maintenance windows, outside known management tooling, or under unusual user context.
  • Correlate certificate-store changes with administrative authentication, sudo activity, and change tickets where available.
  • Document blind spots: systems without endpoint logging, short log retention, containerized or ephemeral Linux hosts, and certificate updates performed by trusted automation may limit investigation quality.

Mitigation priorities

  • Establish ownership and change-control requirements for system-wide trusted certificate stores on Linux systems.
  • Restrict administrative ability to modify trusted certificate stores to approved roles and managed automation.
  • Use configuration management or integrity monitoring to maintain expected certificate-store state where operationally feasible.
  • Ensure incident response playbooks include review of trusted certificate stores when investigating suspicious trust, proxy, or secure-communications anomalies.
  • Retain sufficient endpoint, process, and change-management evidence to support audit and post-incident review.
Analyst notes and limits

This is a detection analytic object, not a full technique description. The supplied ATT&CK fields only state that it applies to Linux and concerns unexpected additions or modifications to system-wide certificate stores or commands adding certificates to trusted stores. No official detection logic, tactics, mitigations, relationships, or procedure examples were supplied, so local engineering must define paths, tools, baselines, and thresholds.

No relationship context, tactic mapping, procedure examples, or official detection details were provided. This take does not assert active exploitation, attribution, impact, or guaranteed detection coverage. Applicability depends on the organization’s Linux estate, logging depth, certificate-management practices, and change-control maturity.

Official MITRE ATT&CK definition

Analytic 0154

Detection of unexpected additions or modifications to system-wide certificate stores or execution of commands adding certificates to trusted stores.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
6f783503dc75052f...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 6f783503dc75…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0154
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use