MITRE ATT&CK® Analytic

AN0155: Analytic 0155

Detection of malicious certificate installation via monitoring execution of the `security add-trusted-cert` command and modifications to system keychains.

Domain: Enterprise | ID: AN0155 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because unauthorized trusted certificate installation on macOS can weaken an organization’s trust model. If a malicious or unapproved certificate is added to system keychains, security teams may lose confidence in encrypted traffic inspection, endpoint trust decisions, and evidence used during investigations. For leaders, the key question is whether the organization can prove when trusted certificates change on managed Macs and whether those changes are authorized.

Executive priority

Treat this as a control-validation item for macOS endpoint governance and incident readiness. Executives and security leaders should ask whether certificate trust changes are monitored, whether exceptions are documented, and whether SOC or IR teams can quickly distinguish approved enterprise certificate deployment from suspicious use of the `security add-trusted-cert` command. This supports audit evidence, endpoint hardening, and faster incident decision-making when certificate trust is in question.

Technical view

For SOC, detection engineering, and IR teams, validate visibility into execution of `security add-trusted-cert` on macOS and modifications to system keychains. Because no official ATT&CK detection logic is supplied, teams should build or review local analytics around process execution, command-line arguments, user context, parent process, timestamp, host identity, and keychain modification evidence. Triage should focus on whether the certificate addition matches approved administration, device management, or security tooling activity.

Likely telemetry

  • macOS process execution telemetry for the `security` command
  • Command-line arguments showing `add-trusted-cert` usage
  • File or system events indicating modifications to system keychains
  • Endpoint user, host, and privilege context associated with the change
  • Change-management or device-management records for approved certificate deployment

Detection direction

  • Validate that macOS endpoints actually collect command-line and process execution data for certificate-management commands.
  • Alert or hunt for `security add-trusted-cert` executions, then tune against known authorized administrative and management workflows.
  • Correlate command execution with system keychain modification events to reduce weak single-signal detections.
  • Include user context, parent process, and host ownership in triage to separate routine enterprise certificate deployment from anomalous activity.
  • Document blind spots where unmanaged Macs, limited endpoint logging, or missing command-line capture prevent reliable coverage.
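A worked correlation of the two signals listed above, added here as an example and not part of the ATT&CK analytic or the Glexia page: it parses constructed process-execution and keychain-modification events, flags `security add-trusted-cert` runs that target system trust (the `-d` admin-store flag or `-k /Library/Keychains/System.keychain`, both standard `security` options), corroborates each against a system keychain write on the same host within 30 seconds, and downgrades runs launched by an allowlisted management agent. The event schema, host names, timestamps and the `mdm-agent` parent are hypothetical.

```python
import shlex
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry) in a hypothetical normalised
# endpoint schema: process executions and file modifications across three hosts.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "process", "host": "mac-01", "user": "root", "parent": "mdm-agent",
     "cmdline": "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/corp-root.cer"},
    {"ts": "2024-05-01T10:00:01", "type": "file", "host": "mac-01", "path": "/Library/Keychains/System.keychain"},
    {"ts": "2024-05-01T11:30:00", "type": "process", "host": "mac-02", "user": "root", "parent": "Terminal",
     "cmdline": "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/alice/Downloads/proxy.cer"},
    {"ts": "2024-05-01T11:30:02", "type": "file", "host": "mac-02", "path": "/Library/Keychains/System.keychain"},
    {"ts": "2024-05-01T12:00:00", "type": "process", "host": "mac-03", "user": "bob", "parent": "Terminal",
     "cmdline": "security add-trusted-cert -r trustRoot /Users/bob/dev.cer"},   # login keychain only
    {"ts": "2024-05-01T12:05:00", "type": "process", "host": "mac-03", "user": "bob", "parent": "Terminal",
     "cmdline": "security find-certificate -a"},                                  # unrelated subcommand
]

SYSTEM_KEYCHAIN = "/Library/Keychains/System.keychain"  # standard macOS system keychain path
APPROVED_PARENTS = {"mdm-agent"}                        # hypothetical allowlist of management tooling
WINDOW = timedelta(seconds=30)                          # correlation window for keychain writes

def parse_add_trusted_cert(cmdline):
    """Return flags of a `security add-trusted-cert` invocation, or None for anything else."""
    argv = shlex.split(cmdline)
    if len(argv) < 2 or argv[0] != "security" or argv[1] != "add-trusted-cert":
        return None
    info = {"admin_store": "-d" in argv, "keychain": None, "cert": argv[-1]}
    if "-k" in argv:
        info["keychain"] = argv[argv.index("-k") + 1]
    return info

def targets_system_trust(info):
    # -d writes to the admin trust store; -k with the system keychain targets it directly
    return info["admin_store"] or info["keychain"] == SYSTEM_KEYCHAIN

def analyze(events):
    """Return findings for system-trust changes, each with corroboration and a triage severity."""
    file_mods = [e for e in events if e["type"] == "file" and e["path"] == SYSTEM_KEYCHAIN]
    findings = []
    for e in events:
        if e["type"] != "process":
            continue
        info = parse_add_trusted_cert(e["cmdline"])
        if info is None or not targets_system_trust(info):
            continue
        t = datetime.fromisoformat(e["ts"])
        corroborated = any(f["host"] == e["host"] and t <= datetime.fromisoformat(f["ts"]) <= t + WINDOW
                           for f in file_mods)
        severity = "info" if e["parent"] in APPROVED_PARENTS else ("high" if corroborated else "medium")
        findings.append({"host": e["host"], "user": e["user"], "parent": e["parent"],
                         "cert": info["cert"], "corroborated": corroborated, "severity": severity})
    return findings
```

Running `analyze(EVENTS)` yields two findings: the MDM-driven change on mac-01 at informational severity and the Terminal-launched change on mac-02 at high severity; the login-keychain and `find-certificate` events produce nothing.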

Mitigation priorities

  • Maintain an approved inventory or process for trusted certificate deployment on macOS.
  • Restrict administrative ability to modify system keychains according to least-privilege principles.
  • Use managed endpoint configuration or change-control processes where certificate trust changes are required.
  • Review certificate trust changes during incident response when macOS traffic interception, identity trust, or endpoint integrity is in scope.
  • Preserve evidence of authorized certificate changes for compliance and audit readiness.

Analyst notes and limits

ATT&CK provides this as a macOS detection analytic focused on monitoring `security add-trusted-cert` and system keychain modifications. No tactic mapping, relationship context, aliases, or official detection logic were supplied, so this take emphasizes practical validation and governance rather than a specific rule implementation.

This assessment is limited to the supplied ATT&CK analytic fields and external reference. It does not establish active exploitation, attribution, business impact, or existing detection coverage. Local endpoint telemetry, administrative workflows, and certificate-management processes are required to determine risk and tuning.

Official MITRE ATT&CK definition

Analytic 0155

Detection of malicious certificate installation via monitoring execution of the `security add-trusted-cert` command and modifications to system keychains.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f55e96b92a133061...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | f55e96b92a13…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0155

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.