DET0056: Detection Strategy for Subvert Trust Controls via Install Root Certificate.
Analyst context for executives and security teams
This detection strategy is tied to ATT&CK technique T1553.004, Install Root Certificate, where an adversary may add a trusted root certificate so compromised systems trust adversary-controlled TLS certificates without user warnings. For leaders, the practical issue is trust integrity: if root certificate stores are not governed and monitored, encrypted traffic, user assurance, and security inspection assumptions can be undermined.
Executive priority
Prioritize this as a trust-control and defense-impairment concern across Windows, macOS, and Linux environments where the related ATT&CK technique applies. Executives should ask whether certificate store changes are authorized, logged, reviewed, and explainable during an incident or audit. This is especially relevant to business continuity and compliance evidence because unauthorized root trust changes can weaken confidence in secure communications and complicate incident response scoping.
Technical view
The supplied detection strategy object does not include official detection logic, platforms, or tactics of its own. Its relationship to T1553.004 provides the validation focus: monitor and investigate root certificate installation or modification activity on Linux, macOS, and Windows, especially where it affects system or application trust stores. SOC and IR teams should verify whether they can distinguish approved enterprise certificate deployment from unexpected local trust changes and whether investigations can tie the change to a user, process, host, time, and change mechanism.
Likely telemetry
- Certificate store change events from operating systems and managed endpoints
- Endpoint process execution and command-line telemetry associated with certificate management utilities or configuration changes
- File and registry or configuration change telemetry for system and application trust stores, where applicable
- Device management, software deployment, and administrative change records showing authorized certificate rollout
- Authentication and privilege-use logs for accounts that changed certificate trust settings
Detection direction
- Validate that monitoring covers root certificate additions and modifications on the platforms relevant to the related technique: Linux, macOS, and Windows.
- Tune detections to separate sanctioned enterprise root certificate deployment from unexpected, local, or user-initiated changes.
- Correlate certificate store changes with process, user, host, privilege, and change-management context to reduce false positives.
- Pay attention to blind spots where application-specific trust stores are not covered by standard operating system certificate monitoring.
- Because the official detection field is not provided, treat this as a coverage-validation requirement rather than a ready-to-implement analytic.
Mitigation priorities
- Establish ownership and approval workflows for enterprise root certificate deployment and removal.
- Restrict administrative rights needed to modify system or application trust stores.
- Maintain an inventory or baseline of approved root certificates and review deviations.
- Ensure endpoint logging and change-management evidence can support incident response and audit questions.
- Include certificate trust-store review in IR procedures when defense impairment or suspicious TLS trust behavior is suspected.
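The detection-direction and baseline points above can be exercised end to end: correlate each trust-store change with user, process, host, time and change mechanism, then compare it against an inventory of approved roots and sanctioned deployment accounts. The Python below is an added example, not code from the ATT&CK object or from Glexia. It assumes a normalised endpoint event schema (time, host, user, process, cmdline, target, thumbprint) that is not defined anywhere on this page, and every host, account name, thumbprint and event in it is constructed sample data. The registry paths, PowerShell `Cert:` drive, `certutil`, `security`, `keytool` and the Debian/RHEL CA-bundle commands are real platform mechanisms; the short store labels are the example's own convention. It also flags an application-specific store (a Java `cacerts` keystore) separately, to make the blind spot the page mentions visible in output.

```python
"""Triage root trust-store changes against an approved baseline.

Added example, not part of the ATT&CK object or the Glexia page. Events,
thumbprints, hosts and account names are constructed sample data; the event
field names are an assumed normalised endpoint schema.
"""
import re
from dataclasses import dataclass

# Indicators that an event touched a root (or application) trust store. The
# registry paths, PowerShell Cert: drive, certutil/security/keytool and the
# Debian/RHEL CA-bundle commands are real platform mechanisms; the labels are
# this example's own convention.
STORE_PATTERNS = [
    (r"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\", "windows-machine-root"),
    (r"HKCU\\Software\\Microsoft\\SystemCertificates\\Root\\", "windows-user-root"),
    (r"Cert:\\LocalMachine\\Root", "windows-machine-root"),
    (r"Cert:\\CurrentUser\\Root", "windows-user-root"),
    (r"certutil.*-addstore.*\broot\b", "windows-certutil-root"),
    (r"\bsecurity\b.*add-trusted-cert", "macos-keychain"),
    (r"\b(update-ca-certificates|update-ca-trust)\b", "linux-ca-bundle"),
    (r"\bkeytool\b.*-importcert.*cacerts", "java-cacerts"),
]
APP_SPECIFIC_STORES = {"java-cacerts"}  # usually outside OS-level certificate monitoring

@dataclass(frozen=True)
class Baseline:
    approved_thumbprints: frozenset  # inventory of approved enterprise roots (lowercase hex)
    deployment_accounts: frozenset   # accounts allowed to roll roots out (MDM, PKI service)
    deployment_processes: frozenset  # sanctioned change mechanisms (lowercase image names)

@dataclass
class Finding:
    host: str
    time: str
    user: str
    process: str
    mechanism: str
    thumbprint: str
    verdict: str
    reasons: list

def detect_store(event):
    """Return the trust-store label for an event, or None if it is unrelated."""
    haystack = " ".join(str(event.get(k, "")) for k in ("cmdline", "target"))
    for pattern, label in STORE_PATTERNS:
        if re.search(pattern, haystack, re.IGNORECASE):
            return label
    return None

def classify(event, baseline):
    """Classify one root-store change as sanctioned or needing investigation."""
    store = detect_store(event)
    if store is None:
        return None
    thumbprint = (event.get("thumbprint") or "").lower()
    reasons = []
    if thumbprint not in baseline.approved_thumbprints:   # empty thumbprint also fails
        reasons.append("thumbprint not in approved root inventory")
    if (event["user"] not in baseline.deployment_accounts
            and event["process"].lower() not in baseline.deployment_processes):
        reasons.append("change not made by an approved deployment account or process")
    if store == "windows-user-root":
        reasons.append("user-scope root store: outside normal enterprise deployment")
    if store in APP_SPECIFIC_STORES:
        reasons.append("application-specific trust store: confirm it is monitored and baselined")
    return Finding(event["host"], event["time"], event["user"], event["process"], store,
                   thumbprint or "<unknown>", "sanctioned" if not reasons else "investigate",
                   reasons)

def triage(events, baseline):
    """Run every event through classify() and keep only trust-store findings."""
    return [f for f in (classify(e, baseline) for e in events) if f is not None]

# Constructed baseline and events: no real thumbprints, hosts or accounts.
SAMPLE_BASELINE = Baseline(
    approved_thumbprints=frozenset({"aaaa1111bbbb2222cccc3333dddd4444eeee5555"}),
    deployment_accounts=frozenset({"CORP\\svc-pki-deploy", "mdm-agent"}),
    deployment_processes=frozenset({"mdmclient"}),
)
SAMPLE_EVENTS = [
    {"time": "2026-03-01T08:00:00Z", "host": "WS-101", "user": "CORP\\svc-pki-deploy",
     "process": "certutil.exe", "cmdline": "certutil -addstore root C:\\Deploy\\corp-root.cer",
     "target": "", "thumbprint": "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"},
    {"time": "2026-03-01T13:42:10Z", "host": "WS-233", "user": "CORP\\jdoe",
     "process": "powershell.exe", "target": "", "thumbprint": "9999feed" * 5,
     "cmdline": "Import-Certificate -FilePath C:\\Users\\jdoe\\Downloads\\proxy.cer "
                "-CertStoreLocation Cert:\\LocalMachine\\Root"},
    {"time": "2026-03-01T14:05:00Z", "host": "mac-17", "user": "mdm-agent", "process": "security",
     "cmdline": "security add-trusted-cert -d -r trustRoot -k "
                "/Library/Keychains/System.keychain /tmp/corp-root.pem",
     "target": "", "thumbprint": "aaaa1111bbbb2222cccc3333dddd4444eeee5555"},
    {"time": "2026-03-01T22:17:31Z", "host": "lnx-build-4", "user": "root",
     "process": "update-ca-certificates", "cmdline": "update-ca-certificates",
     "target": "/usr/local/share/ca-certificates/local-proxy.crt", "thumbprint": ""},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(f"{f.verdict:11} {f.time} {f.host} {f.user} {f.process} [{f.mechanism}] {f.thumbprint}")
        for reason in f.reasons:
            print(f"             - {reason}")
```

Run as a script it prints one line per trust-store change with its verdict and the reasons it needs a look; events that never touched a trust store produce nothing. The design choice that matters is that "sanctioned" requires both an approved thumbprint and an approved change mechanism: an approved root pushed by an unexpected account, or an unknown root pushed by the MDM account, both land in the investigate queue with a reason the analyst can act on.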
Analyst notes and limits
This object is a MITRE ATT&CK detection strategy, DET0056, for detecting T1553.004 Install Root Certificate. The strategy object itself has no official description, detection text, tactics, or platforms. The practical guidance above is therefore derived from the supplied relationship to the ATT&CK technique and its provided description, tactic, and platforms.
No official detection logic, data sources, analytics, or mitigation text was supplied for DET0056. Local environment details are required to determine which certificate stores exist, how certificates are legitimately deployed, what telemetry is available, and what constitutes anomalous behavior.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1553.004 | Install Root Certificate (sub-technique) | This object detects Install Root Certificate. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a6662f99e696… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0056 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.