SSL certificate tampering

What happened

{{ @file.path }} was created or modified by {{ @process.comm }}, potentially to subvert trust.

Goal

Detect potential tampering with SSL certificates.

Strategy

SSL certificates and other trust controls establish trust between systems. Attackers may attempt to subvert trust controls such as SSL certificates to trick systems or users into trusting attacker-owned assets, such as fake websites or falsely signed applications.

Triage and response

  1. Check whether there were any planned changes to the SSL certificate stores in your infrastructure.
  2. If these changes are not acceptable, roll back the host or container in question to a known trustworthy configuration.
  3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.
  4. Find and repair the root cause of the exploit.
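
For steps 1 and 2, diffing the certificate store against a snapshot taken when it was known good shows exactly which entries were added, removed or changed. This is an added example, not part of the detection rule or the Agent; the function names, the snapshot format and the sample store contents are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(store_dir):
    """Fingerprint every entry in a certificate store directory."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(store_dir):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, store_dir)
            if os.path.islink(full):
                # A retargeted symlink changes what is trusted even when
                # no certificate file content changed, so record the target.
                entries[rel] = "link:" + os.readlink(full)
            elif os.path.isfile(full):
                digest = hashlib.sha256(Path(full).read_bytes()).hexdigest()
                entries[rel] = "sha256:" + digest
    return entries


def diff_store(baseline, current):
    """Classify entries as added, removed or modified against the baseline."""
    shared = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
    }


def demo():
    """Constructed store: record a baseline, apply three changes, diff."""
    with tempfile.TemporaryDirectory() as store:
        for name in ("root-a.pem", "root-b.pem"):
            Path(store, name).write_text("constructed placeholder for " + name)
        link = os.path.join(store, "0a1b2c3d.0")
        os.symlink("root-a.pem", link)
        baseline = snapshot(store)
        Path(store, "extra.pem").write_text("constructed unplanned file")
        os.remove(link)
        os.symlink("extra.pem", link)
        os.remove(os.path.join(store, "root-b.pem"))
        return diff_store(baseline, snapshot(store))


if __name__ == "__main__":
    print(demo())
```

Entries reported as added or modified that do not match a planned change are the ones to carry into steps 2 and 3.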

Requires Agent version 7.27 or greater