mattifestation · December 22, 2017 15:27
diff --git a/RootCAInstallationDetection.xml b/RootCAInstallationDetection.xml
 <Sysmon schemaversion="3.4">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
    <RegistryEvent onmatch="include">
      <!-- LocalMachine or CurrentUser ROOT certificate installation -->
      <!-- Reference: https://technet.microsoft.com/en-us/library/cc783813(v=ws.10).aspx -->
      <TargetObject condition="contains">\Software\Microsoft\SystemCertificates\Root\Certificates\</TargetObject>
      <TargetObject condition="contains">\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\</TargetObject>
      <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\</TargetObject>
      <!-- LocalMachine or CurrentUser CA certificate installation -->
      <TargetObject condition="contains">\Software\Microsoft\SystemCertificates\CA\Certificates\</TargetObject>
      <TargetObject condition="contains">\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\</TargetObject>
      <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\</TargetObject>
      <!-- LocalMachine or CurrentUser AuthRoot certificate installation -->
      <TargetObject condition="contains">\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\</TargetObject>
      <TargetObject condition="contains">\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\</TargetObject>
      <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\</TargetObject>
    </RegistryEvent>
  </EventFiltering>
 </Sysmon>
	<Sysmon schemaversion="3.4">
	<HashAlgorithms>*</HashAlgorithms>
	<EventFiltering>
	<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
	<RegistryEvent onmatch="include">
	<!-- LocalMachine or CurrentUser ROOT certificate installation -->
	<!-- Reference: https://technet.microsoft.com/en-us/library/cc783813(v=ws.10).aspx -->
	<TargetObject condition="contains">\Software\Microsoft\SystemCertificates\Root\Certificates\</TargetObject>
	<TargetObject condition="contains">\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\</TargetObject>
	<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\</TargetObject>
	<!-- LocalMachine or CurrentUser CA certificate installation -->
	<TargetObject condition="contains">\Software\Microsoft\SystemCertificates\CA\Certificates\</TargetObject>
	<TargetObject condition="contains">\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\</TargetObject>
	<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\</TargetObject>
	<!-- LocalMachine or CurrentUser AuthRoot certificate installation -->
	<TargetObject condition="contains">\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\</TargetObject>
	<TargetObject condition="contains">\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\</TargetObject>
	<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\</TargetObject>
	</RegistryEvent>
	</EventFiltering>
	</Sysmon>