“was able to obtain these two pieces of information for a finite set of approved orders, they were able to obtain EV code signing certificates across a set of customer accounts and CAs." DigiCert says it revoked 60 code-signing certificates, including 27 linked to a "Zhong Ste…”
T1588.003 Code Signing Certificates
94%
“. Earlier today we determined false positive alerts were mistakenly triggered and updated the alert logic," Microsoft told BleepingComputer. "Microsoft Defender suppressed and cleaned up the alerts for customer environments. Customers should update to security intelligence vers…”
T1588.003 Code Signing Certificates
94%
“on X. "EV certificates from these companies were issued and used by a Chinese crime group, #GoldenEyeDog (#APT-Q-27)!" The malware in this campaign is named "Zhong Stealer," though analysis indicates it may be more like a remote access trojan (RAT) than an infosteal…”
T1588.004 Digital Certificates
64%
“Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha Update: Added Microsoft's statement to the end of the first section of this article. Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dh…”
T1587.004 Exploits
50%
“-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming. At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation …”
T1070 Indicator Removal
44%
“##5e4 On impacted systems, these certificates were removed from the AuthRoot store under this registry key: HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\ These false positives have led to concern among Windows users, with some thinking their device…”
T1036.001 Invalid Code Signature
37%
“Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha Update: Added Microsoft's statement to the end of the first section of this article. Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dh…”
T1588.003 Code Signing Certificates
32%
“Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha Update: Added Microsoft's statement to the end of the first section of this article. Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dh…”
T1553.004 Install Root Certificate
31%
“Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha Update: Added Microsoft's statement to the end of the first section of this article. Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dh…”
Summary
Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts, and in some cases, removing certificates from Windows. [...]