Certificate

A digital document that carries information such as the owner's identity and is used to establish trust in the public keys used to encrypt network communications.

ID: DS0037
Platform: PRE
Collection Layer: OSINT
Version: 1.0
Created: 20 October 2021
Last Modified: 25 April 2025

Data Components

Certificate: Certificate Registration

Certificate Registration refers to the collection and analysis of information about digital certificates, including current, revoked, and expired certificates. Sources such as Certificate Transparency logs and other public resources provide visibility into certificates issued for specific domains or organizations. Monitoring certificate registrations can help identify potential misuse, such as unauthorized certificates or signs of adversary reconnaissance. Examples:

  • Certificate Transparency Logs: These logs record the issuance of SSL/TLS certificates by trusted Certificate Authorities (CAs).
  • Revoked Certificates: Information about certificates that have been invalidated before their expiration date.
  • Expired Certificates: Reports of expired certificates for a domain, which may indicate lax security practices or opportunities for adversaries to exploit expired credentials.
  • Domain Monitoring for Certificates: Maps SSL/TLS certificates to domains and subdomains, helping to identify any rogue certificates.
  • Public Certificate Directories: Services providing APIs to query issued certificates for analysis.

This data component can be collected through the following measures:

Use Certificate Transparency Monitors

  • Tools like crt.sh, CertStream, or APIs provided by certificate authorities (CAs) allow you to monitor issued certificates in real-time.
  • Example: Use CertStream to stream certificate issuance logs and filter for domains of interest.

Analyze Certificate Revocation Sources

  • Monitor CRLs or query OCSP responders to detect revoked certificates.
  • Configure tools like OpenSSL or browsers to validate certificate revocation status automatically.

Leverage Public Scanning Tools

  • Use tools such as SSL Labs, Censys, or Shodan to scan for certificate details related to your domain or network.

Automate Certificate Monitoring

  • Set up automated scripts or services to parse Certificate Transparency logs for anomalies.
  • Example: Automate searches on crt.sh to identify certificates issued for typo-squatted domains.

Integrate with Threat Intelligence

  • Enrich certificate data with threat intelligence feeds to detect connections to known adversary-controlled infrastructure.
  • Tools like VirusTotal can identify malicious certificates based on associated indicators.
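The measures above (monitor issuance, watch for expiry, search for typo-squatted lookalikes, check the issuing CA) can be combined into one triage pass over Certificate Transparency results. The following script is an added example, not MITRE's code: it assumes records shaped like the JSON that crt.sh returns for a search (keys `issuer_name`, `name_value` with newline-separated names, `not_before`, `not_after`), and the records, the monitored domain `example.com` and the CA names are all constructed placeholders rather than real certificates.

```python
"""Triage Certificate Transparency records for a monitored domain.

Added example, not MITRE's code. It assumes records shaped like the JSON
that crt.sh returns for a search (keys issuer_name, name_value with
newline-separated names, not_before, not_after); the records below are
constructed samples, not real certificates. The domain and CA names are
placeholders for your own.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

MONITORED_DOMAIN = "example.com"            # assumption: the domain we operate
APPROVED_ISSUERS = {"Example Internal CA"}  # assumption: the CAs we actually use

# Constructed sample of crt.sh-style records (not real certificates).
SAMPLE_CT_RECORDS = json.loads("""
[
  {"issuer_name": "Example Internal CA",
   "name_value": "www.example.com\\nexample.com",
   "not_before": "2025-01-01T00:00:00", "not_after": "2026-01-01T00:00:00"},
  {"issuer_name": "Some Other Public CA",
   "name_value": "login.example.com",
   "not_before": "2025-03-01T00:00:00", "not_after": "2025-06-01T00:00:00"},
  {"issuer_name": "Some Other Public CA",
   "name_value": "examp1e.com\\nwww.examp1e.com",
   "not_before": "2025-03-01T00:00:00", "not_after": "2026-03-01T00:00:00"},
  {"issuer_name": "Example Internal CA",
   "name_value": "old.example.com",
   "not_before": "2023-01-01T00:00:00", "not_after": "2024-01-01T00:00:00"}
]
""")


def registrable_domain(name: str) -> str:
    """Last two labels of a DNS name (naive eTLD+1; assumes no multi-label
    public suffix such as co.uk appears in the input)."""
    labels = name.strip().lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-character typo-squats of the domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(record: dict, now: datetime) -> list[str]:
    """Findings for one record: an unapproved CA issuing for our domain,
    a lookalike registrable domain, or an expired certificate of ours."""
    names = record["name_value"].split("\n")
    domains = {registrable_domain(n) for n in names}
    is_ours = MONITORED_DOMAIN in domains
    findings = []
    if is_ours and record["issuer_name"] not in APPROVED_ISSUERS:
        findings.append("unapproved-issuer")
    for d in sorted(domains):
        if d != MONITORED_DOMAIN and levenshtein(d, MONITORED_DOMAIN) <= 1:
            findings.append(f"lookalike:{d}")
    not_after = datetime.fromisoformat(record["not_after"]).replace(tzinfo=timezone.utc)
    if is_ours and not_after < now:
        findings.append("expired")
    return findings


def triage(records: list[dict], now_iso: str) -> dict[str, list[str]]:
    """Map the first name of each flagged record to its findings;
    now_iso is the reference time, passed in so runs are reproducible."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    flagged = {}
    for rec in records:
        findings = classify(rec, now)
        if findings:
            flagged[rec["name_value"].split("\n")[0]] = findings
    return flagged


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CT_RECORDS, "2025-07-01T00:00:00"), indent=2))
```

In production the sample list would be replaced by the parsed response of a crt.sh query or a CertStream feed, and the one-character edit distance would be widened (homoglyphs, added hyphens, swapped TLDs) to match the lookalike patterns the organization actually sees.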

Detections

Domain: Enterprise
ID: T1588
Name: Obtain Capabilities
Detects: Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.[1] Some server-side components of adversary tools may have default values set for SSL/TLS certificates.[2] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.

Domain: Enterprise
ID: T1588.004
Name: Digital Certificates
Detects: Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.[1] Some server-side components of adversary tools may have default values set for SSL/TLS certificates.[2]
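The pivot described in both detection entries (start from one known certificate and find other hosts that present the same certificate, or one sharing its subject or issuer) can be run over the output of an Internet-wide scanning service. The script below is an added example, not MITRE's code: the records imitate the shape of scan results (host, port, SHA-256 fingerprint, subject, issuer), and every host, fingerprint and name in them is a constructed placeholder (RFC 5737 documentation addresses, obviously fake fingerprints), not real infrastructure and not any real tool's default certificate values.

```python
"""Pivot on shared certificate attributes across TLS scan results.

Added example, not MITRE's code. The records imitate the shape of results
from an Internet-wide scanning service (host, port, certificate SHA-256
fingerprint, subject, issuer). Every host, fingerprint and name below is a
constructed placeholder (RFC 5737 documentation addresses), not real
infrastructure.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample scan results; fingerprints are obviously fake.
SCAN_RESULTS = [
    {"host": "203.0.113.10", "port": 443, "sha256": "aa" * 32,
     "subject": "CN=cdn-update.example.net", "issuer": "CN=cdn-update.example.net"},
    {"host": "203.0.113.11", "port": 8443, "sha256": "aa" * 32,   # same cert reused
     "subject": "CN=cdn-update.example.net", "issuer": "CN=cdn-update.example.net"},
    {"host": "198.51.100.5", "port": 443, "sha256": "bb" * 32,    # new cert, same subject
     "subject": "CN=cdn-update.example.net", "issuer": "CN=Constructed Test CA"},
    {"host": "198.51.100.6", "port": 443, "sha256": "cc" * 32,    # unrelated host
     "subject": "CN=www.example.org", "issuer": "CN=Constructed Public CA"},
    {"host": "198.51.100.7", "port": 443, "sha256": "dd" * 32,    # unrelated self-signed
     "subject": "CN=other.example.org", "issuer": "CN=other.example.org"},
]

# Attributes worth pivoting on once the seed certificate is known.
PIVOT_KEYS = ("subject", "issuer")


def index_by(results: list[dict], key: str) -> dict[str, set[str]]:
    """Build an inverted index: attribute value -> hosts presenting it."""
    index: dict[str, set[str]] = defaultdict(set)
    for r in results:
        index[r[key]].add(r["host"])
    return index


def pivot(results: list[dict], seed_sha256: str) -> dict[str, set[str]]:
    """One-hop pivot from a known certificate fingerprint.

    Returns the hosts presenting the seed certificate itself under the key
    "fingerprint", plus, for each attribute in PIVOT_KEYS, any further hosts
    whose certificate shares that attribute value with the seed certificate.
    Only expansions that actually found new hosts are reported.
    """
    by_fp = index_by(results, "sha256")
    seed_hosts = by_fp.get(seed_sha256, set())
    found = {"fingerprint": set(seed_hosts)}
    if not seed_hosts:
        return found
    seed_certs = [r for r in results if r["sha256"] == seed_sha256]
    for key in PIVOT_KEYS:
        index = index_by(results, key)
        for value in {c[key] for c in seed_certs}:
            new_hosts = index[value] - seed_hosts
            if new_hosts:
                found[f"{key}={value}"] = new_hosts
    return found


def self_signed_hosts(results: list[dict]) -> set[str]:
    """Hosts whose certificate subject equals its issuer. A weak signal on its
    own, but a useful filter before pivoting on other attributes."""
    return {r["host"] for r in results if r["subject"] == r["issuer"]}


if __name__ == "__main__":
    for reason, hosts in pivot(SCAN_RESULTS, "aa" * 32).items():
        print(f"{reason}: {sorted(hosts)}")
    print("self-signed:", sorted(self_signed_hosts(SCAN_RESULTS)))
```

Each expansion is reported under the attribute that produced it, so an analyst can weigh a strong link (identical certificate) differently from a weaker one (shared subject string), and a second hop can be run from any newly found fingerprint.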

References