Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.[1] Some server-side components of adversary tools may have default values set for SSL/TLS certificates.[2]
Monitor for logged network traffic in response to a scan showing both protocol header and body values that may buy and/or steal SSL/TLS certificates that can be used during targeting. Detection efforts may be focused on related behaviors, such as Web Protocols, Asymmetric Cryptography, and/or Install Root Certificate.
| Data Component | Name | Channel |
|---|---|---|
| Certificate Registration (DC0093) | Certificate | None |
| Response Content (DC0104) | Internet Scan | None |