T1587.003

Digital Certificates

Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust and include key information, owner identity, and a digital signature from a verifying entity. In the case of self-signing, these certificates lack third-party CA trust but remain functional for encrypting traffic. Adversaries create self-signed certificates to encrypt C2 communications (as seen with APT29/WellMess using mutual TLS authentication), to enable adversary-in-the-middle attacks if installed as a trusted root certificate, or to impersonate legitimate services. PROMETHIUM used self-signed certificates for HTTPS C2, Gamaredon Group reused the same TLS certificate across infrastructure clusters, and Storm-0501 spoofed a 'Microsoft IT TLS CA 5' self-signed certificate. Detection must focus on observable side-effects: certificate generation tool execution on compromised hosts, suspicious certificate store modifications, and network TLS connections bearing anomalous certificate properties.

Microsoft Sentinel / Defender

kusto

// T1587.003 — Self-Signed Certificate Creation and Suspicious Certificate Operations
// Branch 1: Known certificate generation tool execution
let CertGenTools = dynamic(["openssl.exe", "openssl", "makecert.exe", "pvk2pfx.exe", "certmgr.exe"]);
let OpenSSLCertPatterns = dynamic(["req -new", "x509 -req", "genrsa", "genpkey", "pkcs12 -export", "-newkey rsa", "-newkey ec", "req -x509", "gencert", "-selfsign"]);
let CertToolExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (CertGenTools)
   or (FileName =~ "openssl" and ProcessCommandLine has_any (OpenSSLCertPatterns))
| extend DetectionBranch = "CertGenToolExecution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 2: PowerShell certificate creation via .NET or cmdlet
let PSCertPatterns = dynamic(["New-SelfSignedCertificate", "X509Certificate2", "System.Security.Cryptography.X509Certificates", "CertificateRequest", "RSACryptoServiceProvider", "ECDsaCng"]);
let PSCertCreate = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (PSCertPatterns)
| extend DetectionBranch = "PSCertificateCreation"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 3: certutil certificate import/store modification
let CertUtilImportPatterns = dynamic(["-addstore", "-addrepo", "-MergePFX", "-importpfx", "-p12", "-importcert"]);
let CertStorePaths = dynamic(["Root", "AuthRoot", "TrustedPublisher", "TrustedPeople", "CA"]);
let CertUtilOps = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any (CertUtilImportPatterns)
| extend TargetsRootStore = ProcessCommandLine has_any (CertStorePaths)
| extend DetectionBranch = "CertUtilStoreImport"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, TargetsRootStore;
// Branch 4: .pfx/.pem/.cer file creation in suspicious locations
let SuspiciousCertPaths = dynamic(["\\Temp\\", "\\AppData\\Local\\Temp\\", "\\Users\\Public\\", "\\ProgramData\\", "\\Windows\\Temp\\"]);
let CertFileCreate = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".pfx" or FileName endswith ".pem" or FileName endswith ".cer" or FileName endswith ".crt" or FileName endswith ".p12" or FileName endswith ".key"
| where FolderPath has_any (SuspiciousCertPaths)
| extend DetectionBranch = "SuspiciousCertFileCreation"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, FileName = FileName,
         ProcessCommandLine = InitiatingProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
union CertToolExec, PSCertCreate, CertUtilOps, CertFileCreate
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation File: File Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Development teams using openssl or New-SelfSignedCertificate to generate local development HTTPS certificates for localhost testing
PKI administrators and IT operations staff managing internal certificate authority infrastructure and importing trusted root certificates from enterprise CAs
DevOps pipelines (Jenkins, GitLab CI, GitHub Actions runners on Windows) that generate ephemeral self-signed certificates for containerized test environments
Security penetration testers and red team operators running authorized exercises involving certificate-based C2 simulation
Web server configuration scripts (IIS setup, Nginx automation) that auto-generate self-signed certificates during initial service configuration
Monitoring and observability agents (Datadog, Elastic Agent) that manage their own TLS certificates for encrypted data shipping

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval lower_image=lower(Image)
| eval lower_cmdline=lower(CommandLine)
| eval lower_parent=lower(ParentImage)
| eval IsCertGenTool=if(match(lower_image, "(openssl(\.exe)?|makecert\.exe|pvk2pfx\.exe)"), 1, 0)
| eval IsCertGenArgs=if(IsCertGenTool=1 AND match(lower_cmdline, "(req -new|x509 -req|genrsa|genpkey|pkcs12 -export|-newkey rsa|-newkey ec|req -x509|-selfsign)"), 1, 0)
| eval IsPSCertCreate=if(match(lower_image, "(powershell\.exe|pwsh\.exe)") AND match(lower_cmdline, "(new-selfsignedcertificate|x509certificate2|system\.security\.cryptography\.x509|certificaterequest|rsacryptoserviceprovider)"), 1, 0)
| eval IsCertUtilImport=if(match(lower_image, "certutil\.exe") AND match(lower_cmdline, "(-addstore|-addrepo|-mergepfx|-importpfx|-p12|-importcert)"), 1, 0)
| eval TargetsRootStore=if(IsCertUtilImport=1 AND match(lower_cmdline, "(root|authroot|trustedpublisher|trustedpeople)"), 1, 0)
| eval IsLolBinCert=if(match(lower_image, "(wmic\.exe|mshta\.exe|wscript\.exe|cscript\.exe)") AND match(lower_cmdline, "(certificate|certutil|pfx|openssl)"), 1, 0)
| eval DetectionBranch=case(
    IsCertGenArgs=1, "CertGenToolWithArgs",
    IsCertGenTool=1 AND IsCertGenArgs=0, "CertGenToolExecution",
    IsPSCertCreate=1, "PSCertificateCreation",
    TargetsRootStore=1, "RootCertStoreModification",
    IsCertUtilImport=1, "CertUtilImport",
    IsLolBinCert=1, "LOLBinCertOperation",
    true(), null())
| where isnotnull(DetectionBranch)
| eval SuspicionScore=IsCertGenArgs + IsPSCertCreate + IsCertUtilImport + TargetsRootStore + IsLolBinCert
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch, TargetsRootStore, SuspicionScore
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Development teams using openssl or New-SelfSignedCertificate to generate local development HTTPS certificates for localhost testing
PKI administrators and IT operations staff managing internal certificate authority infrastructure and importing trusted root certificates from enterprise CAs
DevOps pipelines running on Windows build agents that generate ephemeral self-signed certificates for containerized test environments
Security penetration testers and red team operators running authorized exercises involving certificate-based C2 simulation
Web server automation scripts that auto-generate self-signed certificates during IIS or Nginx initial configuration

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start"
    and (
      (
        process.name : ("openssl.exe", "openssl", "makecert.exe", "pvk2pfx.exe", "certmgr.exe")
        and process.command_line : ("* req -new*", "* x509 -req*", "* genrsa*", "* genpkey*", "* pkcs12 -export*", "* -newkey rsa*", "* -newkey ec*", "* req -x509*", "* -selfsign*")
      )
      or
      (
        process.name : ("powershell.exe", "pwsh.exe")
        and process.command_line : ("*New-SelfSignedCertificate*", "*X509Certificate2*", "*System.Security.Cryptography.X509Certificates*", "*CertificateRequest*", "*RSACryptoServiceProvider*", "*ECDsaCng*")
      )
      or
      (
        process.name : "certutil.exe"
        and process.command_line : ("*-addstore*", "*-addrepo*", "*-MergePFX*", "*-importpfx*", "*-p12*", "*-importcert*")
      )
      or
      (
        process.name : ("openssl.exe", "openssl", "makecert.exe", "pvk2pfx.exe", "certmgr.exe")
        and not process.command_line : ("* req -new*", "* x509 -req*", "* genrsa*", "* genpkey*", "* pkcs12 -export*", "* -newkey rsa*", "* -newkey ec*", "* req -x509*", "* -selfsign*")
      )
    )
  )
  or
  (
    event.category == "file" and event.type == "creation"
    and file.extension : ("pfx", "pem", "cer", "crt", "p12", "key")
    and file.path : ("*\\Temp\\*", "*\\AppData\\Local\\Temp\\*", "*\\Users\\Public\\*", "*\\ProgramData\\*", "*\\Windows\\Temp\\*")
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent (Endpoint integration) Winlogbeat with Sysmon module

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Legitimate PKI administrators or DevOps engineers using openssl or New-SelfSignedCertificate to generate test or internal-service certificates as part of authorized infrastructure provisioning workflows
Enterprise certificate lifecycle management software such as Venafi or DigiCert CertCentral agents that invoke certutil to deploy, renew, or revoke certificates on managed endpoints
Software packaging and code-signing pipelines where pvk2pfx.exe or makecert.exe are invoked by build automation (e.g., MSBuild, Azure DevOps) to sign application binaries or installers

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip AS host_ip,
  username,
  "Process Path" AS process_image,
  "Process CommandLine" AS command_line,
  CASE
    WHEN LOWER("Process Path") LIKE '%openssl%'
         AND (LOWER("Process CommandLine") LIKE '%req -new%'
              OR LOWER("Process CommandLine") LIKE '%x509 -req%'
              OR LOWER("Process CommandLine") LIKE '%genrsa%'
              OR LOWER("Process CommandLine") LIKE '%genpkey%'
              OR LOWER("Process CommandLine") LIKE '%-newkey rsa%'
              OR LOWER("Process CommandLine") LIKE '%-newkey ec%'
              OR LOWER("Process CommandLine") LIKE '%req -x509%'
              OR LOWER("Process CommandLine") LIKE '%-selfsign%')
    THEN 'CertGenToolWithArgs'
    WHEN (LOWER("Process Path") LIKE '%powershell.exe%' OR LOWER("Process Path") LIKE '%pwsh.exe%')
         AND (LOWER("Process CommandLine") LIKE '%new-selfsignedcertificate%'
              OR LOWER("Process CommandLine") LIKE '%x509certificate2%'
              OR LOWER("Process CommandLine") LIKE '%system.security.cryptography.x509%'
              OR LOWER("Process CommandLine") LIKE '%certificaterequest%'
              OR LOWER("Process CommandLine") LIKE '%rsacryptoserviceprovider%'
              OR LOWER("Process CommandLine") LIKE '%ecdsacng%')
    THEN 'PSCertificateCreation'
    WHEN LOWER("Process Path") LIKE '%certutil.exe%'
         AND (LOWER("Process CommandLine") LIKE '%-addstore%'
              OR LOWER("Process CommandLine") LIKE '%-addrepo%'
              OR LOWER("Process CommandLine") LIKE '%-mergepfx%'
              OR LOWER("Process CommandLine") LIKE '%-importpfx%'
              OR LOWER("Process CommandLine") LIKE '%-importcert%')
    THEN 'CertUtilStoreImport'
    WHEN LOWER("Process Path") LIKE '%makecert.exe%'
         OR LOWER("Process Path") LIKE '%pvk2pfx.exe%'
    THEN 'CertGenToolExecution'
    ELSE 'SuspiciousCertOperation'
  END AS detection_branch,
  CASE
    WHEN LOWER("Process CommandLine") LIKE '%authroot%'
         OR LOWER("Process CommandLine") LIKE '%trustedpublisher%'
         OR LOWER("Process CommandLine") LIKE '%trustedpeople%'
    THEN 'true'
    ELSE 'false'
  END AS targets_root_store
FROM events
WHERE LOGSOURCETIME > NOW() - 1 DAYS
  AND (
    LOWER("Process Path") LIKE '%openssl%'
    OR LOWER("Process Path") LIKE '%makecert.exe%'
    OR LOWER("Process Path") LIKE '%pvk2pfx.exe%'
    OR LOWER("Process Path") LIKE '%certmgr.exe%'
    OR (
      (LOWER("Process Path") LIKE '%powershell.exe%' OR LOWER("Process Path") LIKE '%pwsh.exe%')
      AND (
        LOWER("Process CommandLine") LIKE '%new-selfsignedcertificate%'
        OR LOWER("Process CommandLine") LIKE '%x509certificate2%'
        OR LOWER("Process CommandLine") LIKE '%certificaterequest%'
        OR LOWER("Process CommandLine") LIKE '%rsacryptoserviceprovider%'
        OR LOWER("Process CommandLine") LIKE '%ecdsacng%'
      )
    )
    OR (
      LOWER("Process Path") LIKE '%certutil.exe%'
      AND (
        LOWER("Process CommandLine") LIKE '%-addstore%'
        OR LOWER("Process CommandLine") LIKE '%-mergepfx%'
        OR LOWER("Process CommandLine") LIKE '%-importpfx%'
        OR LOWER("Process CommandLine") LIKE '%-importcert%'
      )
    )
  )
ORDER BY starttime DESC
LAST 1 DAYS

high severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Security Event Log DSM (Event ID 4688) Sysmon for Windows DSM (Event ID 1)

Required Tables

events

False Positives

Authorized IT administrators running certutil to import corporate CA root certificates during domain computer provisioning or group policy certificate distribution — especially common in managed enterprise environments
CI/CD build agents (Jenkins, Azure DevOps, TeamCity, GitHub Actions self-hosted runners) that invoke openssl or New-SelfSignedCertificate during test environment certificate provisioning on build servers
Third-party remote monitoring and management (RMM) platforms such as ConnectWise Automate or Datto RMM that use certutil internally to deploy endpoint certificates as part of managed service operations

Sumo Logic CSE

sql

_index=sec_record_process
| where (
    (
      matches(toLowerCase(baseImage), /openssl(\.exe)?|makecert\.exe|pvk2pfx\.exe|certmgr\.exe/)
      and matches(toLowerCase(commandLine), /req -new|x509 -req|genrsa|genpkey|pkcs12 -export|-newkey rsa|-newkey ec|req -x509|-selfsign/)
    )
    or (
      matches(toLowerCase(baseImage), /powershell\.exe|pwsh\.exe/)
      and matches(toLowerCase(commandLine), /new-selfsignedcertificate|x509certificate2|system\.security\.cryptography\.x509certificates|certificaterequest|rsacryptoserviceprovider|ecdsacng/)
    )
    or (
      matches(toLowerCase(baseImage), /certutil\.exe/)
      and matches(toLowerCase(commandLine), /-addstore|-addrepo|-mergepfx|-importpfx|-p12|-importcert/)
    )
    or (
      matches(toLowerCase(baseImage), /openssl(\.exe)?|makecert\.exe|pvk2pfx\.exe|certmgr\.exe/)
      and not matches(toLowerCase(commandLine), /req -new|x509 -req|genrsa|genpkey|pkcs12 -export|-newkey rsa|-newkey ec|req -x509|-selfsign/)
    )
  )
| if (matches(toLowerCase(baseImage), /openssl(\.exe)?|makecert\.exe|pvk2pfx\.exe/) and matches(toLowerCase(commandLine), /req -new|x509 -req|genrsa|genpkey|-newkey/), "CertGenToolWithArgs",
    if (matches(toLowerCase(baseImage), /powershell\.exe|pwsh\.exe/), "PSCertificateCreation",
      if (matches(toLowerCase(baseImage), /certutil\.exe/) and matches(toLowerCase(commandLine), /-addstore|-addrepo|-mergepfx|-importpfx|-importcert/), "CertUtilStoreImport",
        "CertGenToolExecution"))) as detectionBranch
| if (matches(toLowerCase(commandLine), /authroot|trustedpublisher|trustedpeople/), "true", "false") as targetsRootStore
| fields _messagetime, device_hostname, user_username, baseImage, commandLine, parentBaseImage, detectionBranch, targetsRootStore
| sort by _messagetime desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise (CSE) Windows Endpoint via Sumo Logic Installed Collector Sysmon via Sumo Logic Windows Collector with process event normalization

Required Tables

sec_record_process

False Positives

Help desk or endpoint management staff using certutil to push corporate root CA certificates to end-user machines as part of standard certificate deployment procedures or Active Directory Certificate Services enrollment
Local development workflows where developers run openssl req -x509 to generate self-signed certificates for running HTTPS locally (e.g., localhost TLS for web application development or Docker container services)
Automated certificate renewal agents (win-acme, Certify The Web, Posh-ACME) that call PowerShell certificate cmdlets or certutil on a recurring schedule to renew and import ACME-issued certificates

Google Chronicle / SecOps

yaral

rule t1587_003_self_signed_certificate_creation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects self-signed certificate creation via cert generation tools, PowerShell .NET crypto APIs, and certutil root store manipulation — MITRE T1587.003"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1587.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)(openssl(\.exe)?|makecert\.exe|pvk2pfx\.exe|certmgr\.exe)$`)
        and re.regex($e.target.process.command_line, `(?i)(req[\s]+-new|x509[\s]+-req|genrsa|genpkey|pkcs12[\s]+-export|-newkey[\s]+rsa|-newkey[\s]+ec|req[\s]+-x509|-selfsign)`)
      )
      or
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
        and re.regex($e.target.process.command_line, `(?i)(New-SelfSignedCertificate|X509Certificate2|System\.Security\.Cryptography\.X509Certificates|CertificateRequest|RSACryptoServiceProvider|ECDsaCng)`)
      )
      or
      (
        re.regex($e.target.process.file.full_path, `(?i)certutil\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(-addstore|-addrepo|-MergePFX|-importpfx|-p12|-importcert)`)
      )
      or
      (
        re.regex($e.target.process.file.full_path, `(?i)(openssl(\.exe)?|makecert\.exe|pvk2pfx\.exe|certmgr\.exe)$`)
        and not re.regex($e.target.process.command_line, `(?i)(req[\s]+-new|x509[\s]+-req|genrsa|genpkey|pkcs12[\s]+-export|-newkey[\s]+rsa|-newkey[\s]+ec|req[\s]+-x509|-selfsign)`)
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows Endpoint via Chronicle Forwarder Agent Sysmon events ingested and normalized into Chronicle UDM

Required Tables

PROCESS_LAUNCH UDM events

False Positives

System administrators using openssl or makecert.exe to generate SSL certificates for internal web services, development servers, or homelab environments during authorized change windows
Enterprise software installers that bundle and invoke openssl or certutil during product setup to configure HTTPS endpoints or import application-specific CA certificates (common with network appliance management software)
Automated infrastructure provisioning tools (Ansible, Chef, Puppet, Terraform provisioners) that execute certificate generation commands as part of idempotent system configuration management playbooks on managed nodes

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| lower_FileName := lower(FileName)
| lower_CommandLine := lower(CommandLine)
| IsCertGenTool := if(lower_FileName = /openssl(\.exe)?|makecert\.exe|pvk2pfx\.exe|certmgr\.exe/, 1, 0)
| IsCertGenArgs := if(IsCertGenTool = 1 and lower_CommandLine = /req -new|x509 -req|genrsa|genpkey|pkcs12 -export|-newkey rsa|-newkey ec|req -x509|-selfsign/, 1, 0)
| IsPSCertCreate := if(lower_FileName = /powershell\.exe|pwsh\.exe/ and lower_CommandLine = /new-selfsignedcertificate|x509certificate2|system\.security\.cryptography\.x509|certificaterequest|rsacryptoserviceprovider|ecdsacng/, 1, 0)
| IsCertUtilImport := if(lower_FileName = /certutil\.exe/ and lower_CommandLine = /-addstore|-addrepo|-mergepfx|-importpfx|-p12|-importcert/, 1, 0)
| TargetsRootStore := if(IsCertUtilImport = 1 and lower_CommandLine = /authroot|trustedpublisher|trustedpeople/, "true", "false")
| where IsCertGenTool = 1 or IsPSCertCreate = 1 or IsCertUtilImport = 1
| SuspicionScore := IsCertGenArgs + IsPSCertCreate + IsCertUtilImport + if(TargetsRootStore = "true", 1, 0)
| DetectionBranch := if(IsCertGenArgs = 1, "CertGenToolWithArgs",
    if(IsPSCertCreate = 1, "PSCertificateCreation",
      if(TargetsRootStore = "true", "RootCertStoreModification",
        if(IsCertUtilImport = 1, "CertUtilImport", "CertGenToolExecution"))))
| select([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionBranch, TargetsRootStore, SuspicionScore])
| sort(_time, order=desc, limit=1000)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Platform CrowdStrike LogScale (formerly Humio) Falcon Sensor process telemetry (ProcessRollup2)

Required Tables

ProcessRollup2

False Positives

Red team or authorized penetration testing engagements where certificate generation tools are part of the assessed technique set — particularly common in T1587 adversary simulation without suppression rules in place for the test scope
Software developers building cryptographic libraries, TLS inspection tools, or security scanning products who invoke openssl with certificate generation arguments during unit test suites on endpoints protected by Falcon
Network device provisioning workflows where an administrator workstation runs pvk2pfx.exe or certutil to convert and import device identity certificates for routers, load balancers, or SSL inspection appliances

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1587.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Digital Certificates

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections