Detect Digital Certificates in CrowdStrike LogScale
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust and include key information, owner identity, and a digital signature from a verifying entity. In the case of self-signing, these certificates lack third-party CA trust but remain functional for encrypting traffic. Adversaries create self-signed certificates to encrypt C2 communications (as seen with APT29/WellMess using mutual TLS authentication), to enable adversary-in-the-middle attacks if installed as a trusted root certificate, or to impersonate legitimate services. PROMETHIUM used self-signed certificates for HTTPS C2, Gamaredon Group reused the same TLS certificate across infrastructure clusters, and Storm-0501 spoofed a 'Microsoft IT TLS CA 5' self-signed certificate. Detection must focus on observable side-effects: certificate generation tool execution on compromised hosts, suspicious certificate store modifications, and network TLS connections bearing anomalous certificate properties.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1587 Develop Capabilities
- Sub-technique
- T1587.003 Digital Certificates
- Canonical reference
- https://attack.mitre.org/techniques/T1587/003/
LogScale Detection Query
#event_simpleName = ProcessRollup2
| lower_FileName := lower(FileName)
| lower_CommandLine := lower(CommandLine)
| IsCertGenTool := if(lower_FileName = /openssl(\.exe)?|makecert\.exe|pvk2pfx\.exe|certmgr\.exe/, 1, 0)
| IsCertGenArgs := if(IsCertGenTool = 1 and lower_CommandLine = /req -new|x509 -req|genrsa|genpkey|pkcs12 -export|-newkey rsa|-newkey ec|req -x509|-selfsign/, 1, 0)
| IsPSCertCreate := if(lower_FileName = /powershell\.exe|pwsh\.exe/ and lower_CommandLine = /new-selfsignedcertificate|x509certificate2|system\.security\.cryptography\.x509|certificaterequest|rsacryptoserviceprovider|ecdsacng/, 1, 0)
| IsCertUtilImport := if(lower_FileName = /certutil\.exe/ and lower_CommandLine = /-addstore|-addrepo|-mergepfx|-importpfx|-p12|-importcert/, 1, 0)
| TargetsRootStore := if(IsCertUtilImport = 1 and lower_CommandLine = /authroot|trustedpublisher|trustedpeople/, "true", "false")
| where IsCertGenTool = 1 or IsPSCertCreate = 1 or IsCertUtilImport = 1
| SuspicionScore := IsCertGenArgs + IsPSCertCreate + IsCertUtilImport + if(TargetsRootStore = "true", 1, 0)
| DetectionBranch := if(IsCertGenArgs = 1, "CertGenToolWithArgs",
if(IsPSCertCreate = 1, "PSCertificateCreation",
if(TargetsRootStore = "true", "RootCertStoreModification",
if(IsCertUtilImport = 1, "CertUtilImport", "CertGenToolExecution"))))
| select([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionBranch, TargetsRootStore, SuspicionScore])
| sort(_time, order=desc, limit=1000)CrowdStrike LogScale (Humio) detection using ProcessRollup2 Falcon sensor telemetry events. Identifies self-signed certificate creation via: (1) openssl/makecert/pvk2pfx execution with certificate generation argument signatures, (2) PowerShell .NET cryptographic certificate API invocations including New-SelfSignedCertificate and X509Certificate2 class instantiation, (3) certutil certificate store import operations. Includes suspicion scoring aligned to the SPL reference query and detection branch classification for analyst triage prioritization. TargetsRootStore flag elevates priority for certutil operations touching AuthRoot or TrustedPublisher stores.
Data Sources
Required Tables
False Positives & Tuning
- Red team or authorized penetration testing engagements where certificate generation tools are part of the assessed technique set — particularly common in T1587 adversary simulation without suppression rules in place for the test scope
- Software developers building cryptographic libraries, TLS inspection tools, or security scanning products who invoke openssl with certificate generation arguments during unit test suites on endpoints protected by Falcon
- Network device provisioning workflows where an administrator workstation runs pvk2pfx.exe or certutil to convert and import device identity certificates for routers, load balancers, or SSL inspection appliances
Other platforms for T1587.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Self-Signed Certificate with PowerShell New-SelfSignedCertificate
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'New-SelfSignedCertificate' and the DnsName value. Sysmon Event ID 11: File Create event for df00tech-test-cert.pfx in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 capturing the full certificate creation and export script. Registry Event ID 12/13 for the temporary certificate store entry under HKCU\SOFTWARE\Microsoft\SystemCertificates\My.
- Test 2Generate Self-Signed Certificate with OpenSSL
Expected signal: Sysmon Event ID 1: Two Process Create events — first for 'openssl req -x509' with -subj containing the spoofed Microsoft subject, second for 'openssl pkcs12 -export'. Sysmon Event IDs 11: File Create events for .key, .crt, and .pfx files in %TEMP%. The -subj value '/CN=Microsoft IT TLS CA 5' directly matches the Storm-0501 technique documented in ATT&CK.
- Test 3Import Self-Signed Certificate to Root Certificate Store
Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with CommandLine '-addstore Root' and the .cer file path. Sysmon Event ID 12/13: Registry key creation under HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>. Sysmon Event ID 11: File Create for the .cer export in %TEMP%. Security Event ID 4657 (if object access auditing enabled) for the registry write to the certificate store.
- Test 4Certificate Generation via OpenSSL on Linux
Expected signal: Linux auditd execve syscall records for each openssl invocation with full argument list. Syslog process execution entries for openssl. File creation events in /tmp for .pem and .pfx files. If Sysmon for Linux is deployed: Event ID 1 (Process Create) with Image=/usr/bin/openssl and full CommandLine capture including the spoofed -subj value.
References (10)
- https://attack.mitre.org/techniques/T1587/003/
- https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
- https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- https://www.mandiant.com/resources/blog/storm-0501-ransomware
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1587.003/T1587.003.md
Unlock Pro Content
Get the full detection package for T1587.003 including response playbook, investigation guide, and atomic red team tests.