Detect Digital Certificates in IBM QRadar
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust and include key information, owner identity, and a digital signature from a verifying entity. In the case of self-signing, these certificates lack third-party CA trust but remain functional for encrypting traffic. Adversaries create self-signed certificates to encrypt C2 communications (as seen with APT29/WellMess using mutual TLS authentication), to enable adversary-in-the-middle attacks if installed as a trusted root certificate, or to impersonate legitimate services. PROMETHIUM used self-signed certificates for HTTPS C2, Gamaredon Group reused the same TLS certificate across infrastructure clusters, and Storm-0501 spoofed a 'Microsoft IT TLS CA 5' self-signed certificate. Detection must focus on observable side-effects: certificate generation tool execution on compromised hosts, suspicious certificate store modifications, and network TLS connections bearing anomalous certificate properties.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1587 Develop Capabilities
- Sub-technique: T1587.003 Digital Certificates
- Canonical reference: https://attack.mitre.org/techniques/T1587/003/
QRadar Detection Query
SELECT
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
    logsourcename(logsourceid) AS log_source,
    sourceip AS host_ip,
    username,
    "Process Path" AS process_image,
    "Process CommandLine" AS command_line,
    CASE
        WHEN LOWER("Process Path") LIKE '%openssl%'
            AND (LOWER("Process CommandLine") LIKE '%req -new%'
                OR LOWER("Process CommandLine") LIKE '%x509 -req%'
                OR LOWER("Process CommandLine") LIKE '%genrsa%'
                OR LOWER("Process CommandLine") LIKE '%genpkey%'
                OR LOWER("Process CommandLine") LIKE '%-newkey rsa%'
                OR LOWER("Process CommandLine") LIKE '%-newkey ec%'
                OR LOWER("Process CommandLine") LIKE '%req -x509%'
                OR LOWER("Process CommandLine") LIKE '%-selfsign%')
            THEN 'CertGenToolWithArgs'
        WHEN (LOWER("Process Path") LIKE '%powershell.exe%' OR LOWER("Process Path") LIKE '%pwsh.exe%')
            AND (LOWER("Process CommandLine") LIKE '%new-selfsignedcertificate%'
                OR LOWER("Process CommandLine") LIKE '%x509certificate2%'
                OR LOWER("Process CommandLine") LIKE '%system.security.cryptography.x509%'
                OR LOWER("Process CommandLine") LIKE '%certificaterequest%'
                OR LOWER("Process CommandLine") LIKE '%rsacryptoserviceprovider%'
                OR LOWER("Process CommandLine") LIKE '%ecdsacng%')
            THEN 'PSCertificateCreation'
        WHEN LOWER("Process Path") LIKE '%certutil.exe%'
            AND (LOWER("Process CommandLine") LIKE '%-addstore%'
                OR LOWER("Process CommandLine") LIKE '%-addrepo%'
                OR LOWER("Process CommandLine") LIKE '%-mergepfx%'
                OR LOWER("Process CommandLine") LIKE '%-importpfx%'
                OR LOWER("Process CommandLine") LIKE '%-importcert%')
            THEN 'CertUtilStoreImport'
        WHEN LOWER("Process Path") LIKE '%makecert.exe%'
            OR LOWER("Process Path") LIKE '%pvk2pfx.exe%'
            THEN 'CertGenToolExecution'
        ELSE 'SuspiciousCertOperation'
    END AS detection_branch,
    CASE
        WHEN LOWER("Process CommandLine") LIKE '%authroot%'
            OR LOWER("Process CommandLine") LIKE '%trustedpublisher%'
            OR LOWER("Process CommandLine") LIKE '%trustedpeople%'
            THEN 'true'
        ELSE 'false'
    END AS targets_root_store
FROM events
WHERE (
    LOWER("Process Path") LIKE '%openssl%'
    OR LOWER("Process Path") LIKE '%makecert.exe%'
    OR LOWER("Process Path") LIKE '%pvk2pfx.exe%'
    OR LOWER("Process Path") LIKE '%certmgr.exe%'
    OR (
        (LOWER("Process Path") LIKE '%powershell.exe%' OR LOWER("Process Path") LIKE '%pwsh.exe%')
        AND (
            LOWER("Process CommandLine") LIKE '%new-selfsignedcertificate%'
            OR LOWER("Process CommandLine") LIKE '%x509certificate2%'
            OR LOWER("Process CommandLine") LIKE '%system.security.cryptography.x509%'
            OR LOWER("Process CommandLine") LIKE '%certificaterequest%'
            OR LOWER("Process CommandLine") LIKE '%rsacryptoserviceprovider%'
            OR LOWER("Process CommandLine") LIKE '%ecdsacng%'
        )
    )
    OR (
        LOWER("Process Path") LIKE '%certutil.exe%'
        AND (
            LOWER("Process CommandLine") LIKE '%-addstore%'
            OR LOWER("Process CommandLine") LIKE '%-addrepo%'
            OR LOWER("Process CommandLine") LIKE '%-mergepfx%'
            OR LOWER("Process CommandLine") LIKE '%-importpfx%'
            OR LOWER("Process CommandLine") LIKE '%-importcert%'
        )
    )
)
ORDER BY starttime DESC
LAST 1 DAYS

QRadar AQL detection for self-signed certificate generation and certificate store manipulation, using Windows process event data normalized via the Microsoft Windows or Sysmon DSM. It relies on the 'Process Path' and 'Process CommandLine' custom event properties mapped from Windows Security Event ID 4688 or Sysmon Event ID 1. The search window is set once, by the trailing LAST 1 DAYS clause, and the WHERE filter admits every pattern that the CASE branches classify, so each branch label is reachable. Branches cover openssl/makecert execution with certificate generation arguments, PowerShell .NET cryptographic API invocations, and certutil certificate store import operations, with a separate flag for command lines that name a trust store (AuthRoot, TrustedPublisher, TrustedPeople).
Data Sources
- Windows Security Event ID 4688 (process creation) or Sysmon Event ID 1, collected through the Microsoft Windows or Sysmon DSM, with the 'Process Path' and 'Process CommandLine' custom event properties populated
Required Tables
- events
False Positives & Tuning
- Authorized IT administrators running certutil to import corporate CA root certificates during domain computer provisioning or group policy certificate distribution — especially common in managed enterprise environments
- CI/CD build agents (Jenkins, Azure DevOps, TeamCity, GitHub Actions self-hosted runners) that invoke openssl or New-SelfSignedCertificate during test environment certificate provisioning on build servers
- Third-party remote monitoring and management (RMM) platforms such as ConnectWise Automate or Datto RMM that use certutil internally to deploy endpoint certificates as part of managed service operations
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Self-Signed Certificate with PowerShell New-SelfSignedCertificate
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'New-SelfSignedCertificate' and the DnsName value. Sysmon Event ID 11: File Create event for df00tech-test-cert.pfx in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 capturing the full certificate creation and export script. Registry Event ID 12/13 for the temporary certificate store entry under HKCU\SOFTWARE\Microsoft\SystemCertificates\My.
- Test 2: Generate Self-Signed Certificate with OpenSSL
Expected signal: Sysmon Event ID 1: Two Process Create events — first for 'openssl req -x509' with -subj containing the spoofed Microsoft subject, second for 'openssl pkcs12 -export'. Sysmon Event ID 11: File Create events for .key, .crt, and .pfx files in %TEMP%. The -subj value '/CN=Microsoft IT TLS CA 5' directly matches the Storm-0501 technique documented in ATT&CK.
- Test 3: Import Self-Signed Certificate to Root Certificate Store
Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with CommandLine '-addstore Root' and the .cer file path. Sysmon Event ID 12/13: Registry key creation under HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>. Sysmon Event ID 11: File Create for the .cer export in %TEMP%. Security Event ID 4657 (if object access auditing is enabled) for the registry write to the certificate store.
- Test 4: Certificate Generation via OpenSSL on Linux
Expected signal: Linux auditd execve syscall records for each openssl invocation with the full argument list. Syslog process execution entries for openssl. File creation events in /tmp for .pem and .pfx files. If Sysmon for Linux is deployed: Event ID 1 (Process Create) with Image=/usr/bin/openssl and full CommandLine capture including the spoofed -subj value.
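To check the query's pattern set against the command lines these tests produce before loading it into QRadar, here is an added Python mirror of the AQL WHERE filter and both CASE expressions (example code written for this page, not the page's query or any QRadar API). The sample process paths and command lines are constructed to resemble the Atomic tests above, not captured telemetry.

```python
# Added example, not the page's own code: Python mirror of the AQL WHERE
# filter and CASE branches, so the substring patterns can be tested offline.
OPENSSL_ARGS = ("req -new", "x509 -req", "genrsa", "genpkey", "-newkey rsa",
                "-newkey ec", "req -x509", "-selfsign")
PS_ARGS = ("new-selfsignedcertificate", "x509certificate2", "certificaterequest",
           "rsacryptoserviceprovider", "ecdsacng")          # as in the WHERE clause
PS_ARGS_CASE = PS_ARGS + ("system.security.cryptography.x509",)
CERTUTIL_ARGS = ("-addstore", "-mergepfx", "-importpfx", "-importcert")  # WHERE
CERTUTIL_ARGS_CASE = CERTUTIL_ARGS + ("-addrepo",)
ROOT_STORE_MARKERS = ("authroot", "trustedpublisher", "trustedpeople")
ANY_PATH = ("openssl", "makecert.exe", "pvk2pfx.exe", "certmgr.exe")

def _ps(path):
    return "powershell.exe" in path or "pwsh.exe" in path

def in_scope(path, cmd):
    """Mirror of the WHERE clause; inputs are already lower-cased."""
    return (any(t in path for t in ANY_PATH)
            or (_ps(path) and any(a in cmd for a in PS_ARGS))
            or ("certutil.exe" in path and any(a in cmd for a in CERTUTIL_ARGS)))

def classify(process_path, command_line):
    """Mirror of the two CASE expressions: (detection_branch, targets_root_store),
    or None when the WHERE clause would not return the event at all."""
    path, cmd = process_path.lower(), command_line.lower()
    if not in_scope(path, cmd):
        return None
    if "openssl" in path and any(a in cmd for a in OPENSSL_ARGS):
        branch = "CertGenToolWithArgs"
    elif _ps(path) and any(a in cmd for a in PS_ARGS_CASE):
        branch = "PSCertificateCreation"
    elif "certutil.exe" in path and any(a in cmd for a in CERTUTIL_ARGS_CASE):
        branch = "CertUtilStoreImport"
    elif "makecert.exe" in path or "pvk2pfx.exe" in path:
        branch = "CertGenToolExecution"
    else:
        branch = "SuspiciousCertOperation"
    return branch, any(m in cmd for m in ROOT_STORE_MARKERS)

# Constructed command lines resembling the Atomic tests above (not captured data).
SAMPLES = {
    "ps":   (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             "powershell -Command New-SelfSignedCertificate -DnsName df00tech.test"),
    "ssl":  (r"C:\Tools\openssl.exe", "openssl req -x509 -newkey rsa:2048 -out t.crt"),
    "root": (r"C:\Windows\System32\certutil.exe", r"certutil -addstore Root %TEMP%\t.cer"),
    "auth": (r"C:\Windows\System32\certutil.exe", r"certutil -addstore AuthRoot t.cer"),
    "ver":  (r"C:\Tools\openssl.exe", "openssl version"),        # noise: passes WHERE
    "repo": (r"C:\Windows\System32\certutil.exe", "certutil -addrepo C:\\x"),  # dropped
}
```

Running the samples shows two tuning points: Test 3's 'certutil -addstore Root' is classified CertUtilStoreImport but targets_root_store stays false, because that flag only keys on authroot, trustedpublisher and trustedpeople; and any openssl invocation without certificate arguments still passes the WHERE clause and lands in the SuspiciousCertOperation fallback.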
References (10)
- https://attack.mitre.org/techniques/T1587/003/
- https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
- https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- https://www.mandiant.com/resources/blog/storm-0501-ransomware
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1587.003/T1587.003.md