T1596.003 Digital Certificates Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let CertTransparencyServices = dynamic([
    "crt.sh", "censys.io", "shodan.io", "certspotter.com",
    "sslshopper.com", "certificatedetails.com", "ct.googleapis.com",
    "transparencyreport.google.com", "ctsearch.entrust.com",
    "search.censys.io", "api.certspotter.com", "certdb.com",
    "ssltools.com", "sslmate.com"
]);
let CertEnumToolNames = dynamic([
    "sslyze", "sslscan", "testssl", "tlsx", "certgraph",
    "tlsprobe", "zgrab", "zgrab2", "ctfr"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // Dedicated SSL/TLS certificate enumeration tools
    FileName has_any (CertEnumToolNames)
    or ProcessCommandLine has_any (CertEnumToolNames)
    // curl/wget querying CT log services
    or (FileName in~ ("curl.exe", "curl", "wget", "wget.exe")
        and ProcessCommandLine has_any (CertTransparencyServices))
    // PowerShell querying CT log APIs
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any (CertTransparencyServices))
    // Python scripts targeting CT services
    or (FileName in~ ("python.exe", "python3", "python3.exe", "python")
        and ProcessCommandLine has_any (CertTransparencyServices))
    // OpenSSL active certificate inspection via s_client
    or (FileName in~ ("openssl", "openssl.exe")
        and ProcessCommandLine has_any ("s_client", "x509", "-connect", "verify"))
    // certutil certificate enumeration operations
    or (FileName =~ "certutil.exe"
        and ProcessCommandLine has_any ("-dump", "-verify", "-store", "-URL", "-urlcache"))
)
| extend ToolCategory = case(
    FileName has_any (CertEnumToolNames) or ProcessCommandLine has_any (CertEnumToolNames), "CertEnumTool",
    ProcessCommandLine has_any (CertTransparencyServices), "CTLogQuery",
    FileName in~ ("openssl", "openssl.exe"), "OpenSSLProbe",
    FileName =~ "certutil.exe", "CertutilEnum",
    "Other"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FolderPath, SHA256, ToolCategory
| sort by Timestamp desc

medium severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Security team running TLS vulnerability assessments or certificate audits using sslyze, sslscan, or testssl.sh against internal or external infrastructure
DevSecOps pipelines querying crt.sh or CertSpotter APIs to monitor the organization's own certificate inventory for expiring, unauthorized, or mis-issued certificates
Network engineers using openssl s_client for TLS debugging, cipher suite negotiation verification, or certificate chain validation during incident response
Automated certificate monitoring or renewal tools (Certbot, ACME clients, internal PKI management scripts) performing certificate transparency checks or CA API queries
Penetration testers on authorized engagements performing external attack surface mapping that includes certificate reconnaissance

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmd=lower(CommandLine)
| eval img=lower(Image)
| eval CertEnumTool=if(
    match(img, "(sslyze|sslscan|testssl|tlsx|certgraph|tlsprobe|zgrab|ctfr)")
    OR match(cmd, "(sslyze|sslscan|testssl|tlsx|certgraph|zgrab2|ctfr)"),
    1, 0)
| eval CTLogQuery=if(
    match(cmd, "(crt\.sh|censys\.io|shodan\.io|certspotter\.com|sslshopper\.com|ct\.googleapis\.com|certdb\.com|sslmate\.com|ctsearch\.entrust\.com)"),
    1, 0)
| eval OpenSSLProbe=if(
    match(img, "openssl") AND match(cmd, "(s_client|x509|-connect|verify)"),
    1, 0)
| eval CertutilEnum=if(
    match(img, "certutil\.exe") AND match(cmd, "(-dump|-verify|-store|-url|-urlcache)"),
    1, 0)
| eval CurlCTQuery=if(
    match(img, "(curl|wget)") AND match(cmd, "(crt\.sh|censys|certspotter|shodan)"),
    1, 0)
| eval SuspicionScore=CertEnumTool + CTLogQuery + OpenSSLProbe + CertutilEnum + CurlCTQuery
| where SuspicionScore > 0
| eval DetectionCategory=case(
    CertEnumTool=1, "CertEnumTool",
    CTLogQuery=1, "CTLogQuery",
    OpenSSLProbe=1, "OpenSSLProbe",
    CertutilEnum=1, "CertutilEnum",
    CurlCTQuery=1, "CurlCTQuery",
    true(), "Other"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        CertEnumTool, CTLogQuery, OpenSSLProbe, CertutilEnum, CurlCTQuery,
        SuspicionScore, DetectionCategory
| sort - _time

medium severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Security team running TLS vulnerability assessments using sslyze or sslscan against internal or external infrastructure
DevSecOps certificate monitoring pipelines querying crt.sh or CertSpotter APIs to track the organization's certificate inventory
Network engineers using openssl s_client for TLS debugging, cipher negotiation testing, or certificate chain validation
Automated certificate renewal tools (Certbot, ACME clients) performing certificate transparency or CA verification checks
Authorized penetration testers performing external attack surface mapping including certificate reconnaissance

Elastic Security (EQL)

eql

// T1596.003 — Digital Certificates Recon
any where event.dataset : "network_traffic.http"
  and (url.domain : ("crt.sh", "censys.io", "shodan.io", "certspotter.com",
    "ct.googleapis.com", "transparencyreport.google.com")
  or http.request.body.content : ("*commonName*", "*subjectAltName*", "*certificate*"))

medium severity low confidence

Data Sources

Elastic Endpoint Security Sysmon (winlogbeat)

Required Tables

logs-endpoint.events.process-*

False Positives

Security team running TLS vulnerability assessments or certificate audits using sslyze, sslscan, or testssl.sh against internal or external infrastructure
DevSecOps pipelines querying crt.sh or CertSpotter APIs to monitor the organization's own certificate inventory for expiring, unauthorized, or mis-issued certificates
Network engineers using openssl s_client for TLS debugging, cipher suite negotiation verification, or certificate chain validation during incident response
Automated certificate monitoring or renewal tools (Certbot, ACME clients, internal PKI management scripts) performing certificate transparency checks or CA API queries

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("destinationhostname") ILIKE '%crt.sh%' OR LOWER("destinationhostname") ILIKE '%censys.io%' OR LOWER("destinationhostname") ILIKE '%shodan.io%' OR LOWER("destinationhostname") ILIKE '%certspotter.com%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("destinationhostname") ILIKE '%crt.sh%' OR LOWER("destinationhostname") ILIKE '%censys.io%' OR LOWER("destinationhostname") ILIKE '%shodan.io%' OR LOWER("destinationhostname") ILIKE '%certspotter.com%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity low confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Security team running TLS vulnerability assessments or certificate audits using sslyze, sslscan, or testssl.sh against internal or external infrastructure
DevSecOps pipelines querying crt.sh or CertSpotter APIs to monitor the organization's own certificate inventory for expiring, unauthorized, or mis-issued certificates
Network engineers using openssl s_client for TLS debugging, cipher suite negotiation verification, or certificate chain validation during incident response
Automated certificate monitoring or renewal tools (Certbot, ACME clients, internal PKI management scripts) performing certificate transparency checks or CA API queries

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| json auto
| where EventCode = 1
| where Image matches "*powershell*" or Image matches "*wmic*" or Image matches "*cmd*"
| count by host, User, Image, CommandLine
| sort by _count desc

medium severity low confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

windows/events security/sysmon

False Positives

Security team running TLS vulnerability assessments or certificate audits using sslyze, sslscan, or testssl.sh against internal or external infrastructure
DevSecOps pipelines querying crt.sh or CertSpotter APIs to monitor the organization's own certificate inventory for expiring, unauthorized, or mis-issued certificates
Network engineers using openssl s_client for TLS debugging, cipher suite negotiation verification, or certificate chain validation during incident response
Automated certificate monitoring or renewal tools (Certbot, ACME clients, internal PKI management scripts) performing certificate transparency checks or CA API queries

Google Chronicle / SecOps

yaral

rule t1596_003_digital_certificates {
  meta:
    author = "df00tech"
    description = "Detects Digital Certificates (T1596.003)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1596.003"
    confidence = "low"
    severity = "medium"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
  condition:
    $e
}

medium severity low confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

PROCESS_LAUNCH PROCESS_OPEN

False Positives

Security team running TLS vulnerability assessments or certificate audits using sslyze, sslscan, or testssl.sh against internal or external infrastructure
DevSecOps pipelines querying crt.sh or CertSpotter APIs to monitor the organization's own certificate inventory for expiring, unauthorized, or mis-issued certificates
Network engineers using openssl s_client for TLS debugging, cipher suite negotiation verification, or certificate chain validation during incident response
Automated certificate monitoring or renewal tools (Certbot, ACME clients, internal PKI management scripts) performing certificate transparency checks or CA API queries

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /powershell\.exe|wmic\.exe|cmd\.exe/i
| CommandLine = /recon|enum|survey|harvest|osint/i
| case {
    CommandLine = /win32_bios|win32_baseboard|bios/i => TechniqueLabel := "T1596.003 - FirmwareEnum";
    CommandLine = /theharvester|recon-ng|spiderfoot/i => TechniqueLabel := "T1596.003 - OSINTTool";
    * => TechniqueLabel := "T1596.003 - Reconnaissance"
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

medium severity low confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

ProcessRollup2 ProcessRollup2

False Positives

Security team running TLS vulnerability assessments or certificate audits using sslyze, sslscan, or testssl.sh against internal or external infrastructure
DevSecOps pipelines querying crt.sh or CertSpotter APIs to monitor the organization's own certificate inventory for expiring, unauthorized, or mis-issued certificates
Network engineers using openssl s_client for TLS debugging, cipher suite negotiation verification, or certificate chain validation during incident response
Automated certificate monitoring or renewal tools (Certbot, ACME clients, internal PKI management scripts) performing certificate transparency checks or CA API queries

Digital Certificates

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections