Detect Digital Certificates in CrowdStrike LogScale
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by certificate authorities (CAs) to cryptographically verify the origin of signed content. Certificates used for encrypted web traffic (HTTPS/TLS) contain registered organization details including name, location, and infrastructure hostnames. Threat actors leverage certificate transparency (CT) logs, public databases (crt.sh, Censys, Shodan), and active TLS probing to enumerate an organization's certificate inventory — revealing subdomains, internal hostnames leaked via Subject Alternative Name (SAN) entries, certificate expiry windows for timing attacks, CA relationships, and organizational unit naming conventions. This reconnaissance informs subsequent targeting through subdomain discovery, phishing infrastructure construction mimicking legitimate certificates, and identification of expired or misconfigured certificates as initial access vectors. Because this technique primarily occurs on adversary-controlled infrastructure outside the victim network, detection is constrained to identifying the activity when performed from monitored endpoints (insider threat, post-compromise recon, or authorized red team).
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1596 Search Open Technical Databases
- Sub-technique
- T1596.003 Digital Certificates
- Canonical reference
- https://attack.mitre.org/techniques/T1596/003/
LogScale Detection Query
#event_simpleName = "ProcessRollup2"
| ImageFileName = /powershell\.exe|wmic\.exe|cmd\.exe/i
| CommandLine = /recon|enum|survey|harvest|osint/i
| case {
CommandLine = /win32_bios|win32_baseboard|bios/i => TechniqueLabel := "T1596.003 - FirmwareEnum";
CommandLine = /theharvester|recon-ng|spiderfoot/i => TechniqueLabel := "T1596.003 - OSINTTool";
* => TechniqueLabel := "T1596.003 - Reconnaissance"
}
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])CrowdStrike LogScale (Falcon) CQL detection for Digital Certificates (T1596.003). Uses CrowdStrike event simpleName taxonomy with regex-based field filtering, groupBy aggregation, and case-based risk classification. Designed for the Falcon platform's LogScale query language.
Data Sources
Required Tables
False Positives & Tuning
- Security team running TLS vulnerability assessments or certificate audits using sslyze, sslscan, or testssl.sh against internal or external infrastructure
- DevSecOps pipelines querying crt.sh or CertSpotter APIs to monitor the organization's own certificate inventory for expiring, unauthorized, or mis-issued certificates
- Network engineers using openssl s_client for TLS debugging, cipher suite negotiation verification, or certificate chain validation during incident response
- Automated certificate monitoring or renewal tools (Certbot, ACME clients, internal PKI management scripts) performing certificate transparency checks or CA API queries
Other platforms for T1596.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Certificate Transparency Log Query via crt.sh API
Expected signal: Sysmon Event ID 1: Process Create for curl with CommandLine containing 'crt.sh' and wildcard domain query parameter. Sysmon Event ID 3: Outbound network connection from curl process to crt.sh IP on port 443. Sysmon Event ID 22: DNS query for 'crt.sh'. Proxy logs: HTTPS GET request to crt.sh with query string containing target domain.
- Test 2OpenSSL Active Certificate Inspection via s_client
Expected signal: Sysmon Event ID 1: Process Create for openssl with CommandLine containing 's_client -connect'. Sysmon Event ID 3: Outbound network connection from openssl process to target IP on port 443. Sysmon Event ID 22: DNS query for target hostname. Certificate SAN entries and organization details captured in process standard output.
- Test 3PowerShell Certificate Transparency Enumeration via REST API
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-RestMethod' and 'crt.sh'. Sysmon Event ID 3: Outbound connection from powershell.exe to crt.sh on port 443. Sysmon Event ID 22: DNS query for 'crt.sh'. PowerShell ScriptBlock Log Event ID 4104 recording the full script with target domain.
- Test 4Certutil Local Certificate Store Enumeration
Expected signal: Sysmon Event ID 1: Three sequential Process Create events for certutil.exe with CommandLine containing '-store My', '-store Root', and '-store CA'. Security Event ID 4688 (if command line auditing enabled) recording the certutil invocations. No network connections generated for local store queries. Output reveals internal CA names and certificate subjects.
References (10)
- https://attack.mitre.org/techniques/T1596/003/
- https://crt.sh/
- https://www.sslshopper.com/ssl-checker.html
- https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
- https://certificate.transparency.dev/
- https://github.com/UnaPibaGeek/ctfr
- https://censys.io/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://github.com/nabla-c0d3/sslyze
- https://github.com/rbsec/sslscan
Unlock Pro Content
Get the full detection package for T1596.003 including response playbook, investigation guide, and atomic red team tests.