Detect Digital Certificates in Microsoft Sentinel
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by certificate authorities (CAs) to cryptographically verify the origin of signed content. Certificates used for encrypted web traffic (HTTPS/TLS) contain registered organization details including name, location, and infrastructure hostnames. Threat actors leverage certificate transparency (CT) logs, public databases (crt.sh, Censys, Shodan), and active TLS probing to enumerate an organization's certificate inventory — revealing subdomains, internal hostnames leaked via Subject Alternative Name (SAN) entries, certificate expiry windows for timing attacks, CA relationships, and organizational unit naming conventions. This reconnaissance informs subsequent targeting through subdomain discovery, phishing infrastructure construction mimicking legitimate certificates, and identification of expired or misconfigured certificates as initial access vectors. Because this technique primarily occurs on adversary-controlled infrastructure outside the victim network, detection is constrained to identifying the activity when performed from monitored endpoints (insider threat, post-compromise recon, or authorized red team).
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1596 Search Open Technical Databases
- Sub-technique
- T1596.003 Digital Certificates
- Canonical reference
- https://attack.mitre.org/techniques/T1596/003/
KQL Detection Query
let CertTransparencyServices = dynamic([
"crt.sh", "censys.io", "shodan.io", "certspotter.com",
"sslshopper.com", "certificatedetails.com", "ct.googleapis.com",
"transparencyreport.google.com", "ctsearch.entrust.com",
"search.censys.io", "api.certspotter.com", "certdb.com",
"ssltools.com", "sslmate.com"
]);
let CertEnumToolNames = dynamic([
"sslyze", "sslscan", "testssl", "tlsx", "certgraph",
"tlsprobe", "zgrab", "zgrab2", "ctfr"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
// Dedicated SSL/TLS certificate enumeration tools
FileName has_any (CertEnumToolNames)
or ProcessCommandLine has_any (CertEnumToolNames)
// curl/wget querying CT log services
or (FileName in~ ("curl.exe", "curl", "wget", "wget.exe")
and ProcessCommandLine has_any (CertTransparencyServices))
// PowerShell querying CT log APIs
or (FileName in~ ("powershell.exe", "pwsh.exe")
and ProcessCommandLine has_any (CertTransparencyServices))
// Python scripts targeting CT services
or (FileName in~ ("python.exe", "python3", "python3.exe", "python")
and ProcessCommandLine has_any (CertTransparencyServices))
// OpenSSL active certificate inspection via s_client
or (FileName in~ ("openssl", "openssl.exe")
and ProcessCommandLine has_any ("s_client", "x509", "-connect", "verify"))
// certutil certificate enumeration operations
or (FileName =~ "certutil.exe"
and ProcessCommandLine has_any ("-dump", "-verify", "-store", "-URL", "-urlcache"))
)
| extend ToolCategory = case(
FileName has_any (CertEnumToolNames) or ProcessCommandLine has_any (CertEnumToolNames), "CertEnumTool",
ProcessCommandLine has_any (CertTransparencyServices), "CTLogQuery",
FileName in~ ("openssl", "openssl.exe"), "OpenSSLProbe",
FileName =~ "certutil.exe", "CertutilEnum",
"Other"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
FolderPath, SHA256, ToolCategory
| sort by Timestamp descDetects certificate reconnaissance activity from monitored endpoints using Microsoft Defender for Endpoint DeviceProcessEvents. Identifies four detection categories: (1) execution of dedicated SSL/TLS enumeration tools (sslyze, sslscan, tlsx, zgrab2, ctfr), (2) curl/wget/PowerShell/Python queries to certificate transparency log services (crt.sh, Censys, Shodan, CertSpotter), (3) OpenSSL s_client probing for active certificate inspection, and (4) certutil operations suggesting certificate enumeration. Low confidence reflects the PRE-attack nature of this technique — the majority of adversary activity occurs outside the victim environment on attacker-controlled infrastructure. This detection is most valuable for catching insider threats, post-compromise reconnaissance from compromised endpoints, or providing context during authorized red team engagements.
Data Sources
Required Tables
False Positives & Tuning
- Security team running TLS vulnerability assessments or certificate audits using sslyze, sslscan, or testssl.sh against internal or external infrastructure
- DevSecOps pipelines querying crt.sh or CertSpotter APIs to monitor the organization's own certificate inventory for expiring, unauthorized, or mis-issued certificates
- Network engineers using openssl s_client for TLS debugging, cipher suite negotiation verification, or certificate chain validation during incident response
- Automated certificate monitoring or renewal tools (Certbot, ACME clients, internal PKI management scripts) performing certificate transparency checks or CA API queries
- Penetration testers on authorized engagements performing external attack surface mapping that includes certificate reconnaissance
Other platforms for T1596.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Certificate Transparency Log Query via crt.sh API
Expected signal: Sysmon Event ID 1: Process Create for curl with CommandLine containing 'crt.sh' and wildcard domain query parameter. Sysmon Event ID 3: Outbound network connection from curl process to crt.sh IP on port 443. Sysmon Event ID 22: DNS query for 'crt.sh'. Proxy logs: HTTPS GET request to crt.sh with query string containing target domain.
- Test 2OpenSSL Active Certificate Inspection via s_client
Expected signal: Sysmon Event ID 1: Process Create for openssl with CommandLine containing 's_client -connect'. Sysmon Event ID 3: Outbound network connection from openssl process to target IP on port 443. Sysmon Event ID 22: DNS query for target hostname. Certificate SAN entries and organization details captured in process standard output.
- Test 3PowerShell Certificate Transparency Enumeration via REST API
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-RestMethod' and 'crt.sh'. Sysmon Event ID 3: Outbound connection from powershell.exe to crt.sh on port 443. Sysmon Event ID 22: DNS query for 'crt.sh'. PowerShell ScriptBlock Log Event ID 4104 recording the full script with target domain.
- Test 4Certutil Local Certificate Store Enumeration
Expected signal: Sysmon Event ID 1: Three sequential Process Create events for certutil.exe with CommandLine containing '-store My', '-store Root', and '-store CA'. Security Event ID 4688 (if command line auditing enabled) recording the certutil invocations. No network connections generated for local store queries. Output reveals internal CA names and certificate subjects.
References (10)
- https://attack.mitre.org/techniques/T1596/003/
- https://crt.sh/
- https://www.sslshopper.com/ssl-checker.html
- https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
- https://certificate.transparency.dev/
- https://github.com/UnaPibaGeek/ctfr
- https://censys.io/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://github.com/nabla-c0d3/sslyze
- https://github.com/rbsec/sslscan
Unlock Pro Content
Get the full detection package for T1596.003 including response playbook, investigation guide, and atomic red team tests.