T1596.003 Splunk · SPL

Detect Digital Certificates in Splunk

Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by certificate authorities (CAs) to bind a public key to an identity and to cryptographically verify the origin of signed content. Certificates used for encrypted web traffic (HTTPS/TLS) always name the hostnames they cover; organization-validated and extended-validation certificates additionally carry the registered organization's name and location. Threat actors leverage certificate transparency (CT) logs, public databases (crt.sh, Censys, Shodan), and active TLS probing to enumerate an organization's certificate inventory, revealing subdomains, internal hostnames leaked via Subject Alternative Name (SAN) entries, certificate expiry windows that can be used to time renewal-themed lures, CA relationships (including the names of internal PKI issuers), and organizational unit naming conventions. This reconnaissance informs subsequent targeting through subdomain discovery, phishing infrastructure built to mimic legitimate certificates, and identification of expired or misconfigured certificates as initial access vectors. Because this technique primarily occurs on adversary-controlled infrastructure outside the victim network, detection is constrained to identifying the activity when it is performed from monitored endpoints (insider threat, post-compromise reconnaissance, or an authorized red team).
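To make the "what the adversary learns" part concrete, the following Python is an added example (not code from this page or from any tool it names) that turns a crt.sh-style JSON answer into the hostname inventory, issuer relationships and expiry windows described above. The sample response, the INTERNAL_HINTS heuristic and the function names are assumptions made for the example; the response is constructed and is not real CT log content.

```python
"""Added example: parse a constructed crt.sh-style JSON response into the
inventory an adversary extracts from certificate transparency data."""
import json
from collections import Counter
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=%25.example.com&output=json, trimmed to the fields used
# here. `name_value` carries the SAN entries of each logged certificate,
# newline-separated. The second entry is an older renewal of the first.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2023-10-11T00:00:00", "not_after": "2024-01-09T23:59:59"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nvpn-dev.corp.example.com\nsso-staging.example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2025-02-01T23:59:59"},
    {"issuer_name": "CN=Example Corp Internal Issuing CA 01, DC=corp, DC=example, DC=com",
     "common_name": "gitlab.corp.example.com",
     "name_value": "gitlab.corp.example.com\n*.corp.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2026-03-01T23:59:59"},
])

# Substrings that commonly mark internal or non-production infrastructure.
# A heuristic chosen for this example, not a standard list.
INTERNAL_HINTS = ("corp.", "internal", "intranet", "dev", "staging", "test", "vpn")


def inventory(raw_json: str) -> Tuple[Set[str], Counter]:
    """Deduplicated hostnames from every SAN entry, plus certificates per issuer.
    The same name appears in many CT entries (renewals, several logs), so a set
    is essential; the issuer count exposes CA relationships, internal PKI included."""
    hosts: Set[str] = set()
    issuers: Counter = Counter()
    for entry in json.loads(raw_json):
        issuers[entry["issuer_name"]] += 1
        for name in entry["name_value"].splitlines():
            name = name.strip().lower()
            if name:
                hosts.add(name)
    return hosts, issuers


def interesting_hosts(hosts: Set[str]) -> List[str]:
    """Names an attacker looks at first: internal zones, dev/staging, VPN endpoints."""
    return sorted(h for h in hosts if any(hint in h for hint in INTERNAL_HINTS))


def expiring_within(raw_json: str, now_iso: str, days: int) -> List[str]:
    """Certificates still valid at `now_iso` but expiring inside the window:
    the expiry window an adversary can time a renewal-themed lure against."""
    now = datetime.fromisoformat(now_iso)
    deadline = now + timedelta(days=days)
    hits = set()
    for entry in json.loads(raw_json):
        not_after = datetime.fromisoformat(entry["not_after"])
        if now <= not_after <= deadline:
            hits.add(entry["common_name"])
    return sorted(hits)


if __name__ == "__main__":
    hosts, issuers = inventory(SAMPLE_CRTSH_JSON)
    print(f"{len(hosts)} unique names; interesting: {interesting_hosts(hosts)}")
    print("issuers:", dict(issuers))
    print("expiring soon:", expiring_within(SAMPLE_CRTSH_JSON, "2024-03-25T00:00:00", 30))
```

Running it against the constructed sample shows why one logged certificate matters more than its hostname count suggests: the wildcard `*.corp.example.com` and the internal issuing CA name come from a single entry, yet they reveal both an internal DNS zone and the existence of enterprise PKI.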

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1596 Search Open Technical Databases
Sub-technique
T1596.003 Digital Certificates
Canonical reference
https://attack.mitre.org/techniques/T1596/003/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmd=lower(CommandLine)
| eval img=lower(Image)
| eval CertEnumTool=if(
    match(img, "(sslyze|sslscan|testssl|tlsx|certgraph|tlsprobe|zgrab|ctfr)")
    OR match(cmd, "(sslyze|sslscan|testssl|tlsx|certgraph|tlsprobe|zgrab|ctfr)"),
    1, 0)
| eval CTLogQuery=if(
    match(cmd, "(crt\.sh|censys\.io|shodan\.io|certspotter\.com|sslshopper\.com|ct\.googleapis\.com|certdb\.com|sslmate\.com|ctsearch\.entrust\.com)"),
    1, 0)
| eval OpenSSLProbe=if(
    match(img, "openssl") AND match(cmd, "(s_client|x509|-connect|verify)"),
    1, 0)
| eval CertutilEnum=if(
    match(img, "certutil\.exe") AND match(cmd, "(-dump|-verify|-store|-url)"),
    1, 0)
| eval CurlCTQuery=if(
    match(img, "(curl|wget)") AND match(cmd, "(crt\.sh|censys|certspotter|shodan)"),
    1, 0)
| eval SuspicionScore=CertEnumTool + CTLogQuery + OpenSSLProbe + CertutilEnum + CurlCTQuery
| where SuspicionScore > 0
| eval DetectionCategory=case(
    CertEnumTool=1, "CertEnumTool",
    CTLogQuery=1, "CTLogQuery",
    OpenSSLProbe=1, "OpenSSLProbe",
    CertutilEnum=1, "CertutilEnum",
    CurlCTQuery=1, "CurlCTQuery",
    true(), "Other"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        CertEnumTool, CTLogQuery, OpenSSLProbe, CertutilEnum, CurlCTQuery,
        SuspicionScore, DetectionCategory
| sort - _time
Severity: medium · Confidence: low

Detects certificate reconnaissance activity using Sysmon Event ID 1 (Process Create). Evaluates process image names and command lines across five detection categories: dedicated TLS enumeration tools, certificate transparency log service queries, OpenSSL active probing, certutil enumeration, and curl/wget querying CT databases. Each category that matches contributes one point to a suspicion score used for analyst prioritisation; the case() statement keeps the first matching category, so an event that is both a CT service query and a curl invocation is labelled CTLogQuery with a score of 2. The tool-name and service-name lists match on substrings of the lower-cased image path and command line, so the image alone is not enough for script-based tools such as testssl.sh (which run under bash) and the command line is checked as well. Low confidence reflects the pre-compromise nature of this technique (Reconnaissance tactic): most adversary activity occurs outside victim infrastructure, making endpoint detection a secondary signal applicable to insider threats, post-compromise reconnaissance, or authorized penetration tests.
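The scoring logic of the query, re-implemented in Python as an added example so the five categories can be exercised offline before the SPL is deployed. This is not Splunk code and not the page's own tooling: the Sysmon records, hostnames and account names below are constructed for the example, and the user allowlist is a hypothetical tuning knob (for the service-account false positives listed later on this page) that the SPL above does not have.

```python
"""Added example: the five-category scoring of the SPL query, run over
constructed Sysmon Event ID 1 records (fields named as Splunk presents them)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Patterns follow the SPL match() calls. Inputs are lower-cased first, exactly
# as the query does with lower(Image) and lower(CommandLine). "zgrab" also
# covers zgrab2, and "-url" also covers -urlcache.
CERT_TOOL = re.compile(r"sslyze|sslscan|testssl|tlsx|certgraph|tlsprobe|zgrab|ctfr")
CT_SERVICES = re.compile(
    r"crt\.sh|censys\.io|shodan\.io|certspotter\.com|sslshopper\.com|"
    r"ct\.googleapis\.com|certdb\.com|sslmate\.com|ctsearch\.entrust\.com")
OPENSSL_ARGS = re.compile(r"s_client|x509|-connect|verify")
CERTUTIL_IMG = re.compile(r"certutil\.exe")
CERTUTIL_ARGS = re.compile(r"-dump|-verify|-store|-url")
CURL_IMG = re.compile(r"curl|wget")
CURL_CT = re.compile(r"crt\.sh|censys|certspotter|shodan")

# Order matters: like the SPL case(), the first category that fired is reported.
CATEGORIES = ("CertEnumTool", "CTLogQuery", "OpenSSLProbe", "CertutilEnum", "CurlCTQuery")


@dataclass
class Verdict:
    host: str
    user: str
    image: str
    flags: Dict[str, int]
    score: int
    category: str


def score_event(event: Dict[str, str]) -> Optional[Verdict]:
    """Score one Sysmon EID 1 record; None means no category fired
    (the equivalent of `| where SuspicionScore > 0`)."""
    img = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    flags = {
        "CertEnumTool": int(bool(CERT_TOOL.search(img) or CERT_TOOL.search(cmd))),
        "CTLogQuery": int(bool(CT_SERVICES.search(cmd))),
        "OpenSSLProbe": int(bool("openssl" in img and OPENSSL_ARGS.search(cmd))),
        "CertutilEnum": int(bool(CERTUTIL_IMG.search(img) and CERTUTIL_ARGS.search(cmd))),
        "CurlCTQuery": int(bool(CURL_IMG.search(img) and CURL_CT.search(cmd))),
    }
    score = sum(flags.values())
    if score == 0:
        return None
    category = next(c for c in CATEGORIES if flags[c])
    return Verdict(event.get("host", ""), event.get("User", ""),
                   event.get("Image", ""), flags, score, category)


def run_detection(events: Iterable[Dict[str, str]],
                  allowlisted_users: Iterable[str] = ()) -> List[Verdict]:
    """Score every event, skipping accounts known to run certificate tooling
    (hypothetical tuning; the SPL above has no such allowlist)."""
    allow = {u.lower() for u in allowlisted_users}
    verdicts = []
    for ev in events:
        if ev.get("User", "").lower() in allow:
            continue
        v = score_event(ev)
        if v is not None:
            verdicts.append(v)
    return verdicts


# Constructed Sysmon Event ID 1 records; hosts and accounts are invented.
SAMPLE_EVENTS = [
    {"host": "WS01", "User": "CORP\\svc-certmon", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": 'curl.exe "https://crt.sh/?q=%25.example.com&output=json"'},
    {"host": "WS02", "User": "CORP\\alice", "Image": r"C:\Program Files\Git\usr\bin\openssl.exe",
     "CommandLine": "openssl s_client -connect www.example.com:443 -showcerts"},
    {"host": "WS03", "User": "CORP\\bob", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -store My"},
    {"host": "WS02", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command \"Invoke-RestMethod "
                    "'https://crt.sh/?q=%25.example.com&output=json'\""},
    {"host": "WS04", "User": "CORP\\pentest", "Image": r"C:\Tools\sslscan.exe",
     "CommandLine": "sslscan --show-certificate www.example.com"},
    {"host": "WS02", "User": "CORP\\alice", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for v in run_detection(SAMPLE_EVENTS):
        print(f"{v.host:5} {v.user:18} score={v.score} {v.category:13} {v.image}")
```

The curl record scores 2 (CTLogQuery and CurlCTQuery) but is reported as CTLogQuery, the PowerShell record scores 1 because only the service-name list sees it, and the notepad record is dropped, which is the behaviour the SPL produces for the same command lines.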

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Security team running TLS vulnerability assessments using sslyze or sslscan against internal or external infrastructure
  • DevSecOps certificate monitoring pipelines querying crt.sh or CertSpotter APIs to track the organization's certificate inventory
  • Network engineers using openssl s_client for TLS debugging, cipher negotiation testing, or certificate chain validation
  • Automated certificate renewal tools (Certbot, ACME clients) performing certificate transparency or CA verification checks
  • Authorized penetration testers performing external attack surface mapping including certificate reconnaissance
  • certutil -urlcache (and -url) matches the CertutilEnum pattern but is the well-known file-download use of certutil, not certificate enumeration; triage such hits under ingress tool transfer rather than reconnaissance
  • openssl x509 and openssl verify run against local files (build pipelines, certificate deployment scripts) match the OpenSSLProbe pattern without any network probing; look for -connect or a Sysmon Event ID 3 from the same process before treating a hit as active reconnaissance


Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Certificate Transparency Log Query via crt.sh API

    Expected signal: Sysmon Event ID 1: Process Create for curl with CommandLine containing 'crt.sh' and wildcard domain query parameter. Sysmon Event ID 3: Outbound network connection from curl process to crt.sh IP on port 443. Sysmon Event ID 22: DNS query for 'crt.sh'. Proxy logs: HTTPS GET request to crt.sh with query string containing target domain.

  2. Test 2: OpenSSL Active Certificate Inspection via s_client

    Expected signal: Sysmon Event ID 1: Process Create for openssl with CommandLine containing 's_client -connect'. Sysmon Event ID 3: Outbound network connection from openssl process to target IP on port 443. Sysmon Event ID 22: DNS query for target hostname. Certificate SAN entries and organization details captured in process standard output.

  3. Test 3: PowerShell Certificate Transparency Enumeration via REST API

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-RestMethod' and 'crt.sh'. Sysmon Event ID 3: Outbound connection from powershell.exe to crt.sh on port 443. Sysmon Event ID 22: DNS query for 'crt.sh'. PowerShell ScriptBlock Log Event ID 4104 recording the full script with target domain.

  4. Test 4: Certutil Local Certificate Store Enumeration

    Expected signal: Sysmon Event ID 1: Three sequential Process Create events for certutil.exe with CommandLine containing '-store My', '-store Root', and '-store CA'. Security Event ID 4688 (if command line auditing enabled) recording the certutil invocations. No network connections generated for local store queries. Output reveals internal CA names and certificate subjects.
