T1608.003 Install Digital Certificate Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1608.003 — Install Digital Certificate
// Detects suspicious TLS certificate properties via proxy/NGFW TLS inspection (CommonSecurityLog)
// Requires: TLS/SSL inspection enabled on NGFW or forward proxy
let LookbackPeriod = 24h;
let WeakCNValues = dynamic(["localhost", "example.com", "test", "temp", "staging-", "*.invalid", "default"]);
// Analyze TLS certificate properties in NGFW/proxy logs
CommonSecurityLog
| where TimeGenerated > ago(LookbackPeriod)
| where DeviceAction !in~ ("deny", "block", "drop", "reset", "reset-both", "Reset-Server", "Reset-Client")
| where DestinationPort in (443, 8443, 4443, 10443)
// Extract TLS fields — naming varies by vendor (Palo Alto, Check Point, Fortinet, Cisco)
| extend TLSSubject = coalesce(
    extract(@"(?i)ssl-subject=([^;|\r\n]+)", 1, AdditionalExtensions),
    extract(@"(?i)cn=([^,/;|\r\n]+)", 1, AdditionalExtensions),
    DeviceCustomString3
)
| extend TLSIssuer = coalesce(
    extract(@"(?i)ssl-issuer=([^;|\r\n]+)", 1, AdditionalExtensions),
    extract(@"(?i)issuer-cn=([^,/;|\r\n]+)", 1, AdditionalExtensions),
    DeviceCustomString4
)
| where isnotempty(TLSSubject) or isnotempty(TLSIssuer)
// Indicator 1: Self-signed certificate — issuer equals subject, highest adversary infra signal
| extend IsSelfSigned = isnotempty(TLSSubject) and isnotempty(TLSIssuer) and (TLSSubject =~ TLSIssuer)
// Indicator 2: Certificate CN does not match destination hostname — certificate reuse or misconfigured stolen cert
| extend IsHostnameMismatch = isnotempty(DestinationHostName) and isnotempty(TLSSubject)
    and not(DestinationHostName endswith replace_regex(TLSSubject, @"(?i)^cn=\*?\.", ""))
    and not(TLSSubject has DestinationHostName)
// Indicator 3: Generic or placeholder certificate CN — quickly generated adversary certs
| extend HasWeakCN = TLSSubject has_any (WeakCNValues)
// Score: self-signed highest risk (3), mismatch and weak CN moderate (2 each)
| extend CertRiskScore = toint(IsSelfSigned) * 3 + toint(IsHostnameMismatch) * 2 + toint(HasWeakCN) * 2
| where CertRiskScore > 1
| extend RiskLevel = case(
    CertRiskScore >= 5, "High",
    CertRiskScore >= 3, "Medium",
    "Low"
)
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, DestinationPort,
         TLSSubject, TLSIssuer,
         IsSelfSigned, IsHostnameMismatch, HasWeakCN,
         CertRiskScore, RiskLevel, DeviceVendor, DeviceAction
| sort by CertRiskScore desc, TimeGenerated desc

medium severity low confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Application Log: Application Log Content

Required Tables

CommonSecurityLog

False Positives

Internal development, test, or lab environments using self-signed certificates for services that should not be exposed externally but are reachable via proxy
Legacy applications with hardcoded certificate subjects that no longer match the current hostname following a server rename or migration
Internal Certificate Authorities (CAs) whose root certificates were not imported into the monitoring infrastructure, causing valid internal certificates to appear self-signed
CDN providers (Cloudflare, Akamai, Fastly) presenting wildcard certificates where the wildcard CN does not exactly match the specific subdomain being accessed
VPN concentrators, reverse proxies, or internal load balancers presenting a shared certificate that does not match every individual backend hostname

Splunk

spl

index=network (sourcetype="stream:ssl" OR sourcetype="pan:traffic" OR sourcetype="cisco:asa" OR sourcetype="fortigate_traffic")
  NOT (action="denied" OR action="blocked" OR action="dropped")
| where dest_port IN (443, 8443, 4443)
| eval ssl_subject=coalesce(ssl_subject, ssl_cn, tls_cert_subject, ssl_certificate_subject)
| eval ssl_issuer=coalesce(ssl_issuer, tls_cert_issuer, ssl_cert_issuer, ssl_certificate_issuer)
| where isnotnull(ssl_subject) OR isnotnull(ssl_issuer)
| eval ssl_subject_lower=lower(coalesce(ssl_subject, ""))
| eval ssl_issuer_lower=lower(coalesce(ssl_issuer, ""))
| eval dest_host_lower=lower(coalesce(dest_host, ""))
| eval SelfSignedScore=if(isnotnull(ssl_subject) AND isnotnull(ssl_issuer) AND ssl_subject==ssl_issuer, 3, 0)
| eval WeakCNScore=if(match(ssl_subject_lower, "(localhost|example\.com|\btest\b|\btemp\b|staging-|\.invalid|\bdefault\b)"), 2, 0)
| eval cn_value=replace(replace(ssl_subject_lower, "cn=\*\.", ""), "cn=", "")
| eval MismatchScore=if(len(dest_host_lower)>0 AND len(cn_value)>0 AND NOT like(dest_host_lower, "%".cn_value), 2, 0)
| eval CertRiskScore=SelfSignedScore + WeakCNScore + MismatchScore
| where CertRiskScore > 1
| eval CertRiskLevel=case(CertRiskScore>=5, "High", CertRiskScore>=3, "Medium", 1==1, "Low")
| table _time, src_ip, dest_ip, dest_host, dest_port, ssl_subject, ssl_issuer, SelfSignedScore, WeakCNScore, MismatchScore, CertRiskScore, CertRiskLevel
| sort - CertRiskScore, - _time

medium severity low confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow

Required Sourcetypes

stream:ssl pan:traffic cisco:asa fortigate_traffic

False Positives

Internal test and development servers using self-signed certificates for non-production services accessed via the corporate proxy
Legacy applications with certificate subjects that no longer match current hostnames after infrastructure changes
Internal CAs whose root certificates are not registered in the monitoring platform, causing their issued certificates to appear self-signed
CDN or load balancer configurations presenting wildcard certificates where the CN wildcard does not exactly match the specific subdomain
Security tools and network monitoring appliances performing their own TLS inspection and presenting self-signed interception certificates

Elastic Security (EQL)

eql

any where process.name : ("curl", "wget", "powershell.exe", "certutil.exe", "bitsadmin.exe") and (process.command_line : ("*.bin", "*.exe", "*.dll", "*.ps1", "*.bat", "*.vbs", "*.hta") or network.direction : "egress" and destination.port in (80, 443) and process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe"))

medium severity low confidence

Data Sources

Elastic Endpoint Security Elastic Agent Network Events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-*

False Positives

Internal development, test, or lab environments using self-signed certificates for services that should not be exposed externally but are reachable via proxy
Legacy applications with hardcoded certificate subjects that no longer match the current hostname following a server rename or migration
Internal Certificate Authorities (CAs) whose root certificates were not imported into the monitoring infrastructure, causing valid internal certificates to appear self-signed
CDN providers (Cloudflare, Akamai, Fastly) presenting wildcard certificates where the wildcard CN does not exactly match the specific subdomain being accessed
VPN concentrators, reverse proxies, or internal load balancers presenting a shared certificate that does not match every individual backend hostname

IBM QRadar (AQL)

sql

SELECT sourceip as "SourceIP", destinationip as "DestinationIP", UTF8(payload) as "URL", username as "Username", devicetime as "EventTime", CASE WHEN UTF8(payload) ILIKE '%.exe%' OR UTF8(payload) ILIKE '%.dll%' OR UTF8(payload) ILIKE '%.bin%' THEN 80 WHEN UTF8(payload) ILIKE '%paste%' OR UTF8(payload) ILIKE '%transfer.sh%' OR UTF8(payload) ILIKE '%gofile%' THEN 75 WHEN UTF8(payload) ILIKE '%certutil%' OR UTF8(payload) ILIKE '%bitsadmin%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Proxy', 'Windows', 'Zscaler Internet Access') AND (eventid = 4688 OR destinationport IN (80, 443)) ORDER BY "RiskScore" DESC LAST 24 HOURS

medium severity low confidence

Data Sources

Windows Security Event Log Proxy Zscaler Internet Access

Required Tables

events

False Positives

Internal development, test, or lab environments using self-signed certificates for services that should not be exposed externally but are reachable via proxy
Legacy applications with hardcoded certificate subjects that no longer match the current hostname following a server rename or migration
Internal Certificate Authorities (CAs) whose root certificates were not imported into the monitoring infrastructure, causing valid internal certificates to appear self-signed
CDN providers (Cloudflare, Akamai, Fastly) presenting wildcard certificates where the wildcard CN does not exactly match the specific subdomain being accessed
VPN concentrators, reverse proxies, or internal load balancers presenting a shared certificate that does not match every individual backend hostname

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows OR _sourceCategory=proxy/access | json auto | where (process_name in ("curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe") and (command_line matches "*.exe" or command_line matches "*.dll" or command_line matches "*.bin")) or (url matches "*transfer.sh*" or url matches "*paste.ee*" or url matches "*gofile.io*") | if(matches(process_name, "*certutil*") and matches(command_line, "*urlcache*"), "High", if(matches(url, "*transfer.sh*") or matches(url, "*gofile.io*"), "High", "Medium")) as RiskLevel | count by src_ip, process_name, RiskLevel | sort by count desc

medium severity low confidence

Data Sources

Windows Endpoint Events Proxy Access Logs

Required Tables

endpoint/windows proxy/access

False Positives

Internal development, test, or lab environments using self-signed certificates for services that should not be exposed externally but are reachable via proxy
Legacy applications with hardcoded certificate subjects that no longer match the current hostname following a server rename or migration
Internal Certificate Authorities (CAs) whose root certificates were not imported into the monitoring infrastructure, causing valid internal certificates to appear self-signed
CDN providers (Cloudflare, Akamai, Fastly) presenting wildcard certificates where the wildcard CN does not exactly match the specific subdomain being accessed
VPN concentrators, reverse proxies, or internal load balancers presenting a shared certificate that does not match every individual backend hostname

Google Chronicle / SecOps

yaral

rule detect_stage_capabilities {
  meta:
    author = "Argus"
    description = "Detects staging of capabilities from external infrastructure"
    severity = "HIGH"
    technique = "T1608"
  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    (
      re.regex($e.target.url, `\.(exe|dll|bin|ps1|bat|vbs|hta|sh|elf)($|\?)`) nocase or
      re.regex($e.target.hostname, `transfer\.sh|paste\.ee|gofile\.io|anonfiles|temp\.sh`) nocase
    )
    $e.principal.process.file.full_path != ""
  condition:
    $e
}

medium severity low confidence

Data Sources

Endpoint Telemetry Web Proxy Google Workspace

Required Tables

NETWORK_HTTP PROCESS_LAUNCH FILE_CREATION

False Positives

Internal development, test, or lab environments using self-signed certificates for services that should not be exposed externally but are reachable via proxy
Legacy applications with hardcoded certificate subjects that no longer match the current hostname following a server rename or migration
Internal Certificate Authorities (CAs) whose root certificates were not imported into the monitoring infrastructure, causing valid internal certificates to appear self-signed
CDN providers (Cloudflare, Akamai, Fastly) presenting wildcard certificates where the wildcard CN does not exactly match the specific subdomain being accessed
VPN concentrators, reverse proxies, or internal load balancers presenting a shared certificate that does not match every individual backend hostname

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /certutil|bitsadmin|curl|wget/i
| CommandHistory = /urlcache|transfer|download|http/i
| case {
    CommandHistory = /\.exe|\.dll|\.bin/i | FileType := "Executable";
    CommandHistory = /\.ps1|\.bat|\.vbs/i | FileType := "Script";
    * | FileType := "Other"
  }
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, FileType])

medium severity low confidence

Data Sources

ProcessRollup2 (Falcon sensor) NetworkConnectIP4 (Falcon sensor)

Required Tables

ProcessRollup2 NetworkConnectIP4 DetectionSummaryEvent

False Positives

Internal development, test, or lab environments using self-signed certificates for services that should not be exposed externally but are reachable via proxy
Legacy applications with hardcoded certificate subjects that no longer match the current hostname following a server rename or migration
Internal Certificate Authorities (CAs) whose root certificates were not imported into the monitoring infrastructure, causing valid internal certificates to appear self-signed
CDN providers (Cloudflare, Akamai, Fastly) presenting wildcard certificates where the wildcard CN does not exactly match the specific subdomain being accessed
VPN concentrators, reverse proxies, or internal load balancers presenting a shared certificate that does not match every individual backend hostname

Install Digital Certificate

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections