T1608.003 Microsoft Sentinel · KQL

Detect Install Digital Certificate in Microsoft Sentinel

Adversaries may install SSL/TLS certificates on infrastructure they control — whether acquired or compromised — to encrypt command-and-control traffic, lend credibility to credential harvesting sites, or enable adversary-in-the-middle operations. Certificate installation occurs entirely on adversary infrastructure and produces no telemetry within the victim environment. Sea Turtle (G1041) exemplifies this technique by capturing legitimate SSL certificates from victim organizations and installing them on attacker-controlled servers to conduct adversary-in-the-middle attacks against DNS infrastructure. Detection must rely on downstream signals: TLS certificate anomalies observed when victim systems connect to adversary infrastructure via proxy or NGFW TLS inspection, email security alerts for HTTPS phishing URLs, and certificate transparency (CT) log monitoring for adversary-registered domains.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1608 Stage Capabilities
Sub-technique
T1608.003 Install Digital Certificate
Canonical reference
https://attack.mitre.org/techniques/T1608/003/

KQL Detection Query

Microsoft Sentinel (KQL)
// T1608.003 — Install Digital Certificate
// Detects suspicious TLS certificate properties via proxy/NGFW TLS inspection (CommonSecurityLog)
// Requires: TLS/SSL inspection enabled on NGFW or forward proxy
let LookbackPeriod = 24h;
let WeakCNValues = dynamic(["localhost", "example.com", "test", "temp", "staging-", "*.invalid", "default"]);
// Analyze TLS certificate properties in NGFW/proxy logs
CommonSecurityLog
| where TimeGenerated > ago(LookbackPeriod)
| where DeviceAction !in~ ("deny", "block", "drop", "reset", "reset-both", "Reset-Server", "Reset-Client")
| where DestinationPort in (443, 8443, 4443, 10443)
// Extract TLS fields — naming varies by vendor (Palo Alto, Check Point, Fortinet, Cisco)
| extend TLSSubject = coalesce(
    extract(@"(?i)ssl-subject=([^;|\r\n]+)", 1, AdditionalExtensions),
    extract(@"(?i)cn=([^,/;|\r\n]+)", 1, AdditionalExtensions),
    DeviceCustomString3
)
| extend TLSIssuer = coalesce(
    extract(@"(?i)ssl-issuer=([^;|\r\n]+)", 1, AdditionalExtensions),
    extract(@"(?i)issuer-cn=([^,/;|\r\n]+)", 1, AdditionalExtensions),
    DeviceCustomString4
)
| where isnotempty(TLSSubject) or isnotempty(TLSIssuer)
// Indicator 1: Self-signed certificate — issuer equals subject, highest adversary infra signal
| extend IsSelfSigned = isnotempty(TLSSubject) and isnotempty(TLSIssuer) and (TLSSubject =~ TLSIssuer)
// Indicator 2: Certificate CN does not match destination hostname — certificate reuse or misconfigured stolen cert
// Strip an optional "CN=" prefix and a "*." wildcard label so the CN compares as a bare domain suffix
| extend IsHostnameMismatch = isnotempty(DestinationHostName) and isnotempty(TLSSubject)
    and not(DestinationHostName endswith replace_regex(TLSSubject, @"(?i)^(cn=)?(\*\.)?", ""))
    and not(TLSSubject has DestinationHostName)
// Indicator 3: Generic or placeholder certificate CN — quickly generated adversary certs
| extend HasWeakCN = TLSSubject has_any (WeakCNValues)
// Score: self-signed highest risk (3), mismatch and weak CN moderate (2 each)
| extend CertRiskScore = toint(IsSelfSigned) * 3 + toint(IsHostnameMismatch) * 2 + toint(HasWeakCN) * 2
| where CertRiskScore > 1
| extend RiskLevel = case(
    CertRiskScore >= 5, "High",
    CertRiskScore >= 3, "Medium",
    "Low"
)
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, DestinationPort,
         TLSSubject, TLSIssuer,
         IsSelfSigned, IsHostnameMismatch, HasWeakCN,
         CertRiskScore, RiskLevel, DeviceVendor, DeviceAction
| sort by CertRiskScore desc, TimeGenerated desc
Severity: Medium · Confidence: Low

Detects suspicious TLS certificate properties in outbound HTTPS connections using proxy and NGFW logs ingested via CommonSecurityLog. Scores three certificate anomaly indicators: self-signed certificates (issuer matches subject — 3 points, highest risk), hostname mismatches between certificate CN and destination hostname (2 points, indicating reused or stolen certificates), and generic or placeholder certificate subjects (2 points, indicating hastily generated adversary infrastructure). Only events scoring above 1 are surfaced. Requires TLS inspection (SSL decryption) to be enabled on the network security device feeding CommonSecurityLog.
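The same three indicators and 3/2/2 scoring, re-implemented in Python over constructed CEF-style records so the rule's logic can be exercised offline before it is deployed. This is an added example, not the page's KQL or any vendor's output; the hostnames, certificate subjects and the `has_term` approximation of KQL `has` are assumptions.

```python
import re

# Constructed proxy/NGFW records (DestinationHostName, AdditionalExtensions); sample data, not real telemetry.
SAMPLE_EVENTS = [
    ("portal.contoso.com", "ssl-subject=CN=portal.contoso.com;ssl-issuer=CN=Contoso Public CA"),
    ("203.0.113.10", "ssl-subject=CN=localhost;ssl-issuer=CN=localhost"),
    ("api.fabrikam.net", "ssl-subject=CN=*.contoso.org;ssl-issuer=CN=Contoso Public CA"),
    ("cdn.contoso.com", "ssl-subject=CN=*.contoso.com;ssl-issuer=CN=Contoso Public CA"),
    ("vpn.contoso.com", "cn=vpn.contoso.com/o=Contoso, issuer-cn=vpn.contoso.com"),
]
WEAK_CN_VALUES = ["localhost", "example.com", "test", "temp", "staging-", "*.invalid", "default"]
SUBJECT_PATTERNS = [r"ssl-subject=([^;|\r\n]+)", r"cn=([^,/;|\r\n]+)"]
ISSUER_PATTERNS = [r"ssl-issuer=([^;|\r\n]+)", r"issuer-cn=([^,/;|\r\n]+)"]

def extract_first(ext, patterns):
    """Mirror coalesce(extract(...), extract(...)): the first vendor pattern that matches wins."""
    for pat in patterns:
        m = re.search(pat, ext, re.I)
        if m:
            return m.group(1).strip()
    return ""

def has_term(text, term):
    """Approximate KQL `has`: case-insensitive, bounded by non-alphanumerics (assumption)."""
    pat = re.escape(term)
    if term[0].isalnum():
        pat = r"(?<![a-z0-9])" + pat
    if term[-1].isalnum():
        pat += r"(?![a-z0-9])"
    return re.search(pat, text, re.I) is not None

def score_certificate(host, ext):
    """Compute the three indicators and the 3/2/2 risk score for one record."""
    subject = extract_first(ext, SUBJECT_PATTERNS)
    issuer = extract_first(ext, ISSUER_PATTERNS)
    self_signed = bool(subject and issuer) and subject.lower() == issuer.lower()  # Indicator 1
    bare_cn = re.sub(r"(?i)^(cn=)?(\*\.)?", "", subject)  # drop "CN=" and a "*." wildcard prefix
    mismatch = bool(host and subject) and not (  # Indicator 2
        host.lower().endswith(bare_cn.lower()) or has_term(subject, host))
    weak_cn = any(has_term(subject, w) for w in WEAK_CN_VALUES)  # Indicator 3
    score = 3 * self_signed + 2 * mismatch + 2 * weak_cn
    level = "High" if score >= 5 else "Medium" if score >= 3 else "Low"
    return {"host": host, "subject": subject, "issuer": issuer, "self_signed": self_signed,
            "mismatch": mismatch, "weak_cn": weak_cn, "score": score, "level": level}

def run_detection(events=SAMPLE_EVENTS):
    """Apply `where CertRiskScore > 1` and sort by score descending, as the KQL does."""
    results = [score_certificate(h, e) for h, e in events]
    return sorted((r for r in results if r["score"] > 1), key=lambda r: -r["score"])
```

Calling `run_detection()` on the sample surfaces three of the five records (scored 7 High, 3 Medium, 2 Low); the exact-match and wildcard contoso.com records fall below the threshold, which is the CDN wildcard case the tuning notes describe.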

Data Sources

  • Network Traffic: Network Traffic Content
  • Network Traffic: Network Traffic Flow
  • Application Log: Application Log Content

Required Tables

CommonSecurityLog

False Positives & Tuning

  • Internal development, test, or lab environments using self-signed certificates for services that should not be exposed externally but are reachable via proxy
  • Legacy applications with hardcoded certificate subjects that no longer match the current hostname following a server rename or migration
  • Internal Certificate Authorities (CAs) whose root certificates were not imported into the monitoring infrastructure, causing valid internal certificates to appear self-signed
  • CDN providers (Cloudflare, Akamai, Fastly) presenting wildcard certificates where the wildcard CN does not exactly match the specific subdomain being accessed
  • VPN concentrators, reverse proxies, or internal load balancers presenting a shared certificate that does not match every individual backend hostname

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Generate and Install Self-Signed TLS Certificate on Nginx (Linux)

    Expected signal: Linux auditd: execve syscall for /usr/bin/openssl with arguments 'req', '-x509', '-newkey', '-subj'. Syslog: process creation entry for openssl invocation. File system: file creation events for /tmp/adversary-cert.pem and /tmp/adversary-key.pem (auditd OPEN+WRITE syscalls if -w /tmp -p wa rule is active). No network events during generation; network events occur when the cert is later served to connecting clients.

  2. Test 2: Obtain Free TLS Certificate via certbot Dry Run (Let's Encrypt ACME)

    Expected signal: Process creation events for 'certbot' with 'certonly --standalone --dry-run' arguments (auditd execve, Sysmon EventID 1 on Linux). Outbound TCP connections to Let's Encrypt ACME staging servers (acme-staging-v02.api.letsencrypt.org, port 443) and to port 80 on the local machine for HTTP-01 challenge validation. Socket binding event for port 80 (standalone mode binds to :80 to serve challenge). If auditd has -a network rules, connection events to Let's Encrypt IP ranges (66.133.109.0/24).

  3. Test 3: Install Self-Signed Certificate on Windows IIS via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with 'New-SelfSignedCertificate' and 'DnsName' in CommandLine. PowerShell ScriptBlock Logging Event ID 4104 with full certificate creation command. Windows Security Event ID 4886 (Certificate Services received a certificate request) if Certificate Services is running. Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational log Event ID 1006 (Certificate enrolled) for the new certificate. Registry modification to HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\<thumbprint>.

  4. Test 4: Extract Certificate from Live Site (Sea Turtle Capture TTP)

    Expected signal: Sysmon Event ID 3 (Linux via Sysmon for Linux) or auditd network connection event: outbound TCP to example.com:443 from openssl process. Process creation events for 'openssl s_client' with '-connect' argument. File creation event for /tmp/captured-cert.pem. If base64 encoding and file write occur, additional file creation event for the encoded output. Auditd rule 'auditctl -a exit,always -F arch=b64 -S execve -F exe=/usr/bin/openssl -k openssl_tls_connect' captures the connection.
