title: Digital Certificates (T1587.003)
id: df00tech-t1587-003
status: experimental
description: "Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust and include the public key, the owner's identity, and a digital signature from a verifying entity. A self-signed certificate lacks third-party CA trust but still works for encrypting traffic. Adversaries create self-signed certificates to encrypt C2 communications (as seen with APT29/WellMess using mutual TLS authentication), to enable adversary-in-the-middle attacks if the certificate is installed as a trusted root, or to impersonate legitimate services. PROMETHIUM used self-signed certificates for HTTPS C2, Gamaredon Group reused the same TLS certificate across infrastructure clusters, and Storm-0501 spoofed a 'Microsoft IT TLS CA 5' self-signed certificate. Certificate creation itself usually happens on adversary infrastructure, so detection must focus on observable side-effects: certificate generation tool execution on compromised hosts, suspicious certificate store modifications, and network TLS connections bearing anomalous certificate properties (self-signed issuers, mimicked CA names, one certificate reused across many servers)."
references:
  - https://attack.mitre.org/techniques/T1587/003/
  - https://df00tech.com/detections/T1587.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1587.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The auto-generated placeholder (EventID: '*') matched every process start. These
  # selections cover the host side-effects the description names; the KQL/SPL on df00tech is canonical.
  selection_generate:
    CommandLine|contains:
      - '-x509'                      # openssl req -x509 ... (one-shot self-signed cert)
      - 'New-SelfSignedCertificate'  # PowerShell PKI cmdlet
  selection_rootstore:
    Image|endswith: '\certutil.exe'
    CommandLine|contains|all:
      - '-addstore'
      - 'Root'                        # installs into a trusted root store (AiTM precondition)
  condition: 1 of selection_*
falsepositives:
  - Development teams using openssl or New-SelfSignedCertificate to generate local development HTTPS certificates for localhost testing
  - PKI administrators and IT operations staff managing internal certificate authority infrastructure and importing trusted root certificates from enterprise CAs
  - "DevOps pipelines (Jenkins, GitLab CI, GitHub Actions runners on Windows) that generate ephemeral self-signed certificates for containerized test environments"
  - Security penetration testers and red team operators running authorized exercises involving certificate-based C2 simulation
  - "Web server configuration scripts (IIS setup, Nginx automation) that auto-generate self-signed certificates during initial service configuration"
  - "Monitoring and observability agents (Datadog, Elastic Agent) that manage their own TLS certificates for encrypted data shipping"
level: medium
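The side-effects listed in the description, run as detection logic over sample telemetry. This is an added example, not df00tech's KQL/SPL query or the Sigma rule above: it models Windows process-creation events with Sysmon-style Image / CommandLine fields and TLS server-certificate observations with Zeek x509/ssl-style subject / issuer / fingerprint / server IP fields. Those field names, the list of CA names checked for mimicry (seeded from the 'Microsoft IT TLS CA 5' case), the reuse threshold, and every event in the two sample lists are assumptions constructed for the example.

```python
"""Side-effect detection for T1587.003 over constructed sample telemetry.

Added example (not df00tech's query). Field names are assumptions:
process events carry Sysmon-style ProcessId / Image / CommandLine; TLS
observations carry Zeek-style server_ip / fingerprint / subject / issuer.
"""
import re
from collections import defaultdict

# CA names an adversary may borrow for a self-signed "CA"; the description cites a
# spoofed 'Microsoft IT TLS CA 5'. Assumed list, extend per environment.
MIMICKED_CA_NAMES = re.compile(r"microsoft|digicert|let's encrypt|globalsign", re.I)


def match_process_event(event):
    """Return indicator names matched by one process-creation event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    hits = []
    # openssl req -x509: one-shot self-signed certificate generation
    if image.endswith("\\openssl.exe") and re.search(r"\breq\b", cmd) and "-x509" in cmd:
        hits.append("openssl_selfsigned_req")
    # New-SelfSignedCertificate: built-in PowerShell PKI cmdlet
    if "new-selfsignedcertificate" in cmd:
        hits.append("powershell_new_selfsignedcertificate")
    # Writing into a trusted root store is the precondition for the AiTM case
    if image.endswith("\\certutil.exe") and "-addstore" in cmd and re.search(r"\b(auth)?root\b", cmd):
        hits.append("certutil_root_store_import")
    if "import-certificate" in cmd and "\\root" in cmd:
        hits.append("powershell_root_store_import")
    return hits


def check_certificate(obs):
    """Return anomaly labels for one observed server certificate."""
    flags = []
    if obs["subject"] == obs["issuer"]:          # issuer == subject: self-signed
        flags.append("self_signed")
        if MIMICKED_CA_NAMES.search(obs["issuer"]):
            flags.append("spoofed_ca_name")     # self-signed but named like a public CA
    return flags


def certificate_reuse(observations, min_servers=2):
    """Fingerprints served from >= min_servers distinct IPs (cross-cluster reuse)."""
    servers = defaultdict(set)
    for obs in observations:
        servers[obs["fingerprint"]].add(obs["server_ip"])
    return {fp: sorted(ips) for fp, ips in servers.items() if len(ips) >= min_servers}


def detect(process_events, tls_observations):
    """Run both detections; returns findings keyed by ProcessId, server_ip, fingerprint."""
    findings = {"process": {}, "tls": {}, "reuse": {}}
    for ev in process_events:
        hits = match_process_event(ev)
        if hits:
            findings["process"][ev["ProcessId"]] = hits
    for obs in tls_observations:
        flags = check_certificate(obs)
        if flags:
            findings["tls"][obs["server_ip"]] = flags
    findings["reuse"] = certificate_reuse(tls_observations)
    return findings


# Constructed process-creation events (Sysmon Event ID 1 style fields).
SAMPLE_PROCESS_EVENTS = [
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"ProcessId": 1002, "Image": r"C:\Tools\openssl.exe",
     "CommandLine": 'openssl.exe req -x509 -newkey rsa:2048 -nodes -days 365 '
                    '-keyout key.pem -out cert.pem -subj "/CN=cdn.example.test"'},
    {"ProcessId": 1003, "Image": r"C:\Tools\openssl.exe", "CommandLine": "openssl.exe version"},
    {"ProcessId": 1004, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c New-SelfSignedCertificate -DnsName localhost "
                    r"-CertStoreLocation Cert:\LocalMachine\My"},
    {"ProcessId": 1005, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -addstore -f Root C:\Users\Public\ca.cer"},
    {"ProcessId": 1006, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Import-Certificate -FilePath C:\Users\Public\ca.cer "
                    r"-CertStoreLocation Cert:\LocalMachine\Root"},
]

# Constructed TLS certificate observations (Zeek x509/ssl style fields).
SAMPLE_TLS_OBSERVATIONS = [
    {"server_ip": "203.0.113.10", "fingerprint": "aa11",
     "subject": "CN=Microsoft IT TLS CA 5", "issuer": "CN=Microsoft IT TLS CA 5"},
    {"server_ip": "203.0.113.20", "fingerprint": "bb22", "subject": "CN=localhost", "issuer": "CN=localhost"},
    {"server_ip": "203.0.113.21", "fingerprint": "bb22", "subject": "CN=localhost", "issuer": "CN=localhost"},
    {"server_ip": "203.0.113.30", "fingerprint": "cc33",
     "subject": "CN=www.example.test", "issuer": "CN=R3, O=Let's Encrypt, C=US"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(detect(SAMPLE_PROCESS_EVENTS, SAMPLE_TLS_OBSERVATIONS), indent=2))
```

The process matches correspond to the falsepositives list above (development openssl runs, PKI staff importing enterprise roots), so in practice each hit is scored against the parent process and the user context before alerting; the certificate-reuse check is the one indicator among these that a legitimate deployment rarely trips, because real services do not share one self-signed certificate across unrelated hosts.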
