title: Digital Certificates (T1588.004)
id: df00tech-t1588-004
status: experimental
description: "Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic or enabling Adversary-in-the-Middle attacks if the certificate is trusted or added to the root of trust. Free certificate authorities (e.g., Let's Encrypt) enable adversaries to acquire certificates at no cost. Compromised certificate authority infrastructure (e.g., DigiNotar) allows issuance of fraudulent certificates for any domain. After obtaining a digital certificate, an adversary may install it on infrastructure under their control to legitimize malicious communications."
references:
  - https://attack.mitre.org/techniques/T1588/004/
  - https://df00tech.com/detections/T1588.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1588.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Enterprise software deployments pushing corporate root CA certificates via SCCM, Intune, or GPO — msiexec.exe or specific application installers will modify certificate stores during installation"
  - "Browser auto-updates (Chrome, Edge, Firefox) that maintain bundled root certificate programs and refresh them via their update processes"
  - "VPN client software and SSL inspection proxy agents (Zscaler, Netskope, Blue Coat) installing their TLS inspection root certificates during agent deployment"
  - "Security products (EDR agents, DLP tools) that install their own root CAs for local HTTPS inspection during initial endpoint enrollment"
level: high