title: Digital Certificates (T1596.003)
id: df00tech-t1596-003
status: experimental
description: "Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by certificate authorities (CAs) to cryptographically verify the origin of signed content. Certificates used for encrypted web traffic (HTTPS/TLS) contain registered organization details including name, location, and infrastructure hostnames. Threat actors leverage certificate transparency (CT) logs, public databases (crt.sh, Censys, Shodan), and active TLS probing to enumerate an organization's certificate inventory — revealing subdomains, internal hostnames leaked via Subject Alternative Name (SAN) entries, certificate expiry windows for timing attacks, CA relationships, and organizational unit naming conventions. This reconnaissance informs subsequent targeting through subdomain discovery, phishing infrastructure construction mimicking legitimate certificates, and identification of expired or misconfigured certificates as initial access vectors. Because this technique primarily occurs on adversary-controlled infrastructure outside the victim network, detection is constrained to identifying the activity when performed from monitored endpoints (insider threat, post-compromise recon, or authorized red team)."
references:
  - https://attack.mitre.org/techniques/T1596/003/
  - https://df00tech.com/detections/T1596.003
author: df00tech
date: 2026/03/13
tags:
  - attack.t1596.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Security team running TLS vulnerability assessments or certificate audits using sslyze, sslscan, or testssl.sh against internal or external infrastructure"
  - "DevSecOps pipelines querying crt.sh or CertSpotter APIs to monitor the organization's own certificate inventory for expiring, unauthorized, or mis-issued certificates"
  - "Network engineers using openssl s_client for TLS debugging, cipher suite negotiation verification, or certificate chain validation during incident response"
  - "Automated certificate monitoring or renewal tools (Certbot, ACME clients, internal PKI management scripts) performing certificate transparency checks or CA API queries"
  - Penetration testers on authorized engagements performing external attack surface mapping that includes certificate reconnaissance
level: medium