title: Install Digital Certificate (T1608.003)
id: df00tech-t1608-003
status: experimental
description: >-
  Adversaries may install SSL/TLS certificates on infrastructure they control, whether acquired or
  compromised, to encrypt command-and-control traffic, lend credibility to credential-harvesting
  sites, or enable adversary-in-the-middle (AiTM) operations. Because installation happens entirely
  on adversary infrastructure, it produces no telemetry inside the victim environment. Sea Turtle
  (G1041) exemplifies the technique: the group captured legitimate SSL certificates from victim
  organizations and installed them on attacker-controlled servers so that traffic redirected there
  by hijacked DNS records could be intercepted without triggering certificate warnings. Detection
  therefore has to rely on downstream signals: TLS certificate anomalies (self-signed certificates,
  hostname/SAN mismatches, untrusted issuers) observed by proxy or NGFW TLS inspection when victim
  systems connect to adversary infrastructure, email security alerts for HTTPS phishing URLs, and
  certificate transparency (CT) log monitoring for adversary-registered domains.
references:
  - https://attack.mitre.org/techniques/T1608/003/
  - https://df00tech.com/detections/T1608.003
author: df00tech
date: 2026/03/13
tags:
  - attack.t1608.003
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The description names proxy/NGFW TLS inspection as the data source; the Windows
# network_connection category carries no certificate fields, so the category is set to
# proxy here. Map it to whatever source holds your TLS-inspection records.
logsource:
  category: proxy
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder that matches EVERY event in the logsource.
  # Do not deploy it as-is; replace it with the certificate-anomaly fields
  # (self-signed, hostname/SAN mismatch, untrusted issuer) exposed by your proxy/NGFW.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Internal development, test, or lab environments using self-signed certificates for services that should not be exposed externally but are reachable via proxy"
  - "Legacy applications with hardcoded certificate subjects that no longer match the current hostname following a server rename or migration"
  - "Internal Certificate Authorities (CAs) whose root certificates were not imported into the monitoring infrastructure, causing valid internal certificates to appear untrusted or self-signed"
  - "CDN providers (Cloudflare, Akamai, Fastly) presenting wildcard certificates where the wildcard CN does not literally equal the subdomain being accessed; this only fires when the monitoring compares names as plain strings instead of applying RFC 6125 wildcard matching"
  - "VPN concentrators, reverse proxies, or internal load balancers presenting a shared certificate that does not match every individual backend hostname"
level: medium
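The rule above leaves the selection as a placeholder, so the following script shows the certificate-anomaly logic its description calls for, run over constructed proxy TLS-inspection records. It is an added example, not df00tech's KQL/SPL query or any vendor's log format: the key=value fields (host, subject_cn, subject_san, issuer, chain_ok), the sample lines and the internal-CA allowlist are all assumptions for illustration. It implements the three checks the false-positive list cares about: RFC 6125 single-label wildcard matching (so a CDN wildcard is not flagged but a sub-subdomain is), an allowlist of internal issuing CAs (so a missing internal root does not produce alerts), and self-signed detection by comparing issuer to subject.

```python
"""Flag TLS certificate anomalies in proxy/NGFW TLS-inspection logs.

Added example for the T1608.003 rule; not df00tech's query. The log format,
field names, issuer strings and sample lines below are constructed.
"""
import shlex

# Constructed sample records (not real telemetry). Space-separated key=value
# pairs; multi-valued SANs are comma-separated; chain_ok is what the
# inspecting proxy reported for chain validation (1 = validated).
SAMPLE_LOGS = [
    # CDN wildcard: *.cdn.example.net legitimately covers assets.cdn.example.net
    'host=assets.cdn.example.net subject_cn=*.cdn.example.net '
    'subject_san=*.cdn.example.net,cdn.example.net issuer="Public CA G2" chain_ok=1',
    # Internal service signed by the corp CA; the proxy lacks the corp root
    'host=git.corp.internal subject_cn=git.corp.internal subject_san=git.corp.internal '
    'issuer="Corp Internal Issuing CA" chain_ok=0',
    # Phishing-style host: name not covered by the cert, and issuer == subject
    'host=login-mail.example.com subject_cn=mail.example.com subject_san=mail.example.com '
    'issuer=mail.example.com chain_ok=0',
    # A wildcard covers exactly one label, so a.b.example.org is NOT covered
    'host=a.b.example.org subject_cn=*.example.org subject_san=*.example.org '
    'issuer="Public CA G2" chain_ok=1',
]

# Assumption: issuers of your own internal CAs. Certificates from these are
# not flagged merely because the inspector could not build a chain for them.
TRUSTED_INTERNAL_ISSUERS = {"Corp Internal Issuing CA"}


def parse_line(line: str) -> dict:
    """Parse one key=value record; SANs become a list, chain_ok a bool."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line))
    fields["subject_san"] = [n for n in fields.get("subject_san", "").split(",") if n]
    fields["chain_ok"] = fields.get("chain_ok") == "1"
    return fields


def name_matches(host: str, pattern: str) -> bool:
    """RFC 6125 style match: '*.' covers exactly one leftmost DNS label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]  # "*.example.org" -> ".example.org"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    # Reject the bare domain (empty label) and multi-label prefixes.
    return bool(leftmost) and "." not in leftmost


def evaluate(rec: dict, trusted_internal=TRUSTED_INTERNAL_ISSUERS) -> list:
    """Return the anomaly names a single record triggers, in fixed order."""
    findings = []
    names = set(rec["subject_san"]) | {rec["subject_cn"]}
    if not any(name_matches(rec["host"], n) for n in names):
        findings.append("hostname_mismatch")
    if rec["issuer"] == rec["subject_cn"]:
        findings.append("self_signed")
    elif not rec["chain_ok"] and rec["issuer"] not in trusted_internal:
        findings.append("untrusted_chain")
    return findings


def scan(lines, trusted_internal=TRUSTED_INTERNAL_ISSUERS) -> dict:
    """Map host -> findings for every record that produced at least one finding."""
    results = {}
    for line in lines:
        rec = parse_line(line)
        findings = evaluate(rec, trusted_internal)
        if findings:
            results[rec["host"]] = findings
    return results


if __name__ == "__main__":
    for host, findings in scan(SAMPLE_LOGS).items():
        print(f"{host}: {', '.join(findings)}")
```

Run against the constructed records, only the phishing-style host (hostname mismatch plus self-signed) and the sub-subdomain case (hostname mismatch) are reported; the CDN wildcard and the internal-CA service are not, which is the behaviour the false-positive list asks for. Remove the internal issuer from the allowlist and the internal service is reported as an untrusted chain instead.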
