MITRE ATT&CK® Data Component

DC0093: Certificate Registration

Certificate Registration refers to the collection and analysis of information about digital certificates, including current, revoked, and expired certificates. Sources such as Certificate Transparency logs and other public resources provide visibility into certificates issued for specific domains or organizations. Monitoring certificate registrations can help identify potential misuse, such as unauthorized certificates or signs of adversary reconnaissance. Examples:

- Certificate Transparency Logs: These logs record the issuance of SSL/TLS certificates by trusted Certificate Authorities (CAs). - Revoked Certificates: Information about certificates that have been invalidated before their expiration date. - Expired Certificates: Reports of expired certificates for a domain, which may indicate lax security practices or opportunities for adversaries to exploit expired credentials. - Domain Monitoring for Certificates: Maps SSL/TLS certificates to domains and subdomains, helping to identify any rogue certificates. - Public Certificate Directories: Services providing APIs to query issued certificates for analysis.

This data component can be collected through the following measures:

Use Certificate Transparency Monitors

- Tools like crt.sh, CertStream, or APIs provided by certificate authorities (CAs) allow you to monitor issued certificates in real-time. - Example: Use CertStream to stream certificate issuance logs and filter for domains of interest.

Analyze Certificate Revocation Sources

- Monitor CRLs or query OCSP responders to detect revoked certificates. - Configure tools like OpenSSL or browsers to validate certificate revocation status automatically.

Leverage Public Scanning Tools

- Use tools such as SSL Labs, Censys, or Shodan to scan for certificate details related to your domain or network.

Automate Certificate Monitoring

- Set up automated scripts or services to parse Certificate Transparency logs for anomalies. - Example: Automate searches on crt.sh to identify certificates issued for typo-squatted domains.

Integrate with Threat Intelligence

- Enrich certificate data with threat intelligence feeds to detect connections to known adversary-controlled infrastructure. - Tools like VirusTotal can identify malicious certificates based on associated indicators.

EnterpriseDC0093Data ComponentObject v2.0 Modified Oct 21, 2025, 15:10 UTC (UTC+00:00)

Discuss defensive coverage Back to ATT&CK

Certificate Registration is a visibility source for knowing what digital certificates exist for an organization’s domains, including newly issued, revoked, and expired certificates. For leaders, its value is early awareness: unexpected certificates, typo-squatted domain certificates, or neglected expired/revoked certificate signals can indicate brand abuse, weak certificate governance, or infrastructure that needs investigation before it affects trust, availability, or incident response decisions.

Executive priority

Treat certificate registration monitoring as part of external attack surface governance and evidence for security hygiene. Executives should ask whether the organization can quickly identify certificates issued for its domains and lookalike domains, verify revocation and expiration status, and escalate suspicious findings to SOC, incident response, or domain management owners. This supports operational resilience, audit/compliance evidence around certificate management, and prioritization of controls for public-facing services and brand protection.

Technical view

SOC, detection engineering, threat intelligence, and IR teams should validate whether Certificate Transparency logs, certificate revocation sources, public certificate directories, and public scanning services are being collected or queried for domains of interest. Because no ATT&CK detection text, tactics, platforms, or relationships are supplied, coverage should be framed as monitoring and enrichment rather than technique-specific detection. Practical validation should focus on alerting for unexpected certificate issuance, certificates for typo-squatted or unauthorized domains, revoked or expired certificates tied to organizational assets, and certificate metadata that links to suspicious infrastructure through approved threat intelligence enrichment.

Likely telemetry

Certificate Transparency log entries for organizational domains and relevant lookalike domains
Certificate Authority issuance metadata for SSL/TLS certificates
Certificate revocation information from CRLs or OCSP responders
Expired certificate reports for organizational domains
Public certificate directory/API results such as certificate-to-domain and subdomain mappings

Detection direction

Confirm the monitored domain list is complete, including subsidiaries, brands, critical services, and likely typo-squatting patterns where appropriate.
Tune alerts for newly issued certificates that do not match known certificate authorities, expected naming patterns, approved owners, or asset inventory records.
Review revoked and expired certificate findings separately: they may indicate operational hygiene issues, abandoned infrastructure, or investigation leads, but can also generate benign noise.
Correlate certificate findings with asset inventory, domain ownership records, and threat intelligence before escalating as suspicious.
Account for blind spots: public logs and public scanning may not reflect complete internal certificate use, and ATT&CK provides no platform-specific detection guidance for this data component.

Mitigation priorities

Establish ownership for certificate inventory, domain monitoring, revocation review, and expiration management.
Automate monitoring of Certificate Transparency logs and public certificate sources for domains of interest.
Maintain an approved certificate authority and certificate owner baseline to support triage of unexpected issuance.
Integrate certificate findings with asset inventory, threat intelligence, and incident response workflows.
Use recurring review of expired and revoked certificates as evidence for certificate lifecycle governance and compliance readiness.

Analyst notes and limits

This object is a data component, not a technique, and has no supplied tactics, platforms, detection text, or relationship context. The strongest use is as an external visibility and enrichment source for certificate governance, threat intelligence, SOC triage, and incident response readiness. Local domain inventory quality will largely determine whether monitoring produces actionable findings or excessive noise.

The supplied ATT&CK fields do not support claims about specific adversaries, active exploitation, affected platforms, or guaranteed detection outcomes. Public certificate sources may be incomplete for some local governance questions, and suspicious certificate registration requires validation against organizational ownership, certificate authority records, and asset context.

Official MITRE ATT&CK definition

Certificate Registration

This data component can be collected through the following measures:

Use Certificate Transparency Monitors

Analyze Certificate Revocation Sources

- Monitor CRLs or query OCSP responders to detect revoked certificates. - Configure tools like OpenSSL or browsers to validate certificate revocation status automatically.

Leverage Public Scanning Tools

- Use tools such as SSL Labs, Censys, or Shodan to scan for certificate details related to your domain or network.

Automate Certificate Monitoring

- Set up automated scripts or services to parse Certificate Transparency logs for anomalies. - Example: Automate searches on crt.sh to identify certificates issued for typo-squatted domains.

Integrate with Threat Intelligence

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.0
Created: Oct 20, 2021, 15:05 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 82c3c821ada3a2f2...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	2.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`82c3c821ada3…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack DC0093
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use