MITRE ATT&CK® Analytic

AN1972: Analytic 1972

Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.[1] Detection efforts may be focused on related behaviors, such as Web Protocols or Asymmetric Cryptography.

Enterprise · AN1972 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about using Internet-wide certificate information as threat intelligence, not endpoint detection. For leaders, the value is infrastructure discovery: TLS/SSL certificate reuse or shared certificate attributes can help uncover related external infrastructure before or during an investigation. It is most useful as a pre-compromise enrichment and hunting aid, especially when paired with monitoring for web protocols or encrypted communications.

Executive priority

Prioritize this where investigations, threat intelligence, or exposure management depend on finding related domains, hosts, or services quickly. The business decision is whether the organization has access to certificate intelligence and a repeatable process to use it as evidence during incident response, external attack surface review, and detection enrichment. It should not be treated as a standalone control or proof of compromise because ATT&CK provides no detection logic for this analytic.

Technical view

SOC, threat intelligence, and IR teams should validate whether they can search certificate transparency or similar certificate-tracking data by certificate fields associated with known suspicious infrastructure. Use the results as pivots for additional investigation, then corroborate with telemetry tied to related behaviors such as Web Protocols (T1071.001) or Asymmetric Cryptography (T1573.002). Because the platform is PRE, this is best framed as external intelligence and pre-incident hunting rather than host, network, or cloud control-plane telemetry.

Likely telemetry

  • Certificate transparency or Internet certificate tracking data
  • TLS/SSL certificate metadata such as issuer, subject, SANs, serial number, validity periods, and fingerprints
  • External domain, IP, and hosting enrichment tied to certificate pivots
  • Proxy, DNS, firewall, or network session logs for corroborating contact with discovered infrastructure
  • Web protocol and encrypted communication telemetry where available

Detection direction

  • Confirm whether analysts can pivot from known certificate attributes to additional domains, hosts, or services.
  • Treat certificate matches as leads, not detections; tune workflows to require corroboration from DNS, proxy, firewall, web, or encrypted-session evidence.
  • Watch for false positives from shared hosting, content delivery networks, managed certificate services, and common certificate authorities.
  • Map any resulting observations to related behaviors such as Web Protocols (T1071.001) or Asymmetric Cryptography (T1573.002) only when local telemetry supports that activity.
  • Document gaps where certificate intelligence is available but not integrated into SOC triage or incident response procedures.
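The technical view and the detection direction above describe one workflow: pivot from a known-bad certificate's attributes to other certificates and hosts, rank the matches by how specific the shared attribute is, then require local DNS or proxy evidence before treating any match as more than a lead. The following Python is an added example of that workflow. It is not code from MITRE, Splunk or Glexia and calls no real certificate-transparency service; the record layout (issuer, subject CN, SANs, serial, SHA-256 fingerprint, IPs a scanner saw presenting the certificate), the issuer list, and every hostname, IP, serial and log line are constructed for illustration.

```python
"""Certificate-attribute pivoting over CT-style records, corroborated against
network logs. Added example, not code from MITRE, Splunk or Glexia; it calls no
real CT service. Record fields, hostnames, IPs, serials and logs are constructed."""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass, field

RANK = {"high": 3, "medium": 2, "low": 1}
# Issuers whose certificates routinely cover many unrelated tenants (assumption).
MULTI_TENANT_ISSUERS = {"Cloudflare, Inc.", "Example Managed CDN CA"}
_HOST_FIELDS = re.compile(r"\b(?:query|answer|sni|dst)=([\w.\-:]+)")

@dataclass(frozen=True)
class CertRecord:
    fingerprint_sha256: str
    serial: str
    issuer: str
    subject_cn: str
    sans: tuple[str, ...]
    observed_on: tuple[str, ...] = ()  # IPs a scanner saw presenting the cert

@dataclass
class Lead:
    indicator: str      # hostname or IP to investigate
    matched_on: str     # certificate field that produced the pivot
    confidence: str     # high / medium / low
    corroborated: bool = False
    evidence: list[str] = field(default_factory=list)

def _names(rec: CertRecord) -> set[str]:
    return {rec.subject_cn, *rec.sans}

def pivot(seed: CertRecord, records: list[CertRecord],
          include_issuer_only: bool = False) -> list[Lead]:
    """Same fingerprint or issuer+serial: high. Shared CN/SAN: medium, or low
    for multi-tenant issuers. Issuer alone: low, and only on request (noisy)."""
    known = _names(seed) | set(seed.observed_on)
    leads: dict[str, Lead] = {}

    def add(indicator: str, why: str, conf: str) -> None:
        if indicator in known:      # already-known infrastructure is not a lead
            return
        prior = leads.get(indicator)
        if prior is None or RANK[conf] > RANK[prior.confidence]:
            leads[indicator] = Lead(indicator, why, conf)

    for rec in records:
        if (rec.fingerprint_sha256 == seed.fingerprint_sha256
                or (rec.issuer, rec.serial) == (seed.issuer, seed.serial)):
            for ip in rec.observed_on:
                add(ip, "same certificate (fingerprint/serial)", "high")
            continue
        shared = _names(rec) & _names(seed)
        if shared:
            conf = "low" if rec.issuer in MULTI_TENANT_ISSUERS else "medium"
            for ind in _names(rec) | set(rec.observed_on):
                add(ind, f"shared name {min(shared)}", conf)
        elif include_issuer_only and rec.issuer == seed.issuer:
            for name in _names(rec):
                add(name, "issuer only", "low")
    return sorted(leads.values(), key=lambda l: (-RANK[l.confidence], l.indicator))

def corroborate(leads: list[Lead], log_lines: list[str]) -> list[Lead]:
    """Flag a lead only when local DNS/proxy telemetry shows contact with it.
    Corroboration never raises confidence; it only shows the lead was reached."""
    for lead in leads:
        for line in log_lines:
            seen = {v.split(":")[0] for v in _HOST_FIELDS.findall(line)}
            if lead.indicator in seen:
                lead.corroborated = True
                lead.evidence.append(line)
    return leads

def _fp(label: str) -> str:  # stand-in for a SHA-256 certificate fingerprint
    return hashlib.sha256(label.encode()).hexdigest()

SEED = CertRecord(_fp("cert-A"), "04:5e:11", "Example Root CA", "update-portal.example",
                  ("update-portal.example", "cdn-sync.example"), ("203.0.113.10",))
CT_RECORDS = [  # constructed search results for a certificate-tracking service
    SEED,
    # the same certificate presented by a second IP
    CertRecord(_fp("cert-A"), "04:5e:11", "Example Root CA", "update-portal.example",
               ("update-portal.example", "cdn-sync.example"), ("198.51.100.7",)),
    # sibling certificate from the same issuer sharing a SAN
    CertRecord(_fp("cert-B"), "04:5e:12", "Example Root CA", "cdn-sync.example",
               ("cdn-sync.example", "telemetry-push.example"), ("198.51.100.8",)),
    # multi-tenant CDN certificate that also covers one of the seed's names
    CertRecord(_fp("cert-C"), "7f:00:21", "Cloudflare, Inc.", "sni.example-cdn.test",
               ("cdn-sync.example", "unrelated-shop.example")),
    # same issuer, no name overlap
    CertRecord(_fp("cert-D"), "04:5e:99", "Example Root CA", "corp-intranet.example",
               ("corp-intranet.example",)),
]
NETWORK_LOGS = [  # constructed DNS and proxy lines
    "2024-05-02T10:01:00Z dns client=10.0.0.5 query=telemetry-push.example type=A answer=198.51.100.8",
    "2024-05-02T10:01:03Z proxy src=10.0.0.5 dst=198.51.100.7:443 sni=update-portal.example action=allow",
    "2024-05-02T10:07:45Z dns client=10.0.0.9 query=unrelated-shop.example type=A answer=192.0.2.44",
]

if __name__ == "__main__":
    for lead in corroborate(pivot(SEED, CT_RECORDS), NETWORK_LOGS):
        print(f"{lead.confidence:6} corroborated={lead.corroborated!s:5} "
              f"{lead.indicator:28} via {lead.matched_on}")
```

Run as-is, the output shows the three outcomes the page warns about: the second IP serving the identical certificate is a high-confidence lead that the proxy log corroborates; the sibling certificate's extra SAN is a medium lead the DNS log corroborates; and the CDN certificate's other tenant stays low confidence even though a client resolved it, because a shared multi-tenant certificate is not evidence of shared ownership. The issuer-only match is excluded unless `include_issuer_only=True`, reflecting that a common CA alone is too weak a pivot to act on.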

Mitigation priorities

  • Establish access to reputable certificate-tracking or certificate transparency search capability for threat intelligence and IR use.
  • Define an investigation playbook for certificate pivots, including required corroborating evidence before escalation.
  • Integrate certificate-derived infrastructure leads into external attack surface management, detection enrichment, and incident response evidence handling.
  • Ensure logging for DNS, proxy, firewall, and relevant web traffic is retained long enough to validate whether discovered infrastructure was contacted.
  • Review analyst training so certificate reuse is understood as an investigative signal with known blind spots, not a definitive indicator by itself.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic with no formal detection field and no relationship context. Its practical use is intelligence-driven pivoting on certificates across Internet-visible infrastructure. The cited Splunk reference supports the concept of hunting with TLS/SSL certificates, but local tooling, data access, and analyst process determine whether this creates operational value.

No tactics are specified, the only platform is PRE, and no official detection logic is provided. There are no supplied relationships to specific groups, software, campaigns, mitigations, or data sources. Any assessment of coverage, exploitation, attribution, or customer exposure requires local evidence outside the supplied STIX fields.

Official MITRE ATT&CK definition

Analytic 1972

Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.[1] Detection efforts may be focused on related behaviors, such as Web Protocols or Asymmetric Cryptography.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 644a3c86785ab7c2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 644a3c86785a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Splunk Kovar Certificates 2017: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020.
  2. [2] mitre-attack AN1972: MITRE ATT&CK, Analytic AN1972.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.