Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1976: Analytic 1976

Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.[1] Detection efforts may be focused on related behaviors, such as Web Protocols , Asymmetric Cryptography , and/or Install Root Certificate .

EnterpriseAN1976AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about using Internet-wide certificate visibility to find related infrastructure. For leaders, the value is not that a certificate proves malicious activity; it is that certificates can provide a repeatable clue for threat intelligence, incident scoping, and early investigation when adversary infrastructure may share certificate attributes.

Executive priority

Prioritize this as a threat intelligence and investigation capability rather than a standalone detection control. It can help security teams expand from one known site or certificate to related infrastructure, supporting faster incident decisions and better evidence for why certain domains, IPs, or services deserve monitoring or blocking review. Its business value depends on whether the organization has access to certificate intelligence sources and a process to turn pivots into validated defensive actions.

Technical view

SOC, threat intelligence, and IR teams should validate whether they can pivot on certificate attributes from known infrastructure and correlate the results with related behaviors named by ATT&CK: Web Protocols, Asymmetric Cryptography, and Install Root Certificate. Because ATT&CK provides no specific detection logic for AN1976, teams should treat certificate pivots as enrichment and lead generation, then confirm findings with local network, endpoint, proxy, DNS, TLS, and certificate trust evidence where available.

Likely telemetry

  • Certificate transparency or Internet certificate intelligence data
  • TLS/SSL certificate metadata, including issuer, subject, serial number, validity period, SANs, and fingerprints where available
  • DNS and passive DNS context for domains associated with certificates
  • Network, proxy, or web gateway logs showing connections to domains or hosts using relevant certificates
  • Endpoint or certificate store evidence when investigating possible root certificate installation

Detection direction

  • Do not treat shared certificate attributes alone as proof of adversary infrastructure; validate with additional context such as hosting, DNS, traffic, timing, and known behavior.
  • Tune investigations around certificate reuse, unusual certificate relationships, or pivots from already-known suspicious infrastructure.
  • Correlate certificate-derived leads with ATT&CK-related behaviors: Web Protocols, Asymmetric Cryptography, and Install Root Certificate.
  • Document false-positive handling, especially for shared hosting, CDNs, certificate automation, and legitimate certificate reuse patterns.
  • Confirm whether current tools retain enough certificate metadata to support historical pivots, not just real-time alerts.

Mitigation priorities

  • Establish an intelligence workflow for certificate pivoting and evidence review before operational action is taken.
  • Ensure SOC and IR teams can access relevant certificate intelligence and correlate it with DNS, network, proxy, and endpoint data.
  • Define decision criteria for when certificate-derived infrastructure is monitored, blocked, escalated, or dismissed.
  • Review certificate trust and root certificate monitoring where the environment supports it, particularly because ATT&CK references Install Root Certificate as a related behavior.
  • Use findings to improve investigation playbooks and compliance evidence around threat hunting and incident response readiness.
Analyst notes and limits

AN1976 is a detection analytic in the enterprise ATT&CK domain with platform listed as PRE. The official description points to certificate tracking services and certificate-based pivoting, with related focus areas of Web Protocols, Asymmetric Cryptography, and Install Root Certificate. No explicit ATT&CK detection logic, tactics, or relationships were supplied.

This take is constrained by sparse ATT&CK fields. It does not establish active exploitation, attribution, affected organizations, or guaranteed detection. Local value depends on available certificate intelligence, telemetry retention, analyst workflow, and validation against organization-specific traffic and assets.

Official MITRE ATT&CK definition

Analytic 1976

Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.[1] Detection efforts may be focused on related behaviors, such as Web Protocols , Asymmetric Cryptography , and/or Install Root Certificate .

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
62cab35c3c7e544b...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 62cab35c3c7e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Splunk Kovar Certificates 2017

    Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020.

    Open source URL
  2. [2]
    mitre-attack AN1976
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use