MITRE ATT&CK® Detection Strategy

DET0844: Detection of Digital Certificates

Enterprise | DET0844 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0844 is a detection strategy for adversary-created digital certificates associated with ATT&CK technique T1587.003, Digital Certificates. The business value is early warning: certificates can be part of pre-compromise infrastructure preparation, so finding suspicious certificate creation or use may help security teams identify adversary staging before direct intrusion activity is visible in endpoint or identity telemetry.

Executive priority

Treat this as a threat intelligence and detection-engineering priority for reducing attacker dwell time before an incident begins. Leaders should ask whether the organization can observe suspicious SSL/TLS certificate patterns tied to external infrastructure, whether those observations are reviewed by the SOC or threat intelligence function, and whether findings can feed incident response decisions, blocking, and risk reporting. Because the ATT&CK object provides no official detection logic or platform scope, investment decisions should be based on local exposure, available telemetry, and how important early infrastructure detection is to business continuity and incident readiness.

Technical view

This strategy detects T1587.003, which is a resource-development technique on the PRE platform. SOC and threat intelligence teams should validate whether they collect and analyze certificate-related evidence from external scanning, certificate transparency sources, TLS observations, and network security tooling. Detection should focus on identifying certificates that appear suspicious in context, such as self-signed certificates, unusual certificate metadata, unexpected domains or naming patterns, or certificates associated with infrastructure relevant to the organization. Any alert should be enriched with domain, IP, certificate issuer, subject, validity dates, and relationship to known organizational assets before escalation.

Likely telemetry

  • Certificate transparency log observations
  • TLS handshake and certificate metadata from network sensors or proxies
  • External attack surface monitoring records
  • DNS and domain registration context related to observed certificates
  • Threat intelligence enrichment for domains, IPs, and certificate fingerprints

Detection direction

  • Confirm which teams own monitoring of certificate-related infrastructure signals, since the ATT&CK object does not specify a platform or detection procedure.
  • Tune detections around suspicious certificate characteristics and organizational relevance rather than treating all self-signed certificates as malicious.
  • Correlate certificate observations with DNS, IP, domain registration, and external exposure data to reduce false positives.
  • Use the relationship to T1587.003 to frame detections as pre-compromise/resource-development leads, not proof of intrusion.
  • Document blind spots where certificate transparency, external scanning, TLS inspection, or threat intelligence feeds are unavailable or not retained.
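The triage logic the Technical view and the Detection direction list describe (self-signed check, organizational relevance before escalation, enrichment with issuer, subject, validity and IP), as an added Python example that is not part of the Glexia page or MITRE's object. The owned domains, brand keywords and observation records are constructed, and the record layout is an assumption about what a certificate transparency or TLS sensor export might look like.

```python
from datetime import date

# Hypothetical organisation: domains it owns and brand strings to watch for.
OWNED_DOMAINS = {"examplecorp.com", "examplecorp.net"}
BRAND_KEYWORDS = {"examplecorp"}

# Constructed observations in a CT-log/TLS-sensor style: an issued org cert,
# a self-signed brand lookalike, and an unrelated self-signed cert.
OBSERVATIONS = [
    {"fingerprint": "aa11", "ip": "203.0.113.10",
     "subject": "CN=www.examplecorp.com", "issuer": "CN=R3,O=Let's Encrypt",
     "sans": ["www.examplecorp.com"],
     "not_before": "2024-03-01", "not_after": "2024-05-30"},
    {"fingerprint": "bb22", "ip": "198.51.100.7",
     "subject": "CN=examplecorp-login.com", "issuer": "CN=examplecorp-login.com",
     "sans": ["examplecorp-login.com", "vpn.examplecorp-login.com"],
     "not_before": "2024-03-10", "not_after": "2025-03-10"},
    {"fingerprint": "cc33", "ip": "192.0.2.9",
     "subject": "CN=localhost", "issuer": "CN=localhost", "sans": ["localhost"],
     "not_before": "2024-01-01", "not_after": "2034-01-01"},
]

def is_owned(name):
    """True when name is an owned domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in OWNED_DOMAINS)

def lookalikes(names):
    """Names carrying a brand keyword that the organisation does not own."""
    return [n for n in names if not is_owned(n)
            and any(k in n for k in BRAND_KEYWORDS)]

def triage(obs):
    """Return an enriched lead for an org-relevant suspicious cert, else None."""
    hits = lookalikes(obs["sans"])
    if not hits:            # self-signed alone is not escalated (too noisy)
        return None
    reasons = ["brand lookalike: " + ", ".join(hits)]
    if obs["issuer"] == obs["subject"]:
        reasons.append("self-signed")
    nb, na = date.fromisoformat(obs["not_before"]), date.fromisoformat(obs["not_after"])
    return {"fingerprint": obs["fingerprint"], "ip": obs["ip"],
            "issuer": obs["issuer"], "subject": obs["subject"],
            "validity_days": (na - nb).days, "reasons": reasons,
            "technique": "T1587.003",
            "disposition": "resource-development lead, not proof of intrusion"}

def run(observations=OBSERVATIONS):
    """Triage every observation and keep only the leads."""
    return [lead for lead in map(triage, observations) if lead]

if __name__ == "__main__":
    for lead in run():
        print(lead)
```

Only the brand lookalike is escalated; the legitimately issued org certificate and the unrelated self-signed certificate are dropped, which is the tuning the Detection direction list calls for.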

Mitigation priorities

  • Establish ownership for certificate and external infrastructure monitoring between SOC, threat intelligence, and attack surface management functions.
  • Prioritize visibility first: ensure certificate metadata, external domain context, and TLS observations can be collected and searched.
  • Define triage playbooks for suspicious certificates, including enrichment, asset relevance checks, and escalation criteria.
  • Where suspicious infrastructure is relevant to the organization, feed indicators into monitoring, blocking, and incident response workflows according to local policy.
  • Maintain audit evidence showing monitoring sources, review cadence, alert disposition, and control gaps for compliance and readiness discussions.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description, no official detection text, no tactics, and no platforms specified. The only behavioral context is its relationship to T1587.003 Digital Certificates, described as adversaries creating self-signed SSL/TLS certificates during resource development. Recommendations therefore focus on defensive validation and governance rather than specific detection logic.

This take does not assert active exploitation, actor attribution, available coverage, or affected platforms. Local telemetry, certificate visibility, business domain context, and SOC process maturity are required to determine practical detection value and priority.

Official MITRE ATT&CK definition

Detection of Digital Certificates

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1587.003 | Digital Certificates (Sub-technique) | This object detects Digital Certificates.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: bae2e6932654513f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | bae2e6932654…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, DET0844.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.