DET0848: Detection of Digital Certificates
Analyst context for executives and security teams
DET0848 is a detection strategy reference for adversary use of digital certificates in resource development. The business issue is trust abuse: certificates can make adversary-controlled infrastructure appear legitimate, which can weaken user confidence, filtering decisions, and incident triage if certificate evidence is not collected and reviewed.
Executive priority
Treat this as a readiness question rather than a guaranteed detection capability. Leaders should ask whether security teams can identify suspicious certificate use tied to external infrastructure before or during an incident, and whether that evidence is available to support response decisions, supplier/domain trust reviews, and audit explanations around phishing, impersonation, or malicious infrastructure risk.
Technical view
The supplied ATT&CK object has no official detection text, platforms, or tactics of its own. Its only provided relationship is that it detects T1588.004: Digital Certificates, a PRE-platform resource-development technique where adversaries may buy or steal SSL/TLS certificates for targeting. SOC and IR teams should validate whether certificate-related observations from internet-facing activity, network connections, domain investigations, and threat intelligence enrichment are available and correlated with suspected adversary infrastructure.
Likely telemetry
- SSL/TLS certificate metadata observed in network traffic or proxy logs
- Certificate transparency or external certificate intelligence records
- DNS, domain, and hosting enrichment associated with certificate subjects, issuers, SANs, and validity periods
- Web gateway, firewall, or network security logs containing destination certificate details where available
- Incident response evidence linking suspicious infrastructure to certificate reuse or newly issued certificates
Detection direction
- Confirm which tools actually preserve certificate fields; many environments log domains and IPs but not certificate issuer, subject, SAN, serial number, fingerprint, or validity dates.
- Look for analytic value in correlation rather than single indicators: certificate reuse, unusual naming, newly observed certificates, or certificate metadata associated with suspicious infrastructure may be more useful when combined with DNS, proxy, and threat intelligence context.
- Tune carefully for false positives because legitimate certificate issuance, renewal, CDN use, and shared hosting can create noisy certificate patterns.
- Use the relationship to T1588.004 to frame this as pre-compromise/resource-development visibility; absence of endpoint telemetry does not necessarily mean absence of risk.
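As an added illustration of the correlation point above (example code written for this page, not part of the ATT&CK record or the Glexia analysis), the following Python scores constructed TLS observations by combining several certificate signals (newly issued, reused across hosts, SNI/SAN mismatch, threat-intel match) and only flags a fingerprint when two or more agree. The record field names, baseline, watchlist and sample values are all hypothetical.

```python
"""Correlate TLS certificate observations with intel context (constructed example)."""
from collections import defaultdict
from datetime import datetime

# Constructed observations in a proxy/Zeek-style shape; hypothetical field names, not real traffic.
OBSERVATIONS = [
    {"ts": "2024-05-01T10:00:00", "dst_ip": "203.0.113.10", "sni": "portal.example.com",
     "issuer": "CN=Example CA", "fp": "aa11", "sans": ["portal.example.com"],
     "not_before": "2024-01-01T00:00:00", "not_after": "2025-01-01T00:00:00"},
    {"ts": "2024-05-01T10:05:00", "dst_ip": "198.51.100.7", "sni": "examp1e-login.net",
     "issuer": "CN=Free CA", "fp": "bb22", "sans": ["examp1e-login.net"],
     "not_before": "2024-04-30T12:00:00", "not_after": "2024-07-29T12:00:00"},
    {"ts": "2024-05-01T10:09:00", "dst_ip": "198.51.100.8", "sni": "cdn-update.examp1e.net",
     "issuer": "CN=Free CA", "fp": "bb22", "sans": ["examp1e-login.net"],
     "not_before": "2024-04-30T12:00:00", "not_after": "2024-07-29T12:00:00"},
]
BASELINE_FPS = {"aa11"}                # fingerprints seen before this window (constructed)
INTEL_DOMAINS = {"examp1e-login.net"}  # constructed threat-intel watchlist


def analyze(observations, baseline_fps, intel_domains, new_cert_days=7):
    """Return {fingerprint: signals} for certificates with at least two correlated signals."""
    hosts_by_fp = defaultdict(set)  # fingerprint -> {(dst_ip, sni)} to detect reuse
    for o in observations:
        hosts_by_fp[o["fp"]].add((o["dst_ip"], o["sni"]))
    findings = {}
    for o in observations:
        signals = set()
        seen = datetime.fromisoformat(o["ts"])
        issued = datetime.fromisoformat(o["not_before"])
        # Never-seen fingerprint whose validity started within the last few days
        if o["fp"] not in baseline_fps and (seen - issued).days < new_cert_days:
            signals.add("newly_issued")
        if len(hosts_by_fp[o["fp"]]) > 1:       # same cert served from several hosts/names
            signals.add("cert_reuse")
        if o["sni"] not in o["sans"]:           # requested name not covered by the cert
            signals.add("name_mismatch")
        if o["sni"] in intel_domains or any(s in intel_domains for s in o["sans"]):
            signals.add("intel_match")
        # Single indicators are noisy (renewals, CDNs, shared hosting): require two or more.
        if len(signals) >= 2:
            findings.setdefault(o["fp"], set()).update(signals)
    return findings


if __name__ == "__main__":
    for fp, sig in analyze(OBSERVATIONS, BASELINE_FPS, INTEL_DOMAINS).items():
        print(fp, sorted(sig))
```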
Mitigation priorities
- Inventory where certificate metadata is collected and retained across network, proxy, cloud, and threat intelligence workflows.
- Prioritize enrichment and correlation of certificate observations with domains, IPs, and known investigation artifacts.
- Define IR playbook steps for reviewing certificate metadata when investigating suspicious infrastructure or impersonation concerns.
- Use findings to support broader trust-control decisions, such as domain monitoring, phishing defense, and external attack surface review, without treating certificate signals as standalone proof of maliciousness.
Analyst notes and limits
This take is intentionally conservative because the ATT&CK detection strategy record provides no official description or detection guidance. The strongest supported context is the detects relationship to T1588.004, Digital Certificates, under resource development for PRE-platform activity.
No platforms, tactics, official detection logic, data sources, analytics, mitigations, or examples were supplied for DET0848. Local telemetry architecture and enrichment sources are required to determine practical coverage.
Detection of Digital Certificates
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1588.004 | Digital Certificates (sub-technique) | This object detects Digital Certificates. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9aefb3428385… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0848
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.