T1596.003: Digital Certificates
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
Adversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.[1] Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).[2] Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Phishing for Information), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Trusted Relationship).
Analyst context for executives and security teams
Digital Certificates is a pre-compromise reconnaissance technique: adversaries can use public certificate data to learn organization names, locations, domains, and exposed services before engaging the target. The business issue is not the certificate itself, but the unintended map it can provide for follow-on reconnaissance, phishing preparation, operational resource setup, or attempts against external remote services and trusted relationships.
Executive priority
Treat public certificate data as part of external attack surface governance. Leaders should ask whether the organization knows what certificates publicly reveal, whether certificate-discovered assets match approved internet-facing inventory, and whether this evidence is available for audits, incident scoping, and pre-compromise risk reduction. Priority is highest where certificates expose sensitive naming, locations, third-party relationships, or unmanaged external services.
Technical view
This sub-technique sits under Search Open Technical Databases in the Reconnaissance tactic and applies to the PRE platform. ATT&CK does not provide official detection text, but a related detection strategy, DET0831 Detection of Digital Certificates, is linked. SOC and detection engineering teams should focus on validating visibility into publicly available certificate metadata and externally served certificates, then correlating certificate findings with asset inventory, external exposure management, and later indicators such as active scanning, phishing-for-information activity, external remote service targeting, or trusted-relationship abuse.
Likely telemetry
- Public certificate lookup results and certificate metadata for organization-associated domains
- Externally served SSL/TLS certificate details from internet-facing services
- Certificate data from organization-signed artifacts where applicable
- Approved certificate and domain inventories
- External asset inventory showing hosts, domains, services, and ownership
Detection direction
- Do not assume adversary lookups are directly observable; this is PRE reconnaissance and often occurs through public resources outside enterprise logging.
- Validate DET0831 or equivalent logic against local asset and certificate inventories rather than relying on endpoint or network telemetry alone.
- Alerting should prioritize unknown, unexpected, or sensitive certificate disclosures, such as unapproved domains, revealing organization/location data, or certificates tied to unmanaged internet-facing services.
- Tune for legitimate activity: administrators, auditors, researchers, certificate authorities, and external monitoring tools may all interact with certificate data or lookup services.
- Use relationship-driven pivots: certificate findings may inform follow-on checks for Active Scanning, Phishing for Information, Develop/Obtain Capabilities, External Remote Services, and Trusted Relationship exposure.
Mitigation priorities
- Apply M1056 Pre-compromise controls by reducing unnecessary public information and making reconnaissance less useful.
- Maintain an authoritative inventory of public certificates, domains, and externally exposed services.
- Review certificate subject and organization metadata for avoidable disclosure of sensitive names, locations, or relationships.
- Compare public certificate-derived assets against approved business ownership and decommission unmanaged or unnecessary exposures.
- Integrate certificate review into external attack surface management, incident response scoping, and compliance evidence for internet-facing assets.
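The detection direction and mitigation priorities above both reduce to one review loop: take the subject and SAN fields that a public lookup tool or an externally served TLS certificate exposes, compare the names against the approved inventory, and flag subject metadata that discloses internal site codes, locations or partner relationships. The script below is an added example, not Glexia or MITRE code; the certificate records, the approved-host inventory and the sensitive-term list are all constructed, and parsing the certificate itself is assumed to have already happened.

```python
# Constructed records shaped like the CN, O, L and SAN fields a public
# certificate lookup or an externally served TLS certificate exposes.
# Hypothetical organization; none of these values are real observations.
OBSERVED_CERTS = [
    {"cn": "www.example.com", "o": "Example Corp", "l": "",
     "sans": ["www.example.com", "example.com"]},
    {"cn": "vpn-dc2.example.com", "o": "Example Corp", "l": "Springfield",
     "sans": ["vpn-dc2.example.com"]},
    {"cn": "partner-sftp.example.com", "o": "Example Corp / Acme Logistics",
     "l": "", "sans": ["partner-sftp.example.com"]},
]

# Approved internet-facing names and their business owners (constructed).
APPROVED_HOSTS = {"www.example.com": "Web team", "example.com": "Web team"}

# Terms the organization does not want in public subjects: internal site
# codes, office locations, partner names (constructed list).
SENSITIVE_TERMS = ("dc2", "springfield", "acme logistics")


def review_certificate(cert, approved=APPROVED_HOSTS, sensitive=SENSITIVE_TERMS):
    """Return a list of (finding_type, detail) tuples for one certificate record."""
    findings = []
    # Detection: names served publicly but absent from the approved inventory.
    names = sorted(set(cert["sans"]) | {cert["cn"]})
    unapproved = [n for n in names if n not in approved]
    if unapproved:
        findings.append(("unapproved_name", ",".join(unapproved)))
    # Mitigation: subject fields that disclose sensitive names or locations.
    for label, value in (("CN", cert["cn"]), ("O", cert["o"]), ("L", cert["l"])):
        hits = [t for t in sensitive if t in value.lower()]
        if hits:
            findings.append(("sensitive_disclosure", f"{label}={value} ({', '.join(hits)})"))
    # An O field naming more than one party exposes a trusted relationship.
    if "/" in cert["o"] or "&" in cert["o"]:
        findings.append(("third_party_relationship", cert["o"]))
    return findings


def review_all(certs=OBSERVED_CERTS, approved=APPROVED_HOSTS, sensitive=SENSITIVE_TERMS):
    """Map each certificate CN to its findings; an empty list means nothing to act on."""
    return {c["cn"]: review_certificate(c, approved, sensitive) for c in certs}


if __name__ == "__main__":
    for cn, findings in review_all().items():
        print(cn, "OK" if not findings else findings)
```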
Analyst notes and limits
This technique is most valuable as an early warning and exposure-management use case, not as a standalone intrusion detection. Its decision value comes from revealing what an adversary can learn before contacting the organization. The linked parent technique, Search Open Technical Databases, reinforces that certificate data should be assessed alongside other public technical databases.
Official ATT&CK detection text is not provided for this object. The mitigation relationship is general pre-compromise guidance, not a certificate-specific control list. Local validation is required to determine what certificate data is exposed, what is approved, and whether subsequent activity is related or benign.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1596 | Search Open Technical Databases | This object is a sub-technique of Search Open Technical Databases. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 164dd58e7d17… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] SSLShopper Lookup: SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020.
[2] Medium SSL Cert: Jain, M. (2019, September 16). Export & Download — SSL Certificate from Server (Site URL). Retrieved October 20, 2020.
[3] mitre-attack: MITRE ATT&CK. T1596.003: Digital Certificates.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.