MITRE ATT&CK® Technique

T1608.003: Install Digital Certificate

Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.[1]

Adversaries may install SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: Asymmetric Cryptography with Web Protocols) or lending credibility to a credential harvesting site. Installation of digital certificates may take place for a number of server types, including web servers and email servers.

Adversaries can obtain digital certificates (see Digital Certificates) or create self-signed certificates (see Digital Certificates). Digital certificates can then be installed on adversary controlled infrastructure that may have been acquired (Acquire Infrastructure) or previously compromised (Compromise Infrastructure).

Domain: Enterprise. ID: T1608.003. Type: Sub-technique. Object version: 1.1.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Installing a digital certificate is a pre-compromise staging behavior: an adversary prepares infrastructure so it can look trustworthy and support encrypted communications. For leaders, the practical risk is not the certificate itself, but what it enables next: credible credential-harvesting sites, encrypted command-and-control traffic, or other staged capabilities that may be harder for users and defenders to distinguish from legitimate services.

Executive priority

Treat this as an early-warning and readiness issue in the Resource Development phase. Because ATT&CK provides no official detection text for this sub-technique, executives should ask whether the organization has practical visibility into suspicious certificate use, brand/domain abuse, and TLS-enabled infrastructure that may be used before an intrusion is obvious. This is especially relevant for SOC coverage validation, incident response triage, pre-compromise monitoring, and evidence that the organization is proactively reducing attack surface rather than only reacting after compromise.

Technical view

This is a PRE-platform, Resource Development sub-technique under Stage Capabilities. SOC and detection teams should validate whether they can observe or investigate SSL/TLS certificates associated with suspicious web or email infrastructure, especially where certificates support encrypted C2 patterns or credential-harvesting sites as described by ATT&CK. The relationship to DET0840 indicates a detection strategy exists, but the supplied ATT&CK object does not include its detection logic. The relationship to Sea Turtle should be treated as threat-intelligence context only, not evidence of activity in any environment.

Likely telemetry

  • TLS/SSL certificate metadata observed from network connections, proxies, sensors, or TLS inspection where legally and operationally appropriate
  • Web and email server exposure and certificate inventory for organization-controlled infrastructure
  • Certificate transparency or external certificate monitoring data, if available to the organization
  • DNS and domain registration context used to correlate certificates with suspicious or lookalike infrastructure
  • Network flow, proxy, and web gateway records showing encrypted communications to newly observed or unusual certificate-bearing hosts

Detection direction

  • Validate whether detections can correlate certificate metadata with domains, infrastructure ownership, and newly observed encrypted destinations rather than relying only on IP or domain indicators.
  • Tune for suspicious context: unexpected certificate issuers or subjects, certificates associated with lookalike domains, newly observed TLS services, or certificate use on infrastructure not in the approved inventory.
  • Account for false positives from legitimate certificate rotation, cloud-hosted services, content delivery networks, and routine web/email server maintenance.
  • Use DET0840 as a pointer to detection coverage, but require local rule logic, telemetry sources, and test evidence because no official detection text is provided in the supplied ATT&CK fields.
  • For organizations tracking Sea Turtle-relevant risks, include certificate and DNS infrastructure monitoring in threat-informed hunting without assuming attribution.
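As an added example (not code from ATT&CK or Glexia's page), the following Python triages constructed TLS certificate observations against an approved inventory the way the detection direction above suggests: it flags self-signed certificates, unapproved issuers on owned domains, and brand-bearing lookalike subjects, while treating routine rotation on an inventoried host as a non-event. The brand token, inventory, and observation rows are all constructed sample data.

```python
# Added example, not code from ATT&CK or Glexia: triage TLS certificate observations
# against an approved inventory. Inventory, brand token and observations are constructed.
BRAND = "acme"                                   # brand token used to spot lookalike names
OWNED_DOMAINS = {"acme-corp.example"}            # registrable domains the organization owns
APPROVED_ISSUERS = {"Example Trust CA"}          # issuers authorized for owned infrastructure
KNOWN_FINGERPRINTS = {"aa11"}                    # certificate fingerprints already baselined

# Constructed observations: (destination host, subject CN, issuer CN, fingerprint).
OBSERVATIONS = [
    ("mail.acme-corp.example", "mail.acme-corp.example", "Example Trust CA", "aa11"),
    ("mail.acme-corp.example", "mail.acme-corp.example", "Example Trust CA", "bb22"),
    ("acme-corp-login.example", "acme-corp-login.example", "Free CA", "cc33"),
    ("203.0.113.7", "localhost", "localhost", "dd44"),
    ("cdn.vendor.example", "cdn.vendor.example", "Example Trust CA", "ee55"),
]

def registrable(host):
    """Last two labels of a hostname; adequate for the constructed data (no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def assess(host, subject, issuer, fingerprint, known):
    """Return (priority, reasons) with priority 'high', 'low' or 'none'.
    `known` is the running fingerprint baseline; it is updated so that a rotated
    certificate on an inventoried host is recorded rather than re-flagged."""
    reasons = []
    owned = registrable(host) in OWNED_DOMAINS
    if subject == issuer:
        reasons.append("self-signed certificate")
    if subject != host:
        reasons.append("subject does not match destination host")
    if owned and issuer not in APPROVED_ISSUERS:
        reasons.append("unapproved issuer on owned domain")
    if not owned and BRAND in subject.lower():
        reasons.append("brand token in subject on unowned domain (lookalike)")
    new_fp = fingerprint not in known
    known.add(fingerprint)
    if reasons:
        return "high", reasons
    if new_fp and owned:
        return "none", ["rotation on inventoried host with approved issuer"]
    if new_fp:
        return "low", ["newly observed external TLS destination"]
    return "none", []

def triage(observations):
    """Assess each observation in order against a copy of the baseline; returns (host, priority, reasons)."""
    known = set(KNOWN_FINGERPRINTS)
    return [(h, *assess(h, s, i, f, known)) for h, s, i, f in observations]
```

Real deployments would replace the constructed inventory with the organization's domain and certificate registry and feed observations from proxy or sensor logs.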

Mitigation priorities

  • Apply the ATT&CK M1056 Pre-compromise mitigation concept: focus on proactive measures that reduce exposure and make adversary preparation easier to identify.
  • Maintain an accurate inventory of owned domains, externally exposed web/email services, and authorized certificates so suspicious certificate use has a baseline for comparison.
  • Monitor for suspicious certificate issuance or use tied to organizational names, domains, or lookalike infrastructure where monitoring capability is available.
  • Strengthen DNS, registrar, and external infrastructure governance where relevant, especially for organizations concerned with service-provider or DNS-related intrusion paths.
  • Ensure incident response playbooks include certificate, DNS, web, and email infrastructure review when investigating suspected credential harvesting or encrypted C2 staging.

Analyst notes and limits

This object is most useful as a planning signal for pre-compromise visibility. It connects certificate installation to later operational uses such as encrypted C2 over web protocols and credible credential-harvesting infrastructure. The supplied relationships show this is part of Stage Capabilities, is mitigated by Pre-compromise measures, is detected by DET0840, and is associated with Sea Turtle usage in ATT&CK.

ATT&CK provides no official detection content for this object in the supplied fields, and the related DET0840 details are not included. The object is scoped to PRE and Resource Development, so local telemetry, external monitoring coverage, legal constraints around TLS inspection, and organizational domain/certificate inventory determine how actionable this becomes. No active exploitation or customer exposure should be inferred from this ATT&CK entry alone.


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain: Enterprise | ID: T1608 | Name: Stage Capabilities | Relationship / procedure: this object is a sub-technique of Stage Capabilities.
Associated objects

Groups, software, and campaigns

Group Enterprise

G1041: Sea Turtle

Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof login portals and other applications for credential collection.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: e6596397536f92e9...

Imported snapshots across ATT&CK releases (1):
Release 19.1 | Object version 1.1 | Status: current bundle | Raw hash e6596397536f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] DigiCert Install SSL Cert: DigiCert. (n.d.). How to Install an SSL Certificate. Retrieved April 19, 2021.
  2. [2] Splunk Kovar Certificates 2017: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020.
  3. [3] mitre-attack T1608.003

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.