MITRE ATT&CK® Detection Strategy

DET0840: Detection of Install Digital Certificate

Enterprise, DET0840, Detection Strategy, Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0840 is a detection strategy for spotting adversary resource development involving installation of SSL/TLS digital certificates. The business value is not just finding a certificate; it is validating whether the organization can notice when external infrastructure is being prepared to look trustworthy before phishing, malware delivery, or other targeting activity. Because the official detection strategy has no description or detection logic, teams should treat this as a coverage-validation prompt rather than a ready-made analytic.

Executive priority

Prioritize this where external trust, brand abuse, phishing readiness, and incident response lead time matter. Leaders should ask whether security teams can identify suspicious certificate use tied to domains, infrastructure, or impersonation patterns relevant to the organization, and whether that evidence can support takedown, legal, communications, and incident response decisions. This is especially useful for threat intelligence and managed detection programs that monitor pre-compromise adversary preparation, but local requirements and data access will determine practical coverage.

Technical view

The supplied relationship maps DET0840 to ATT&CK T1608.003, Install Digital Certificate, under resource development with PRE platform context. SOC, threat intelligence, and detection engineering teams should validate visibility into certificate-related signals associated with suspicious or newly prepared infrastructure. Because ATT&CK provides no official detection text for this detection strategy, implementation should be based on locally approved intelligence requirements, known-good certificate/domain inventories, and correlation with related resource-development observations rather than a single indicator match.

Likely telemetry

  • Certificate transparency log monitoring or third-party certificate intelligence relevant to organizational domains, brands, and lookalikes
  • DNS and domain registration intelligence associated with infrastructure using newly issued certificates
  • External attack surface management observations for certificates on internet-facing services
  • Threat intelligence reporting that links certificates, domains, IP addresses, or hosting infrastructure
  • Internal inventory of legitimate organization-owned certificates and expected certificate authorities

Detection direction

  • Validate whether monitoring distinguishes legitimate certificate issuance from suspicious certificates on lookalike domains, unexpected infrastructure, or infrastructure not owned by the organization.
  • Tune for context: certificate issuance alone is common and noisy, so correlate with domain age, naming similarity, hosting patterns, DNS changes, and other resource-development signals where available.
  • Confirm that detections do not assume endpoint or cloud telemetry coverage, because the detection strategy object does not specify platforms and the related technique is PRE-focused.
  • Establish review paths for suspicious external certificates so analysts can triage ownership, business legitimacy, and potential impersonation without over-escalating benign certificates.
  • Measure gaps in certificate transparency coverage, brand/domain monitoring scope, and handoff between threat intelligence, SOC, legal, communications, and incident response teams.
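The telemetry list and detection direction above describe a triage pipeline in prose: take certificate transparency records, exclude certificates that are ours and issued by an expected CA, then score the rest by brand similarity, domain age and issuer. The following is an added example of that logic in Python; it is not Glexia or MITRE code and the page supplies no analytic of its own. The owned-domain inventory, expected issuers, brand tokens, homoglyph table, CT records, registration dates and scoring weights are all constructed for illustration and would be replaced by local data.

```python
"""Triage constructed certificate-transparency (CT) records against an owned-asset inventory.

Added example for this page (not Glexia or MITRE code). Every inventory, record,
registration date and threshold below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
import re

# Hypothetical inventory: domains and issuers the organization expects to see in CT logs.
OWNED_DOMAINS = {"example.com", "example.net"}
EXPECTED_ISSUERS = {"Let's Encrypt", "DigiCert Inc"}
BRAND_TOKENS = ["example"]          # brand strings a lookalike would imitate
NEW_DOMAIN_DAYS = 30                # domains registered more recently than this score higher
TODAY = date(2026, 2, 1)            # fixed so the sample run is reproducible

# Small homoglyph/leet table so "examp1e" and "exarnple" compare against "example".
_HOMOGLYPHS = [("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("vv", "w"), ("5", "s")]


def normalize_label(label: str) -> str:
    s = label.lower()
    for src, dst in _HOMOGLYPHS:
        s = s.replace(src, dst)
    return re.sub(r"[^a-z]", "", s)   # drop hyphens and any remaining digits


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character brand typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(name: str) -> str:
    # Naive two-label registrable domain; production code should use a public-suffix list.
    return ".".join(name.lower().lstrip("*.").split(".")[-2:])


def is_owned(name: str) -> bool:
    return registrable_domain(name) in OWNED_DOMAINS


def brand_match(name: str) -> Optional[str]:
    """Return the brand token a non-owned domain imitates, or None."""
    for label in name.lower().lstrip("*.").split(".")[:-1]:   # ignore the TLD
        norm = normalize_label(label)
        for brand in BRAND_TOKENS:
            if brand in norm or edit_distance(norm, brand) <= 2:
                return brand
    return None


@dataclass
class Finding:
    names: list
    issuer: str
    score: int
    reasons: list = field(default_factory=list)


def triage(ct_records, registrations, today=TODAY):
    """Score CT records; registrations maps registrable domain -> registration date."""
    findings = []
    for rec in ct_records:
        names, issuer = rec["names"], rec["issuer"]
        reasons, score = [], 0
        # Owned domain, but a CA we do not use: possible mis-issuance or unmanaged service.
        if any(is_owned(n) for n in names) and issuer not in EXPECTED_ISSUERS:
            reasons.append(f"owned domain issued by unexpected CA {issuer}")
            score += 3
        # Lookalikes: evaluate once per registrable domain so multiple SANs are not double-counted.
        for dom in sorted({registrable_domain(n) for n in names if not is_owned(n)}):
            brand = brand_match(dom)
            if not brand:
                continue
            reasons.append(f"{dom} imitates brand '{brand}' on infrastructure we do not own")
            score += 3
            reg = registrations.get(dom)
            if reg is not None and (today - reg).days <= NEW_DOMAIN_DAYS:
                reasons.append(f"{dom} registered {(today - reg).days} days ago")
                score += 2
            if issuer not in EXPECTED_ISSUERS:
                reasons.append("issuer not in expected set (weak signal on its own)")
                score += 1
        if reasons:
            findings.append(Finding(names, issuer, score, reasons))
    return sorted(findings, key=lambda f: -f.score)


# Constructed sample input, not real CT entries or registration data.
SAMPLE_CT = [
    {"names": ["www.example.com"], "issuer": "DigiCert Inc"},                        # benign
    {"names": ["mail.example.net"], "issuer": "ZeroSSL"},                             # owned, odd CA
    {"names": ["login-examp1e.com", "www.login-examp1e.com"], "issuer": "Let's Encrypt"},
    {"names": ["exarnple-support.net"], "issuer": "UnknownCA"},
    {"names": ["news.samplecorp.com"], "issuer": "Let's Encrypt"},                    # unrelated
]
SAMPLE_REGISTRATIONS = {"login-examp1e.com": date(2026, 1, 20), "exarnple-support.net": date(2024, 6, 1)}


def run_sample():
    return triage(SAMPLE_CT, SAMPLE_REGISTRATIONS)


if __name__ == "__main__":
    for f in run_sample():
        print(f.score, f.names, f.issuer, "; ".join(f.reasons))
```

The benign owned certificate and the unrelated domain produce no finding; the two lookalikes outrank the owned-domain/odd-CA case because brand imitation plus a fresh registration is stronger evidence of preparation than an unexpected issuer alone, which is exactly the correlation the direction above asks for. Weights, the homoglyph table and the naive registrable-domain logic are placeholders to be tuned against local data.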

Mitigation priorities

  • Maintain an authoritative inventory of legitimate domains, certificates, certificate authorities, and external services to reduce false positives and speed triage.
  • Define monitoring requirements for brand, domain, and certificate abuse, including lookalike naming patterns and critical business units or products.
  • Create an escalation workflow for suspicious external certificates that includes validation, evidence capture, potential takedown coordination, and incident response decision points.
  • Integrate certificate-related findings with threat intelligence and external attack surface management rather than treating them as isolated alerts.
  • Use this detection strategy as compliance and resilience evidence only after documenting data sources, review procedures, response ownership, and known monitoring limitations.

Analyst notes and limits

This object is a MITRE ATT&CK detection strategy, DET0840, and it detects T1608.003 Install Digital Certificate. The related technique describes adversaries installing SSL/TLS certificates for use during targeting. The object itself does not provide official detection logic, platforms, tactics, aliases, or labels, so the most defensible use is as a prompt to validate certificate-abuse monitoring and response workflows.

The official ATT&CK fields supplied for DET0840 are sparse: no description, no detection text, and no platforms or tactics are specified on the detection strategy itself. The only behavioral context comes from the relationship to T1608.003 and its partial description. Any concrete analytic thresholds, tooling choices, or claims of coverage require local telemetry, business context, and validation evidence.

Official MITRE ATT&CK definition

Detection of Install Digital Certificate

No official description is available in the imported ATT&CK source object.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1608.003
Name: Install Digital Certificate (sub-technique)
Relationship / procedure: This object detects Install Digital Certificate.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in the mirrored snapshot)
Modified: (blank in the mirrored snapshot)
Raw hash: 2dcc467f85b9d407...

Imported snapshots across ATT&CK releases (1)

Release 19.1, object version 1.0, status "Current bundle", raw hash 2dcc467f85b9… (the bundle-import and modified timestamps are blank in this snapshot).
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0840
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.