Develop Capabilities: Digital Certificates
Before compromising a victim, adversaries may create self-signed or CA-signed SSL/TLS X.509 certificates that can be used during targeting. SSL/TLS X.509 certificates are digital files used for Secure Sockets Layer (SSL) or Transport Layer Security (TLS). An SSL/TLS certificate is one of the most common types of X.509 certificate, a kind of public-key certificate defined by the X.509 standard. X.509 certificates bind a public key to the identity of a hostname, organization, or individual and function as machine identities for authentication and data encryption.
An SSL/TLS certificate is most reliable when issued by a trusted Certificate Authority (CA). Once a CA (or another entity that the relying party trusts) has signed the certificate, the certificate holder can use its public key, together with the corresponding private key, to establish authenticated, encrypted connections with another party.
Self-signed X.509 SSL/TLS certificates are not trusted by default by browsers and other clients outside the issuing organization, so they are not suitable for public-facing applications and are mainly used to encrypt and authenticate data within an organization's own network.
Adversaries may register or hijack domains and later purchase an SSL/TLS certificate for them, either through a front organization or by using information stolen from a previously compromised entity that lets the adversary pass a certificate provider's validation as that entity.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Consider use of services that track certificates in use on sites across the Internet, such as certificate transparency logs and Internet-wide scan data. In some cases it may be possible to pivot on known pieces of certificate information (subject or issuer name, organization, serial number, or certificate hash) to uncover other adversary infrastructure that reuses the same certificate or the same front organization.
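The following Python is an added example for both the self-signed versus CA-issued distinction above and the certificate-pivoting detection approach; it is not part of the MITRE ATT&CK page. Using only the standard library, it parses a DER or PEM certificate far enough to pull out the serial number, issuer, subject and SHA-256 fingerprint, flags self-issued certificates (issuer DN equal to subject DN), and pivots across a set of certificates on a shared field. The certificates it runs on are constructed inside the code with placeholder signatures, and every hostname and organization name in them is hypothetical.

```python
"""Minimal X.509 inspection with only the Python standard library.
Added example for this page; not MITRE ATT&CK content. The sample
certificates are constructed in code with placeholder signatures, so
they parse like real ones but would fail any signature verification."""
import base64
import hashlib

CN_OID, O_OID = b"\x55\x04\x03", b"\x55\x04\x0a"       # 2.5.4.3, 2.5.4.10
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"    # 1.2.840.113549.1.1.11
RSA_ENC = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"       # 1.2.840.113549.1.1.1


# ---- tiny DER encoder, used only to build the constructed samples ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                               # long-form length
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def x501_name(cn, org):
    """Name ::= SEQUENCE OF RelativeDistinguishedName (SET OF AttributeTypeAndValue)."""
    def rdn(oid, value):
        return der(0x31, der(0x30, der(0x06, oid) + der(0x0C, value.encode())))
    return der(0x30, rdn(O_OID, org) + rdn(CN_OID, cn))


def build_sample_cert(subject, issuer, serial):
    """Well-formed v3 certificate; the signature BIT STRING is a zero placeholder."""
    alg_id = der(0x30, der(0x06, SHA256_RSA) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, der(0x30, der(0x06, RSA_ENC) + der(0x05, b"")) + der(0x03, b"\x00" * 17))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + alg_id
              + x501_name(*issuer) + validity + x501_name(*subject) + spki)
    return der(0x30, tbs + alg_id + der(0x03, b"\x00" * 33))


def to_pem(der_bytes):
    """Wrap DER bytes in PEM armor, as CT log feeds and openssl emit them."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der_bytes) + b"\n-----END CERTIFICATE-----\n"


# ---- DER parser: just enough to reach the fields a defender pivots on ----
def _tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _tlv(content, pos)
        out.append((tag, body))
    return out


def _name_to_dict(name_der):
    attrs = {}
    for _, rdn in _children(name_der):                  # each SET
        for _, atv in _children(rdn):                   # each AttributeTypeAndValue
            (_, oid), (_, value) = _children(atv)
            label = {CN_OID: "CN", O_OID: "O"}.get(oid, oid.hex())
            attrs[label] = value.decode("utf-8", "replace")
    return attrs


def inspect_certificate(data):
    """Accept DER or PEM bytes; return serial, issuer, subject, self-issued flag and SHA-256."""
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    _, cert, _ = _tlv(data, 0)
    (_, tbs), *_ = _children(cert)                      # Certificate ::= SEQUENCE { tbs, alg, sig }
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    serial, issuer, subject = fields[0][1], fields[2][1], fields[4][1]
    return {
        "serial": serial.hex(),
        "issuer": _name_to_dict(issuer),
        "subject": _name_to_dict(subject),
        # Issuer DN == subject DN marks a self-issued certificate; a full verifier would
        # additionally check the signature against the embedded public key.
        "self_signed": issuer == subject,
        "sha256": hashlib.sha256(data).hexdigest(),     # the fingerprint CT/scan services index
    }


def pivot(certs, match):
    """Fingerprints of every certificate whose parsed fields satisfy match()."""
    return [info["sha256"] for info in map(inspect_certificate, certs) if match(info)]


# Constructed sample set (hypothetical names): a self-signed cert and a CA-issued cert
# for the same front organization, plus an unrelated cert from the same CA.
FRONT = "Front Org LLC"
SAMPLE_CERTS = [
    build_sample_cert(("mail.example.test", FRONT), ("mail.example.test", FRONT), b"\x01"),
    build_sample_cert(("update.example.test", FRONT), ("Example Test CA", "Example CA Inc"), b"\x02"),
    build_sample_cert(("shop.example.test", "Other Co"), ("Example Test CA", "Example CA Inc"), b"\x03"),
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(inspect_certificate(cert))
    print("same O as the front org:", pivot(SAMPLE_CERTS, lambda i: i["subject"].get("O") == FRONT))
```

Pivoting on the organization name finds both certificates the front organization obtained, including the CA-issued one, while the self-issued flag separates the certificate no public client would trust. Against real data, feed the same `inspect_certificate` the PEM blobs a certificate transparency log or scan service returns and pivot on whichever field was observed on known adversary infrastructure.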
Created: 20 December 2020
Last Modified: 27 December 2020