Develop Capabilities: Digital Certificates

Before compromising a victim, adversaries may create self-signed or CA-signed SSL/TLS X.509 certificates that can be used during targeting. SSL/TLS X.509 certificates are digital files used for Secure Sockets Layer (SSL) or Transport Layer Security (TLS). An SSL/TLS certificate is one of the most common types of X.509 certificate, a kind of public-key certificate that uses the X.509 standard. X.509 certificates contain a public key and the identity of a hostname, organization, or individual, and function as machine identities for authentication and data encryption.

An SSL/TLS certificate is most reliable when issued by a trusted Certificate Authority (CA). When a CA signs the certificate, or another entity validates it, the owner of that certificate can present the public key to establish secure connections with another party, proving possession with the corresponding private key.

Self-signed X.509 SSL/TLS certificates are not trusted by public-facing applications and are mainly used to encrypt and authenticate data within an organization’s network.[1]

Adversaries may use self-signed certificates to encrypt C2 traffic (e.g., Web Protocols) or to establish a Man-in-the-Middle position if the certificate is added to the root of trust (i.e., Install Root Certificate).[2]

Adversaries may register or hijack domains for which they will later purchase an SSL/TLS certificate, using a front organization or information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity.

Otherwise, adversaries may Obtain Capabilities and steal certificate materials directly from a compromised third party, including from CAs.[3][4]

Mitigations

This technique cannot be easily mitigated with preventive controls, since it is based on the abuse of system features.

Detection

Consider using services that track the certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information (issuer, subject names, fingerprint) to uncover other adversary infrastructure.[3]
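The pivoting idea above, as an added example that is not part of the original page: given (certificate, host) observations of the kind a certificate-tracking service exports, flag hosts presenting self-signed certificates and expand outward from one suspicious host on shared fingerprint, overlapping Subject Alternative Names, and shared non-public issuers. All records, hostnames, hashes, and the `PUBLIC_ISSUERS` allowlist are constructed for the example; the field names are an assumption, not any real service's schema.

```python
from collections import deque

# Constructed sample observations, shaped like a certificate-tracking
# service export might be. Field names and every value are made up.
OBSERVED = [
    {"host": "203.0.113.10", "sha256": "aa11", "subject_cn": "cdn-sync.example.test",
     "issuer_cn": "cdn-sync.example.test", "sans": ["cdn-sync.example.test"]},
    {"host": "198.51.100.7", "sha256": "aa11", "subject_cn": "cdn-sync.example.test",
     "issuer_cn": "cdn-sync.example.test", "sans": ["cdn-sync.example.test"]},
    {"host": "203.0.113.55", "sha256": "bb22", "subject_cn": "mail.example.test",
     "issuer_cn": "Ops Root CA", "sans": ["mail.example.test", "cdn-sync.example.test"]},
    {"host": "192.0.2.9", "sha256": "cc33", "subject_cn": "files.example.test",
     "issuer_cn": "Ops Root CA", "sans": ["files.example.test"]},
    {"host": "198.51.100.200", "sha256": "dd44", "subject_cn": "www.unrelated.test",
     "issuer_cn": "Example Public CA", "sans": ["www.unrelated.test"]},
]
# Public CAs sign far too many certificates for a shared issuer to mean anything.
PUBLIC_ISSUERS = {"Example Public CA"}

def is_self_signed(rec):
    """Subject and issuer naming the same entity is the usual self-signed tell."""
    return rec["subject_cn"] == rec["issuer_cn"]

def self_signed_hosts(records):
    """Hosts presenting a self-signed certificate: untrusted on public services."""
    return sorted(r["host"] for r in records if is_self_signed(r))

def related_reasons(a, b):
    """Why record b is tied to record a; an empty list means no pivot."""
    if a["sha256"] == b["sha256"]:
        return ["same certificate " + a["sha256"]]  # identical cert, new host
    reasons = []
    shared = sorted(set(a["sans"]) & set(b["sans"]))
    if shared:
        reasons.append("SAN overlap " + ",".join(shared))
    if a["issuer_cn"] == b["issuer_cn"] and a["issuer_cn"] not in PUBLIC_ISSUERS:
        reasons.append("shared private issuer " + a["issuer_cn"])
    return reasons

def pivot(records, seed_host):
    """Breadth-first expansion from seed_host; returns {host: [reasons]}."""
    by_host = {r["host"]: r for r in records}
    found, queue = {}, deque([seed_host])
    while queue:
        cur = by_host[queue.popleft()]
        for rec in records:
            if rec["host"] == seed_host or rec["host"] in found:
                continue
            reasons = related_reasons(cur, rec)
            if reasons:  # each newly tied host becomes a pivot point itself
                found[rec["host"]] = reasons
                queue.append(rec["host"])
    return found
```

Starting from 203.0.113.10, the expansion reaches 192.0.2.9 only through the private issuer shared with 203.0.113.55, while the publicly issued certificate never joins the cluster.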

Detection efforts may be focused on related behaviors, such as Web Protocols, Asymmetric Cryptography, and/or Install Root Certificate.

References

ID: VT0007.002
Sub-techniques:
Tactic: Resource Development
Platforms: PRE
Data Sources: SSL/TLS certificates
Version: 1.0

Created: 20 December 2020

Last Modified: 27 December 2020