Obtain Capabilities: Digital Certificates

ID          Name
VT0009.001  Code Signing Certificates
VT0009.002  Digital Certificates

Before compromising a victim, adversaries may buy or steal SSL/TLS X.509 certificates that can be used during targeting. SSL/TLS X.509 certificates are digital files that are used for Secure Sockets Layer (SSL) or Transport Layer Security (TLS). An SSL/TLS certificate is one of the most popular types of X.509 certificate, that is, a public-key certificate that follows the X.509 standard. X.509 certificates contain a public key and the identity of a hostname, organization, or individual, and function as machine identities for authentication and data encryption.

An SSL/TLS certificate is most reliable when issued by a trusted Certificate Authority (CA). Once a CA has signed the certificate or another entity has validated it, the owner of that certificate can use the public key to establish secure connections with another party using the corresponding private key.[1]

Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: Web Protocols) or enabling Man-in-the-Middle if the certificate is trusted or otherwise added to the root of trust (i.e. Install Root Certificate).

The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third party, including from CAs.[2][3]

Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.[3]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.[4] Some server-side components of adversary tools may have default values set for SSL/TLS certificates.[5]
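The pivoting described above, as an added example that is not part of the original page: the Go program extracts the certificate attributes a defender can track across certificate-transparency and scan data (SHA-256 fingerprint, serial, issuer, subject, and whether the certificate is self-signed) and matches them against a watchlist of values seen on earlier adversary infrastructure. The function names, the CN "example-c2.invalid", the serial 1001 and the watchlist values are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Pivots parses a DER certificate and returns the "name=value" attributes a defender
// can track in CT logs and scan data, plus whether the certificate signed itself.
func Pivots(der []byte) ([]string, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return []string{
		fmt.Sprintf("sha256=%x", sha256.Sum256(c.Raw)),
		"serial=" + c.SerialNumber.String(),
		"issuer=" + c.Issuer.String(),
		"subject=" + c.Subject.String(),
		// Self-signed when the certificate's own public key verifies its signature.
		fmt.Sprintf("selfsigned=%t", c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil),
	}, nil
}

// Match returns the pivots also present in a watchlist of values seen on earlier adversary certificates.
func Match(pivots []string, watch map[string]bool) (hits []string) {
	for _, k := range pivots {
		if watch[k] {
			hits = append(hits, k)
		}
	}
	return hits
}

// SelfSignedDER builds a constructed self-signed certificate (hypothetical CN and serial)
// so the example runs offline instead of reading a live TLS handshake or a CT log entry.
func SelfSignedDER(cn string, serial int64) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}
```

In practice the DER bytes would come from a captured TLS handshake or a CT log entry, and the watchlist from attribute values recorded on previously identified adversary certificates.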

Detection efforts may be focused on related behaviors, such as Web Protocols, Asymmetric Cryptography, and/or Install Root Certificate.

References

ID: VT0009.002
Sub-techniques:
Tactic: Resource Development
Platforms: PRE
Data Sources: SSL/TLS certificates
Version: 1.0

Created: 20 December 2020

Last Modified: 20 December 2020