Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Resource Development
  4. >ATTACK-T1588.004
ATTACK-T1588.004Active

Digital Certificates

Statement

Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.

Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: Asymmetric Cryptography with Web Protocols) or even enabling Adversary-in-the-Middle if the certificate is trusted or otherwise added to the root of trust (i.e. Install Root Certificate). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.

Certificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)

After obtaining a digital certificate, an adversary may then install that certificate (see Install Digital Certificate) on infrastructure under their control.

Location

Tactic
Resource Development

Technique Details

Identifier
ATTACK-T1588.004
Parent Technique
ATTACK-T1588
ATT&CK Page
View on MITRE

Tactics

Resource Development

Platforms

PRE

Detection

Detection of Digital Certificates

Mitigations

Pre-compromise: Pre-compromise mitigations involve proactive measures and defenses implemented to prevent adversaries from successfully identifying and exploiting weaknesses during the Reconnaissance and Resource Development phases of an attack. These activities focus on reducing an organization's attack surface, identify adversarial preparation efforts, and increase the difficulty for attackers to conduct successful operations. This mitigation can be implemented through the following measures:

Limit Information Exposure:

  • Regularly audit and sanitize publicly available data, including job posts, websites, and social media.
  • Use tools like OSINT monitoring platforms (e.g., SpiderFoot, Recon-ng) to identify leaked information.

Protect Domain and DNS Infrastructure:

  • Enable DNSSEC and use WHOIS privacy protection.
  • Monitor for domain hijacking or lookalike domains using services like RiskIQ or DomainTools.

External Monitoring:

  • Use tools like Shodan, Censys to monitor your external attack surface.
  • Deploy external vulnerability scanners to proactively address weaknesses.

Threat Intelligence:

  • Leverage platforms like MISP, Recorded Future, or Anomali to track adversarial infrastructure, tools, and activity.

Content and Email Protections:

  • Use email security solutions like Proofpoint, Microsoft Defender for Office 365, or Mimecast.
  • Enforce SPF/DKIM/DMARC policies to protect against email spoofing.

Training and Awareness:

  • Educate employees on identifying phishing attempts, securing their social media, and avoiding information leaks.

No cross-framework mappings available

← Back to Resource Development
Resource Development47 controls
ATTACK-T1583Acquire InfrastructureATTACK-T1583.001DomainsATTACK-T1583.002DNS ServerATTACK-T1583.003Virtual Private ServerATTACK-T1583.004ServerATTACK-T1583.005BotnetATTACK-T1583.006Web ServicesATTACK-T1583.007ServerlessATTACK-T1583.008MalvertisingATTACK-T1584Compromise InfrastructureATTACK-T1584.001DomainsATTACK-T1584.002DNS ServerATTACK-T1584.003Virtual Private ServerATTACK-T1584.004ServerATTACK-T1584.005BotnetATTACK-T1584.006Web ServicesATTACK-T1584.007ServerlessATTACK-T1584.008Network DevicesATTACK-T1585Establish AccountsATTACK-T1585.001Social Media AccountsATTACK-T1585.002Email AccountsATTACK-T1585.003Cloud AccountsATTACK-T1586Compromise AccountsATTACK-T1586.001Social Media AccountsATTACK-T1586.002Email AccountsATTACK-T1586.003Cloud AccountsATTACK-T1587Develop CapabilitiesATTACK-T1587.001MalwareATTACK-T1587.002Code Signing CertificatesATTACK-T1587.003Digital CertificatesATTACK-T1587.004ExploitsATTACK-T1588Obtain CapabilitiesATTACK-T1588.001MalwareATTACK-T1588.002ToolATTACK-T1588.003Code Signing CertificatesATTACK-T1588.004Digital CertificatesATTACK-T1588.005ExploitsATTACK-T1588.006VulnerabilitiesATTACK-T1588.007Artificial IntelligenceATTACK-T1608Stage CapabilitiesATTACK-T1608.001Upload MalwareATTACK-T1608.002Upload ToolATTACK-T1608.003Install Digital CertificateATTACK-T1608.004Drive-by TargetATTACK-T1608.005Link TargetATTACK-T1608.006SEO PoisoningATTACK-T1650Acquire Access