Skip to content

TLS Certificate

Overview

  • Definition

    An SSL/TLS certificate allows systems to verify the identity of another system and establish an encrypted network connection between them using the SSL/TLS protocol. Certificates are often represented using a SHA1 or SHA256 fingerprint.

  • Usecase

    Threat actors use these certificates much like in the legitimate usecase, such as to enable encrypted TLS communication between infected clients and C&C servers.

  • Features

    The certificate used by gopivoting.org as of 2024-06-04 contains the following pivotable data:

    Serial Number:
        04:23:7a:e2:8d:c6:17:e3:78:6e:dd:e6:0a:42:24:40:1c:1e
    Issuer: (CA ID: 183267)
        commonName                = R3
        organizationName          = Let's Encrypt
        countryName               = US
    Validity
        Not Before: May 20 05:50:30 2024 GMT
        Not After : Aug 18 05:50:29 2024 GMT
    Subject:
        commonName                = gopivot.ing
    

  • Pivot Map
    flowchart LR
        classDef primary stroke-width: 2px
        classDef secondary stroke-dasharray: 5 5
    
        %% define nodes
        DOMAIN(Domain)
        SERVER([Server])
        IP_ADDRESS(IP Address)
        TLS_CERT(TLS Certificate):::primary
        TLS_CERT_(TLS Certificate):::secondary
    
        %% define edges
        TLS_CERT -- served by ---> SERVER
        SERVER -. hosted by ..-> IP_ADDRESS
        TLS_CERT -- CN ---> DOMAIN
        TLS_CERT <-- CN ---> TLS_CERT_
        TLS_CERT <-- subject ---> TLS_CERT_
        TLS_CERT <-- CA ---> TLS_CERT_
        TLS_CERT <-- time --> TLS_CERT_
    
        %% define links
        click DOMAIN "#domains"
        click SERVER "#servers"
        click TLS_CERT_ "#tls-certificates"
    

Pivots

Servers

Servers serving it

Threat actors use TLS certificates to enable encrypted TLS communication between attacker-controlled servers, as well as between infected clients and attacker-controlled servers (such as for encrypting communication between malware and its C&C server). If a threat actor deploys multiple servers as part of the same campaign, they might use the same certificate across a subset of their fleet, or use several certificates with partially overlapping details.

Given a certificate, analysts can query host scanning services such as Shodan and Censys for the certificate itself (by its hash) or for any of its individual details (such as serial number or common name) to identify potentially related servers.

Example

The default configuration of Cobalt Strike servers is to use a specific self-signed TLS certificate (SHA-1 6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C). Some threat actors make the mistake of using this default certificate, which can be leveraged for identification.1

Try it out
https://www.shodan.io/search?query=ssl.cert.serial%3A{SERIAL_NUMBER}
https://www.shodan.io/search?query=ssl.cert.subject.cn%3A{COMMON_NAME}
https://search.censys.io/search?resource=hosts&q=services.tls.certificates.leaf_data.fingerprint%3A+{SHA256_HASH}
https://search.censys.io/search?resource=certificates&q=parsed.serial_number%3A+{SERIAL_NUMBER}
https://search.censys.io/search?resource=hosts&q=services.tls.certificate.parsed.subject.common_name%3A{COMMON_NAME}

Domains

Domains matching its CN

TLS certificates contain many fields denoting registrant information, registar information, and various "names" indicating which domain or subdomains the certificate applies to. Further pivoting on the domain listed in the common name field (CN) can lead to other certificates listing the same one or similar ones.

Example

Embee Research analyzed certificate data related to a domain associated with MatanBuchus in order to surface additional domains using certificates with the same subdomains, certificate authority, and registration period.2

TLS Certificates

Certificates with same CN

Threat actors may register more than one certificate with the same common name (CN), and use each certificate on a different server, even if the domain name resolving to a server does not match the common name of the certificate.

Given a certificate, analysts can query certificate databases for its CN to identify potentially related certificates.

Example

ThreatConnect identified an IP address associated with APT28 serving a certificate that listed the common name ecitcom[.]net. Pivoting on this name led to several other servers using certificates with the same CN, that resolved domains with completely different names.3

Try it out
https://crt.sh/?CN={COMMON_NAME}

Certificates with similar subject details

Threat actors may reuse certain subject details when registering more than one certificate. If these details are relatively unique (on their own or in combination), analysts can pivot on them to discover additional potentially related certificates.

Given a certificate, analysts can query certificate databases for any of its subject details (individually or in combination) to identify potentially related certificates.

Certificates registered with same CA

Threat actors may register multiple certificates using the same certificate authority (CA), which is listed in the issuer organization field. If the CA itself is uncommon, or if a combination of CA and other factors is relatively unique, analysts can leverage this commonality to identify additional certificates registered by the same actor.

Given a certificate, analysts can query certificate databases for the CA (or the CA in combination with other fields) to identify potentially related certificates.

Try it out
https://crt.sh/?CAName={CA_NAME}
https://search.censys.io/search?resource=certificates&q=parsed.issuer.common_name%3A{CA_NAME}

Certificates registered in the same timeframe

Threat actors may register many TLS certificates throughout their period of activity, or for the purpose of a particular operation or campaign. In order to maintain OPSEC, threat actors may register every certificate at a different time and at irregular intervals. However, less savvy threat actors could very well register many of their certificates around the same time, a mistake which analysts can leverage along with other parameters in order to identify additional potentially related certificates.

Example

ThreatConnect determined that most certificates suspected to be in use by APT28 as of March 2018 were registered during working hours of Moscow's time zone. While this wasn't unique enough for pivoting to unknown certificates, it did serve to increase their confidence in their attribution of related activity to this threat actor.3