Blue/Red Team question: does anyone have an observed example of an someone using x509 certs as part of their offensive tactics, beyond data encryption that is?

I’m putting together a talk on x509 certs and want to cover some historic examples of offensive usages in either red team or bad actor operations.

Please boost for distribution if possible