Data Encrypted via OpenSSL Utility

Identifies the execution of the OpenSSL utility to encrypt data. Adversaries may use OpenSSL to encrypt data to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2026/03/26"
 3integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager", "windows", "system"]
 4maturity = "production"
 5updated_date = "2026/03/26"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the execution of the OpenSSL utility to encrypt data. Adversaries may use OpenSSL to encrypt data to
11disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the
12purposes of extortion.
13"""
14from = "now-9m"
15index = [
16    "endgame-*",
17    "logs-crowdstrike.fdr*",
18    "logs-endpoint.events.process-*",
19    "logs-sentinel_one_cloud_funnel.*",
20    "auditbeat-*",
21    "logs-auditd_manager.auditd-*", 
22    "logs-system.security*",
23    "logs-windows.forwarded*",
24    "logs-windows.sysmon_operational-*",
25    "winlogbeat-*"
26]
27language = "eql"
28license = "Elastic License v2"
29name = "Data Encrypted via OpenSSL Utility"
30risk_score = 21
31rule_id = "feba48f6-40ca-4d04-b41f-5dfa327de865"
32severity = "low"
33tags = [
34    "Domain: Endpoint",
35    "OS: Linux",
36    "OS: Windows",
37    "OS: macOS",
38    "Use Case: Threat Detection",
39    "Tactic: Defense Evasion",
40    "Tactic: Collection",
41    "Data Source: Elastic Defend",
42    "Data Source: Elastic Endgame",
43    "Data Source: Crowdstrike",
44    "Data Source: SentinelOne",
45    "Data Source: Auditd Manager",
46    "Data Source: Windows Security Event Logs",
47    "Data Source: Sysmon",
48]
49timestamp_override = "event.ingested"
50type = "eql"
51query = '''
52process where event.type == "start" and event.action in ("start", "exec", "executed", "exec_event", "ProcessRollup2") and
53process.name : "openssl*" and process.args : "enc" and process.args : "-in" and process.args : "-out"
54'''
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1027"
60name = "Obfuscated Files or Information"
61reference = "https://attack.mitre.org/techniques/T1027/"
62[[rule.threat.technique.subtechnique]]
63id = "T1027.013"
64name = "Encrypted/Encoded File"
65reference = "https://attack.mitre.org/techniques/T1027/013/"
66
67
68[rule.threat.tactic]
69id = "TA0005"
70name = "Defense Evasion"
71reference = "https://attack.mitre.org/tactics/TA0005/"
72
73
74[[rule.threat]]
75framework = "MITRE ATT&CK"
76
77  [rule.threat.tactic]
78  name = "Collection"
79  id = "TA0009"
80  reference = "https://attack.mitre.org/tactics/TA0009/"
81
82  [[rule.threat.technique]]
83  name = "Data Staged"
84  id = "T1074"
85  reference = "https://attack.mitre.org/techniques/T1074/"
86
87    [[rule.threat.technique.subtechnique]]
88    name = "Local Data Staging"
89    id = "T1074.001"
90    reference = "https://attack.mitre.org/techniques/T1074/001/"

