Suspicious Data Encryption via OpenSSL Utility
Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.
# Rule-repository metadata (not part of the detection logic).
[metadata]
creation_date = "2023/06/26"
# Events come from the Elastic Defend endpoint integration; matches the
# logs-endpoint.events.* index pattern and the "Data Source" tag below.
integration = ["endpoint"]
maturity = "production"
# Why the minimum stack version below is required.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/26"

[rule]
author = ["Elastic"]
description = """
Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window.
Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data
and may attempt to hold the organization's data to ransom for the purposes of extortion.
"""
# Lookback window per rule execution; it is far wider than the 5s maxspan
# of the sequence below, so a burst is not lost at a run boundary.
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Data Encryption via OpenSSL Utility"
# Background reading on openssl-driven ransomware/wiper activity on Linux.
references = [
 "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
 "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html",
]
# 47 is the conventional risk_score paired with severity = "medium" in Elastic rules.
risk_score = 47
rule_id = "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
type = "eql"
# Detection logic (EQL). The sequence is keyed by host, user and the parent
# process entity id, and `runs=10` requires ten consecutive matching openssl
# executions from that same parent within `maxspan=5s` — i.e. a scripted
# loop encrypting many files, not a single manual invocation.
#
# Each openssl execution must: be spawned by a shell/interpreter or xargs
# (process.parent.name), carry both -in and -out, and carry at least one
# key/password/iv/digest option (-k, -K, -kfile, -pass, -iv, -md).
# On array fields such as process.args, `==`/`in` match if any element matches.
#
# Exclusions are false-positive tuning and also the rule's blind spots:
# decryption (-d), base64 options (-a, -A, -base64) and -none/-nosalt are
# dropped, and a parent outside the listed shells/interpreters is never
# matched. Pair with the related file-rename/ransom-note rules for coverage.
query = '''
sequence by host.id, user.name, process.parent.entity_id with maxspan=5s
 [ process where host.os.type == "linux" and event.action == "exec" and
 process.name == "openssl" and process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl*", "php*", "python*", "xargs") and
 process.args == "-in" and process.args == "-out" and
 process.args in ("-k", "-K", "-kfile", "-pass", "-iv", "-md") and
 /* excluding base64 encoding options and including encryption password or key params */
 not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") ] with runs=10
'''

# MITRE ATT&CK mapping: one threat entry with its tactic and technique.
[[rule.threat]]
framework = "MITRE ATT&CK"

# Sub-table of the [[rule.threat]] element above.
[rule.threat.tactic]
name = "Impact"
id = "TA0040"
reference = "https://attack.mitre.org/tactics/TA0040/"

# Technique array under the same [[rule.threat]] element.
[[rule.threat.technique]]
name = "Data Encrypted for Impact"
id = "T1486"
reference = "https://attack.mitre.org/techniques/T1486/"
References
Related rules
- High Number of Process Terminations
- Hosts File Modified
- Potential Linux Ransomware Note Creation Detected
- Suspicious File Changes Activity Detected
- Suspicious Termination of ESXI Process