Connection to Commonly Abused Free SSL Certificate Providers
Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/11/04"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known
encryption algorithm to conceal command and control traffic.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Connection to Commonly Abused Free SSL Certificate Providers"
risk_score = 21
rule_id = "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Command and Control",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
network where host.os.type == "windows" and network.protocol == "dns" and
 /* Add new free SSL certificate provider domains here */
 dns.question.name : ("*letsencrypt.org", "*.sslforfree.com", "*.zerossl.com", "*.freessl.org") and

 /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */
 process.executable : ("C:\\Windows\\System32\\*.exe",
 "C:\\Windows\\System\\*.exe",
 "C:\\Windows\\SysWOW64\\*.exe",
 "C:\\Windows\\Microsoft.NET\\Framework*\\*.exe",
 "C:\\Windows\\explorer.exe",
 "C:\\Windows\\notepad.exe") and

 /* Insert noisy false positives here */
 not process.name : ("svchost.exe", "MicrosoftEdge*.exe", "msedge.exe")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Connection to Commonly Abused Free SSL Certificate Providers

Free SSL certificates, like those from Let's Encrypt, enable secure web traffic encryption. Adversaries exploit these to mask malicious command and control (C2) communications. The detection rule identifies unusual Windows processes accessing domains with such certificates, excluding common false positives, to flag potential misuse of encrypted channels for C2 activities.

### Possible investigation steps

- Review the process executable path to confirm if it is a native Windows process and assess the legitimacy of its network activity. Focus on paths like "C:\\Windows\\System32\\*.exe" and "C:\\Windows\\SysWOW64\\*.exe".
- Investigate the specific domain accessed by the process, such as those ending in "*.letsencrypt.org" or "*.sslforfree.com", to determine if it is associated with known malicious activity or if it is a legitimate service.
- Check the process name against the list of excluded false positives, ensuring it is not "svchost.exe", "MicrosoftEdge*.exe", or "msedge.exe", which are common and typically benign.
- Analyze the network traffic associated with the process to identify any unusual patterns or anomalies that could indicate command and control activity.
- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activities.

### False positive analysis

- Windows system processes like svchost.exe and MicrosoftEdge.exe are common false positives due to their legitimate network activities. These can be excluded from the detection rule to reduce noise.
- Regularly update the list of excluded processes to include any new system processes that are verified to have legitimate reasons for accessing domains with free SSL certificates.
- Monitor and analyze network traffic patterns to identify any additional processes that consistently generate false positives, and consider adding them to the exclusion list if they are deemed non-threatening.
- Use process whitelisting to allow known safe applications that frequently access these domains, ensuring they do not trigger alerts unnecessarily.
- Implement a review process to periodically reassess the exclusion list, ensuring it remains relevant and does not inadvertently allow malicious activities to go undetected.

### Response and remediation

- Isolate the affected system from the network to prevent further malicious communication and potential lateral movement.
- Terminate any suspicious processes identified in the alert that are not typically associated with network activity, such as those running from unusual paths or with unexpected network connections.
- Conduct a thorough review of the system's recent activity logs to identify any unauthorized changes or additional indicators of compromise.
- Remove any malicious files or executables found on the system, ensuring that all remnants of the threat are eradicated.
- Restore the system from a known good backup if any critical system files or configurations have been altered.
- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1573"
name = "Encrypted Channel"
reference = "https://attack.mitre.org/techniques/T1573/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
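To see how the rule's three clauses (free-certificate domain, native Windows executable path, process-name exclusions) combine, and how the "Insert noisy false positives here" tuning affects results, the following is an added Python reimplementation of the query's matching logic run over constructed Sysmon-style DNS events. It is example code, not Elastic's rule engine: the domain, path and exclusion lists are copied verbatim from the query above, the event dicts and the `CorpCertAgent.exe` tuning entry are constructed for illustration, and EQL's `:` operator is emulated with a case-insensitive glob match.

```python
"""Emulate the EQL rule above over constructed DNS events (added example, not Elastic code)."""
import fnmatch

# Lists copied verbatim from the rule query; everything else in this file is constructed.
FREE_SSL_DOMAINS = ["*letsencrypt.org", "*.sslforfree.com", "*.zerossl.com", "*.freessl.org"]
NATIVE_PATHS = [
    "C:\\Windows\\System32\\*.exe",
    "C:\\Windows\\System\\*.exe",
    "C:\\Windows\\SysWOW64\\*.exe",
    "C:\\Windows\\Microsoft.NET\\Framework*\\*.exe",
    "C:\\Windows\\explorer.exe",
    "C:\\Windows\\notepad.exe",
]
EXCLUDED_NAMES = ["svchost.exe", "MicrosoftEdge*.exe", "msedge.exe"]


def eql_match(value, patterns):
    """Emulate EQL's ':' operator: case-insensitive wildcard match against any pattern.

    Note that "*letsencrypt.org" (no dot) also matches "letsencrypt.org" itself,
    while "*.sslforfree.com" needs at least one label before the suffix.
    """
    if value is None:
        return False
    lowered = value.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def rule_matches(event, excluded_names=EXCLUDED_NAMES):
    """Return True when an event satisfies every clause of the rule query."""
    return (
        event.get("event.category") == "network"          # 'network where'
        and event.get("host.os.type") == "windows"
        and event.get("network.protocol") == "dns"
        and eql_match(event.get("dns.question.name"), FREE_SSL_DOMAINS)
        and eql_match(event.get("process.executable"), NATIVE_PATHS)
        and not eql_match(event.get("process.name"), excluded_names)
    )


def alerts(events, excluded_names=EXCLUDED_NAMES):
    """Return the ids of events that would raise an alert under the given exclusion list."""
    return [e["id"] for e in events if rule_matches(e, excluded_names)]


def _dns_event(event_id, qname, executable, name, os_type="windows"):
    """Build a constructed Sysmon-style DNS event (flat ECS field names)."""
    return {
        "id": event_id,
        "event.category": "network",
        "host.os.type": os_type,
        "network.protocol": "dns",
        "dns.question.name": qname,
        "process.executable": executable,
        "process.name": name,
    }


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    # Native System32 binary resolving a free-certificate provider: alerts.
    _dns_event("regsvr32-zerossl", "api.zerossl.com",
               "C:\\Windows\\System32\\regsvr32.exe", "regsvr32.exe"),
    # svchost.exe is on the exclusion list: no alert.
    _dns_event("svchost-letsencrypt", "r3.o.lencr.org.letsencrypt.org",
               "C:\\Windows\\System32\\svchost.exe", "svchost.exe"),
    # Browser outside the native path list: no alert.
    _dns_event("chrome-letsencrypt", "letsencrypt.org",
               "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "chrome.exe"),
    # Mixed-case path and domain still match, as EQL ':' is case-insensitive.
    # CorpCertAgent.exe is a hypothetical in-house agent used to show tuning.
    _dns_event("certagent-upper", "OCSP.LetsEncrypt.org",
               "C:\\WINDOWS\\SYSWOW64\\CorpCertAgent.exe", "CorpCertAgent.exe"),
    # Same pattern on a non-Windows host is outside the rule's scope.
    _dns_event("linux-host", "api.zerossl.com", "/usr/bin/curl", "curl", os_type="linux"),
]

if __name__ == "__main__":
    print("default exclusions:", alerts(SAMPLE_EVENTS))
    # Tuning step from the guide: add a verified-benign process to the exclusion list.
    print("with CorpCertAgent.exe excluded:",
          alerts(SAMPLE_EVENTS, EXCLUDED_NAMES + ["CorpCertAgent.exe"]))
```

Running the file shows two alerts under the default exclusions and one after the hypothetical `CorpCertAgent.exe` tuning entry is appended, which mirrors editing the `not process.name : (...)` clause in the rule. Keep in mind the asymmetry in the domain list that the comment in `eql_match` notes: `*letsencrypt.org` matches any name ending in that string, including the bare apex, whereas the other three entries require a leading dot.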
Related rules
- Attempt to Establish VScode Remote Tunnel
- Outlook Home Page Registry Modification
- Potential File Transfer via Certreq
- Remote Desktop File Opened from Suspicious Path
- Suspicious Execution from INET Cache