UNC4841 - SSL Certificate Exfiltration Via Openssl
Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
Sigma rule (View on GitHub)
1title: UNC4841 - SSL Certificate Exfiltration Via Openssl
2id: 60911c07-f989-4362-84af-c609828ef829
3status: test
4description: Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
5references:
6 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/06/16
9tags:
10 - attack.defense_evasion
11 - attack.t1140
12 - detection.emerging_threats
13logsource:
14 product: linux
15 category: process_creation
16detection:
17 selection:
18 Image|endswith: '/openssl'
19 CommandLine|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
20 CommandLine|contains|all:
21 - 's_client'
22 - '-quiet'
23 - '-connect'
24 CommandLine|contains:
25 - ':443'
26 - ':8080'
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
-
On May 23, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in-the-wild as early as October 2022 and that the...
Read More
Related rules
- UNC4841 - Download Compressed Files From Temp.sh Using Wget
- UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
- Potential BlackByte Ransomware Activity
- Linux Base64 Encoded Pipe to Shell
- UNC4841 - Barracuda ESG Exploitation Indicators