Data Encrypted via OpenSSL Utility
Identifies the execution of the OpenSSL utility to encrypt data. Adversaries may use OpenSSL to encrypt data to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.
Rule type: eql
Rule indices:
- endgame-*
- logs-crowdstrike.fdr*
- logs-endpoint.events.process-*
- logs-sentinel_one_cloud_funnel.*
- auditbeat-*
- logs-auditd_manager.auditd-*
- logs-system.security*
- logs-windows.forwarded*
- logs-windows.sysmon_operational-*
- winlogbeat-*
Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Linux
- OS: Windows
- OS: macOS
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Tactic: Collection
- Data Source: Elastic Defend
- Data Source: Elastic Endgame
- Data Source: Crowdstrike
- Data Source: SentinelOne
- Data Source: Auditd Manager
- Data Source: Windows Security Event Logs
- Data Source: Sysmon
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query:
process where event.type == "start" and event.action in ("start", "exec", "executed", "exec_event", "ProcessRollup2") and
process.name : "openssl*" and process.args : "enc" and process.args : "-in" and process.args : "-out"
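To see exactly which process events the query above would alert on, the following is an added Python re-implementation of its predicate, run over constructed ECS-shaped process events. It is example code written for this page, not Elastic's code and not how the Elastic detection engine evaluates EQL; the helper names (matches_rule, make_event, evaluate, SAMPLE_EVENTS) and every sample command line are assumptions made here to exercise the logic.

```python
"""Added example: mirrors the rule's EQL predicate in Python so the match
semantics can be checked offline against constructed process events."""
import fnmatch

# Constants copied from the rule query.
START_ACTIONS = {"start", "exec", "executed", "exec_event", "ProcessRollup2"}
REQUIRED_ARGS = {"enc", "-in", "-out"}


def matches_rule(event: dict) -> bool:
    """Return True when an ECS-style process event satisfies the rule predicate."""
    ev = event.get("event", {})
    if ev.get("type") != "start":
        return False
    if ev.get("action") not in START_ACTIONS:
        return False
    proc = event.get("process", {})
    # EQL ':' against a wildcard string is a case-insensitive glob match,
    # so "openssl", "OPENSSL.EXE" and "openssl-3" all satisfy "openssl*".
    if not fnmatch.fnmatchcase(proc.get("name", "").lower(), "openssl*"):
        return False
    # EQL ':' against an array field matches if any element equals the value
    # (case-insensitively); all three required args must be present.
    args = {a.lower() for a in proc.get("args", [])}
    return REQUIRED_ARGS <= args


def make_event(action: str, name: str, args: list, etype: str = "start") -> dict:
    """Build a minimal ECS-shaped process event (constructed test data)."""
    return {"event": {"type": etype, "action": action},
            "process": {"name": name, "args": args}}


# Constructed sample events; none are taken from real telemetry.
SAMPLE_EVENTS = {
    # Symmetric encryption of a staged archive: matches.
    "encrypt_archive": make_event("exec", "openssl",
        ["openssl", "enc", "-aes-256-cbc", "-salt",
         "-in", "/tmp/staged.tar", "-out", "/tmp/staged.tar.enc"]),
    # Decryption also carries enc/-in/-out, so the rule fires on it too.
    "decrypt_archive": make_event("exec", "openssl",
        ["openssl", "enc", "-d", "-aes-256-cbc",
         "-in", "/tmp/staged.tar.enc", "-out", "/tmp/staged.tar"]),
    # Windows process creation: name carries .exe, action is "start".
    "windows_encrypt": make_event("start", "openssl.exe",
        ["openssl.exe", "enc", "-aes-256-cbc",
         "-in", "C:\\data\\db.bak", "-out", "C:\\data\\db.bak.enc"]),
    # Hashing a file: no "enc" subcommand, no match.
    "hash_file": make_event("exec", "openssl",
        ["openssl", "dgst", "-sha256", "/etc/hosts"]),
    # Encryption via stdin/stdout: no -in/-out arguments, no match.
    "pipe_encrypt": make_event("exec", "openssl",
        ["openssl", "enc", "-aes-256-cbc", "-pbkdf2"]),
    # Process termination for a matching command line: wrong event.type.
    "process_end": make_event("end", "openssl",
        ["openssl", "enc", "-in", "a", "-out", "b"], etype="end"),
}


def evaluate(events: dict = SAMPLE_EVENTS) -> dict:
    """Map each sample event name to whether the rule would alert on it."""
    return {name: matches_rule(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:17s} -> {'ALERT' if hit else 'no match'}")
```

Two points the samples make visible when tuning this rule: the predicate keys only on the presence of the enc subcommand together with -in and -out, so decryption runs (openssl enc -d ...) and routine backup or key-wrapping scripts alert just as a staging-for-ransom run does, while an openssl enc invocation that reads stdin and writes stdout produces no alert at all. Exceptions for known-good parent processes or paths belong in the rule's exception list rather than in the query.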
Framework: MITRE ATT&CK
Tactic:
- Name: Defense Evasion
- Id: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Obfuscated Files or Information
- Id: T1027
- Reference URL: https://attack.mitre.org/techniques/T1027/
Sub Technique:
- Name: Encrypted/Encoded File
- Id: T1027.013
- Reference URL: https://attack.mitre.org/techniques/T1027/013/
Framework: MITRE ATT&CK
Tactic:
- Name: Collection
- Id: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
Technique:
- Name: Data Staged
- Id: T1074
- Reference URL: https://attack.mitre.org/techniques/T1074/
Sub Technique:
- Name: Local Data Staging
- Id: T1074.001
- Reference URL: https://attack.mitre.org/techniques/T1074/001/