Suspicious Data Encryption via OpenSSL Utility

Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target’s data and may attempt to hold the organization’s data to ransom for the purposes of extortion.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Impact

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

sequence by host.id, user.name, process.parent.entity_id with maxspan=5s
  [ process where host.os.type == "linux" and event.action == "exec" and
    process.name == "openssl" and process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl*", "php*", "python*", "xargs") and
    process.args == "-in" and process.args == "-out" and
    process.args in ("-k", "-K", "-kfile", "-pass", "-iv", "-md") and
    /* excluding base64 encoding options and including encryption password or key params */
    not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") ] with runs=10
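The query above is EQL and only runs inside the Elastic stack. To make the rule's logic concrete, the following is an added Python re-implementation (not part of the rule or of Elastic's code) that applies the same per-event filter, groups events by host.id, user.name and process.parent.entity_id, and raises an alert when ten matching executions fall within the 5-second maxspan. The event records and field names are simplified stand-ins for the ECS fields the query references, and the sample events are constructed for the example; EQL's exact sequence-consumption semantics are approximated by resetting the window after each alert.

```python
"""Plain-Python approximation of the EQL rule: ten openssl encryption runs
within 5 s from one shell parent on one host, by one user."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass

# Values copied from the rule query.
SHELL_PARENTS = ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish",
                 "perl*", "php*", "python*", "xargs")
KEY_ARGS = {"-k", "-K", "-kfile", "-pass", "-iv", "-md"}       # encryption key/password params
EXCLUDED_ARGS = {"-d", "-a", "-A", "-base64", "-none", "-nosalt"}  # decrypt / encode-only options
MAXSPAN_SECONDS = 5.0   # sequence ... with maxspan=5s
RUNS = 10               # ... with runs=10


@dataclass(frozen=True)
class ProcessEvent:
    """Simplified stand-in for an ECS process event (field names are assumptions)."""
    timestamp: float          # @timestamp as epoch seconds
    host_id: str              # host.id
    user_name: str            # user.name
    parent_entity_id: str     # process.parent.entity_id
    os_type: str              # host.os.type
    action: str               # event.action
    name: str                 # process.name
    parent_name: str          # process.parent.name
    args: tuple[str, ...]     # process.args


def parent_matches(parent_name: str) -> bool:
    """EQL ':' is a case-insensitive wildcard match against each listed pattern."""
    lowered = parent_name.lower()
    return any(fnmatch.fnmatchcase(lowered, pat) for pat in SHELL_PARENTS)


def matches_event(ev: ProcessEvent) -> bool:
    """The [ process where ... ] filter; array comparisons mean 'any element'."""
    if ev.os_type != "linux" or ev.action != "exec" or ev.name != "openssl":
        return False
    if not parent_matches(ev.parent_name):
        return False
    args = set(ev.args)
    if "-in" not in args or "-out" not in args:   # must read a file and write a file
        return False
    if not (args & KEY_ARGS):                     # must carry a key/password/iv/digest option
        return False
    if args & EXCLUDED_ARGS:                      # decrypt or plain base64 runs are not counted
        return False
    return True


def detect(events: list[ProcessEvent]) -> list[tuple[tuple[str, str, str], float, float]]:
    """Return (group_key, first_ts, last_ts) for every run of RUNS matching
    events whose timestamps span at most MAXSPAN_SECONDS within one group."""
    groups: dict[tuple[str, str, str], list[ProcessEvent]] = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        if matches_event(ev):
            key = (ev.host_id, ev.user_name, ev.parent_entity_id)
            groups.setdefault(key, []).append(ev)

    alerts = []
    for key, evs in groups.items():
        window: list[ProcessEvent] = []
        for ev in evs:
            window.append(ev)
            while ev.timestamp - window[0].timestamp > MAXSPAN_SECONDS:
                window.pop(0)             # slide: drop events older than the maxspan
            if len(window) >= RUNS:
                alerts.append((key, window[0].timestamp, ev.timestamp))
                window = []               # matched events are consumed, like an EQL sequence
    return alerts


def sample_events() -> list[ProcessEvent]:
    """Constructed sample data: one burst that should alert, one that should not."""
    def enc(ts, parent_id, extra=()):
        return ProcessEvent(ts, "host-1", "svc", parent_id, "linux", "exec", "openssl", "bash",
                            ("openssl", "enc", "-in", f"doc{ts}", "-out", f"doc{ts}.enc", *extra))
    burst = [enc(100.0 + 0.3 * i, "parent-bash-1", ("-pass", "pass:placeholder")) for i in range(10)]
    decrypt = enc(101.0, "parent-bash-1", ("-d", "-pass", "pass:placeholder"))   # excluded by -d
    slow = [enc(200.0 + 4.0 * i, "parent-bash-2", ("-pass", "pass:placeholder")) for i in range(10)]
    encode_only = enc(300.0, "parent-bash-3", ("-base64",))                      # no key args, excluded
    return burst + [decrypt] + slow + [encode_only]


if __name__ == "__main__":
    for key, first, last in detect(sample_events()):
        print(f"ALERT host/user/parent={key} {RUNS} encryptions in {last - first:.1f}s")
```

Running the script prints one alert for the 2.7-second burst under parent-bash-1; the ten runs spaced 4 seconds apart never have ten events inside a 5-second window, and the decrypt and base64-only invocations are dropped by the argument checks, which is exactly the false-positive handling the `/* excluding base64 ... */` comment in the query describes.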

Framework: MITRE ATT&CK™