IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Data Encrypted via OpenSSL Utility


Identifies the execution of the OpenSSL utility to encrypt data. Adversaries may use OpenSSL to encrypt data to disrupt the availability of their target’s data and may attempt to hold the organization’s data to ransom for the purposes of extortion.

Rule type: eql

Rule indices:

  • endgame-*
  • logs-crowdstrike.fdr*
  • logs-endpoint.events.process-*
  • logs-sentinel_one_cloud_funnel.*
  • auditbeat-*
  • logs-auditd_manager.auditd-*
  • logs-system.security*
  • logs-windows.forwarded*
  • logs-windows.sysmon_operational-*
  • winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • OS: Windows
  • OS: macOS
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Tactic: Collection
  • Data Source: Elastic Defend
  • Data Source: Elastic Endgame
  • Data Source: Crowdstrike
  • Data Source: SentinelOne
  • Data Source: Auditd Manager
  • Data Source: Windows Security Event Logs
  • Data Source: Sysmon

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

process where event.type == "start" and event.action in ("start", "exec", "executed", "exec_event", "ProcessRollup2") and
process.name : "openssl*" and process.args : "enc" and process.args : "-in" and process.args : "-out"
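To make the query's behaviour concrete, here is an added example that is not part of the Elastic rule page or the detection-rules repository: a small Python re-implementation of the same match conditions, run over constructed ECS-style process events. It assumes EQL's `:` operator is a case-insensitive, wildcard-aware comparison that succeeds when any element of an array field (such as `process.args`) matches; the event records and file paths are made up for illustration.

```python
"""Added example: mirror the rule's EQL conditions in Python and run them
over constructed process events (not real telemetry)."""
from fnmatch import fnmatchcase
from typing import Any

# Constants copied from the rule query above.
START_ACTIONS = {"start", "exec", "executed", "exec_event", "ProcessRollup2"}
REQUIRED_ARGS = ("enc", "-in", "-out")
NAME_PATTERN = "openssl*"


def _field(event: dict[str, Any], path: str) -> Any:
    """Fetch a dotted ECS field from either a nested or a flattened event."""
    if path in event:
        return event[path]
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _eql_match(value: Any, pattern: str) -> bool:
    """Approximation of EQL ':' (assumption): case-insensitive, '*' wildcard,
    true if any element of an array field matches the pattern."""
    values = value if isinstance(value, list) else [value]
    return any(
        isinstance(v, str) and fnmatchcase(v.lower(), pattern.lower())
        for v in values
    )


def matches_rule(event: dict[str, Any]) -> bool:
    """True when the event satisfies every clause of the rule query."""
    if _field(event, "event.category") != "process":  # 'process where'
        return False
    if _field(event, "event.type") != "start":
        return False
    if _field(event, "event.action") not in START_ACTIONS:
        return False
    if not _eql_match(_field(event, "process.name"), NAME_PATTERN):
        return False
    args = _field(event, "process.args")
    return all(_eql_match(args, a) for a in REQUIRED_ARGS)


# Constructed sample events in ECS field names (not captured data).
SAMPLE_EVENTS = [
    # Linux exec of openssl encrypting a file in place: fires.
    {"event": {"category": "process", "type": "start", "action": "exec"},
     "process": {"name": "openssl",
                 "args": ["openssl", "enc", "-aes-256-cbc", "-salt",
                          "-in", "/srv/share/finance.xlsx",
                          "-out", "/srv/share/finance.xlsx.enc"]}},
    # Flattened Windows-style event with a capitalised binary name: fires.
    {"event.category": "process", "event.type": "start",
     "event.action": "start",
     "process.name": "OpenSSL.exe",
     "process.args": ["OpenSSL.exe", "enc", "-in", "C:\\Users\\a\\doc.docx",
                      "-out", "C:\\Users\\a\\doc.docx.enc"]},
    # Decryption has the same 'enc -in -out' shape, so the query fires too.
    {"event": {"category": "process", "type": "start", "action": "exec"},
     "process": {"name": "openssl",
                 "args": ["openssl", "enc", "-d", "-in", "x.enc", "-out", "x"]}},
    # Hashing: no 'enc' subcommand, so no match.
    {"event": {"category": "process", "type": "start", "action": "exec"},
     "process": {"name": "openssl",
                 "args": ["openssl", "dgst", "-sha256", "-in", "x"]}},
    # Process-end event for an encrypting command line: not a start, no match.
    {"event": {"category": "process", "type": "end", "action": "end"},
     "process": {"name": "openssl",
                 "args": ["openssl", "enc", "-in", "x", "-out", "x.enc"]}},
]


def run_rule(events: list[dict[str, Any]]) -> list[int]:
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print("alerting events:", run_rule(SAMPLE_EVENTS))
```

The third sample event shows a tuning point worth knowing before enabling the rule: the query checks only for the `enc` subcommand plus `-in` and `-out`, so a decryption run (`openssl enc -d ...`) produces the same alert as an encryption run. Combined with the low severity and a risk score of 21, that makes the rule a candidate for correlation with other signals (file-rename or mass-write activity) rather than a standalone page-out.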

Framework: MITRE ATT&CK™