Suspicious Data Encryption via OpenSSL Utility

Last updated 7 months ago on 2025-02-04

Created 2 years ago on 2023-06-26

About

Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: ImpactData Source: Elastic DefendLanguage: eql

Severity

medium

Risk Score

MITRE ATT&CK™

Impact (TA0040)(opens in a new tab or window)

↳ Data Encrypted for Impact (T1486)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.process*
Related Integrations: endpoint(opens in a new tab or window)
Query

sequence by host.id, user.name, process.parent.entity_id with maxspan=5s
  [ process where host.os.type == "linux" and event.action == "exec" and
    process.name == "openssl" and process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl*", "php*", "python*", "xargs") and
    process.args == "-in" and process.args == "-out" and
    process.args in ("-k", "-K", "-kfile", "-pass", "-iv", "-md") and
    /* excluding base64 encoding options and including encryption password or key params */
    not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") ] with runs=10

Install detection rules in Elastic Security

Detect Suspicious Data Encryption via OpenSSL Utility in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).