Elastic Security Detection Rules

Suspicious Data Encryption via OpenSSL Utility

Last updated 2 months ago on 2025-12-19
Created 3 years ago on 2023-06-26

About

Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: ImpactData Source: Elastic DefendLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Impact (TA0040)(external, opens in a new tab or window)

Data Encrypted for Impact (T1486)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process*
Related Integrations

endpoint(external, opens in a new tab or window)

Query
text code block:
sequence by host.id, user.name, process.parent.entity_id with maxspan=5s
  [ process where host.os.type == "linux" and event.action == "exec" and
    process.name == "openssl" and process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl*", "php*", "python*", "xargs") and
    process.args == "-in" and process.args == "-out" and
    process.args in ("-k", "-K", "-kfile", "-pass", "-iv", "-md") and
    /* excluding base64 encoding options and including encryption password or key params */
    not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") and
    not (process.parent.command_line == "bash -s" and process.args like "/root/recipes/recipes*")
  ] with runs=10

Install detection rules in Elastic Security

Detect Suspicious Data Encryption via OpenSSL Utility in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).