heroui logo

Suspicious SSL Connection

Sigma Rules

View Source
Summary
The 'Suspicious SSL Connection' detection rule aims to identify potential command and control (C2) traffic that utilizes known encryption protocols to obfuscate malicious communications. The focus of the rule is on the usage of PowerShell scripts that employ the 'System.Net.Security.SslStream' class, which is commonly used to create secure SSL connections. Specifically, the rule looks for instances where the script is performing actions related to SSL authentication, particularly involving remote certificate validation and client authentication. This behavior is indicative of scripts that may be attempting to establish covert channels for communication with remote adversaries, bypassing traditional security measures. The rule is triggered when specific keywords related to SSL functionality are detected in PowerShell script blocks. As a mitigation strategy, organizations should monitor for legitimate administrative scripts that might trigger false positives, as well as ensure that script block logging is enabled in the Windows environment to capture all relevant actions.
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
ATT&CK Techniques
  • T1573
Created: 2022-01-23