
Summary
Detects execution of the OpenSSL command-line utility to encrypt data, a technique adversaries use to deny access to files and then monetize them through extortion. The rule fires on process start events where the process name matches openssl and the arguments include enc together with -in and -out, which indicates a file is being read, transformed and written back out, the signature of a file-encryption operation.

This maps to MITRE ATT&CK T1027 (Obfuscated Files or Information), sub-technique T1027.013 (Encrypted/Encoded File), under Defense Evasion, and to T1074.001 (Data Staged: Local Data Staging) under Collection. The rule is cross-platform and covers Windows, Linux and macOS endpoints, drawing on EDR and log sources that record process creation. It carries a low risk score (21) and low severity: it is meant to surface suspicious OpenSSL usage that may precede ransomware-like activity, not to confirm it on its own.

Legitimate cryptographic workflows (backup scripts, key-material handling, packaging pipelines) invoke openssl enc in exactly this way, so the pattern warrants investigation mainly when it appears outside known maintenance windows, under an unexpected user account, or against user data rather than administrative artifacts. Note that the stated criteria do not distinguish encryption from decryption, since openssl enc -d also carries -in and -out, and a base64 encoding run through enc matches as well. Recommended follow-up: isolate the host if the context is unexplained, collect memory and disk evidence, correlate with file modification events on the -in and -out paths, and confirm with the owner whether the operation was authorized.
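As an added illustration, not part of the rule page or its query text, the Python below applies the three stated criteria (process start, process name openssl, arguments containing enc, -in and -out) to constructed process events. The field names follow ECS (event.type, process.name, process.args) and the Windows spelling openssl.exe is accepted as a process name; both are assumptions rather than details taken from the rule. The samples show what a triager should expect: decryption and base64 encoding match because they share the same flags, a different subcommand with -out does not, and an invocation that uses stdin/stdout redirection instead of -in/-out is invisible to the argument check.

```python
import re

# Field names follow ECS (event.type, process.name, process.args), as a rule of
# this kind normally would. The rule's own query text is not reproduced here;
# only the three criteria the summary states are implemented.
REQUIRED_ARGS = frozenset({"enc", "-in", "-out"})
# Assumption: on Windows the binary appears as openssl.exe, so both spellings
# are accepted and the comparison is case-insensitive.
OPENSSL_NAMES = frozenset({"openssl", "openssl.exe"})


def matches_openssl_enc(event: dict) -> bool:
    """Return True when an event meets the rule's stated criteria:
    a process start, a process named openssl, and process.args containing
    enc, -in and -out (in any order)."""
    if "start" not in event.get("event.type", []):
        return False
    if event.get("process.name", "").lower() not in OPENSSL_NAMES:
        return False
    return REQUIRED_ARGS.issubset(event.get("process.args", []))


def event_from_cmdline(cmdline: str, event_type: str = "start") -> dict:
    """Build a constructed process event from a command line.
    Whitespace splitting is sufficient for the unquoted samples below."""
    argv = cmdline.split()
    # basename on either path separator so Windows paths work as well
    name = re.split(r"[\\/]", argv[0])[-1]
    return {"event.type": [event_type], "process.name": name, "process.args": argv}


# Constructed sample events, not real telemetry.
SAMPLES = {
    # encryption of a document: the case the rule is written for
    "encrypt": event_from_cmdline(
        "openssl enc -aes-256-cbc -pbkdf2 -in report.xlsx -out report.xlsx.enc -pass pass:x"),
    # decryption uses the same subcommand and flags, so it also matches
    "decrypt": event_from_cmdline(
        "openssl enc -d -aes-256-cbc -in report.xlsx.enc -out report.xlsx -pass pass:x"),
    # base64 encoding via enc: no cipher involved, still matches
    "base64": event_from_cmdline("openssl enc -base64 -in blob.bin -out blob.b64"),
    # Windows path and .exe suffix (assumption noted above)
    "windows": event_from_cmdline(
        r"C:\Tools\openssl.exe enc -aes-256-cbc -in secrets.db -out secrets.db.enc"),
    # a different subcommand that also takes -out: no enc, so no match
    "digest": event_from_cmdline("openssl dgst -sha256 -out report.sha256 report.xlsx"),
    # identical command line recorded as a process end event, not a start
    "end_event": event_from_cmdline("openssl enc -in a -out b", event_type="end"),
    # openssl enc reads stdin and writes stdout when -in/-out are omitted, so a
    # shell-redirected run never exposes the file names in the arguments
    "redirect": event_from_cmdline("openssl enc -aes-256-cbc -pbkdf2 -pass pass:x"),
}


def classify_samples() -> dict:
    """Run the rule logic over every sample and return label -> verdict."""
    return {label: matches_openssl_enc(ev) for label, ev in SAMPLES.items()}


if __name__ == "__main__":
    for label, hit in classify_samples().items():
        print(f"{label:10s} {'ALERT' if hit else 'no match'}")
```

Running the block prints a verdict per sample; the redirect case is the one worth remembering during triage, since the rule as described depends on -in and -out appearing in the argument list, and correlating with file modification events is what closes that gap.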
Categories
- Endpoint
- Windows
- Linux
- macOS
Data Sources
- Process
ATT&CK Techniques
- T1027
- T1027.013
- T1074
- T1074.001
Created: 2026-03-26