Find sigma rule
Attack: Encrypted Channel
Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
MITRE
Tactic
- command-and-control
technique
- T1573
Test : OpenSSL C2
OS
- windows
Description:
Thanks to @OrOneEqualsOne for this quick C2 method. This is to test to see if a C2 session can be established using an SSL socket. More information about this technique, including how to set up the listener, can be found here: https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443.
Executor
powershell
Sigma Rule
- posh_ps_test_netconnection.yml (id: adf876b3-f1f8-4aa9-a4e4-a64106feec06)