Find sigma rule

Attack: Encrypted Channel

Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

MITRE

Tactic

command-and-control

technique

T1573

Test : OpenSSL C2

OS

windows

Description:

Thanks to @OrOneEqualsOne for this quick C2 method. This is to test to see if a C2 session can be established using an SSL socket. More information about this technique, including how to set up the listener, can be found here: https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926

Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443.

Executor

powershell

Sigma Rule

posh_ps_test_netconnection.yml (id: adf876b3-f1f8-4aa9-a4e4-a64106feec06)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test