Detection | low | test

Suspicious SSL Connection

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.

Author: François Hubaut
Created: Sun Jan 23
Rule ID: 195626f3-5f1b-4403-93b7-e6cfd4d6a078
Product: windows
Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)

Definition

Requirements: Script Block Logging must be enabled

Detection Logic (1 selector)
detection:
    selection:
        ScriptBlockText|contains|all:
            - System.Net.Security.SslStream
            - Net.Security.RemoteCertificateValidationCallback
            - '.AuthenticateAsClient'
    condition: selection
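As an added example (not part of this rule or the Sigma project), the selection's `contains|all` semantics evaluated in Python over constructed Script Block Logging events (Event ID 4104). The field name and the three keywords come from the rule; the sample events are made up.

```python
"""Evaluate the rule's selection against constructed PowerShell
Script Block Logging events (Event ID 4104, field ScriptBlockText)."""
from typing import Dict, Iterable, List

# Keywords copied from the rule's ScriptBlockText|contains|all selection.
SSL_KEYWORDS = (
    "System.Net.Security.SslStream",
    "Net.Security.RemoteCertificateValidationCallback",
    ".AuthenticateAsClient",
)


def contains_all(value: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains|all': every needle must be a substring of the field.
    Sigma string matching is case-insensitive by default."""
    haystack = value.lower()
    return all(n.lower() in haystack for n in needles)


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: selection, so the single selector decides the outcome.
    Events without the field (e.g. non-4104 records) never match."""
    text = event.get("ScriptBlockText")
    return text is not None and contains_all(text, SSL_KEYWORDS)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # all three keywords present, mixed case -> alert
        "EventID": "4104",
        "ScriptBlockText": (
            "$cb = [Net.Security.RemoteCertificateValidationCallback]$validator\n"
            "$s = New-Object system.net.security.sslstream($tcp.GetStream(), $false, $cb)\n"
            "$s.AuthenticateAsClient('example.invalid')"
        ),
    },
    {   # SslStream with default certificate validation -> no alert
        "EventID": "4104",
        "ScriptBlockText": (
            "$s = New-Object System.Net.Security.SslStream($tcp.GetStream())\n"
            "$s.AuthenticateAsClient('intranet.example')"
        ),
    },
    {   # unrelated script block -> no alert
        "EventID": "4104",
        "ScriptBlockText": "Get-ChildItem C:\\Windows\\Temp | Remove-Item",
    },
]


def alerts(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print("matching events:", alerts(SAMPLE_EVENTS))  # -> [0]
```

Only the first event fires: the second uses SslStream with the default certificate check and never references the validation callback type, which is exactly the distinction the rule's `all` modifier enforces.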
False Positives

Legitimate administrative script

Rule Metadata
Rule ID
195626f3-5f1b-4403-93b7-e6cfd4d6a078
Status
test
Level
low
Type
Detection
Created
Sun Jan 23
Path
rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
Raw Tags
attack.command-and-control, attack.t1573