low advisory

Unusual Windows Processes Connecting to Domains Using Free SSL Certificates

This rule identifies unusual Windows processes connecting to domains using known free SSL certificates such as Let's Encrypt, which adversaries may use to conceal command and control traffic.

This detection rule identifies Windows processes communicating with domains using free SSL certificates from providers such as Let's Encrypt, SSLforFree, ZeroSSL, and FreeSSL. Attackers can leverage these certificates to encrypt command and control (C2) communications, blending malicious traffic with legitimate encrypted web traffic. The rule focuses on detecting unusual processes, specifically those originating from standard Windows system paths that would not typically establish connections to services using free SSL certificates. The rule excludes known benign processes to reduce false positives and highlight potentially malicious C2 activity. This rule was published on 2020/11/04 and last updated on 2026/05/04.

Attack Chain

  1. An attacker compromises a Windows host.
  2. The attacker installs a malicious agent on the compromised host.
  3. The agent is configured to use a domain that utilizes a free SSL certificate for C2 communication.
  4. The malicious agent issues a DNS query for, and connects to, a domain ending in *.letsencrypt.org, *.sslforfree.com, *.zerossl.com, or *.freessl.org.
  5. The infected host bypasses host-based firewalls, as the traffic is encrypted.
  6. The agent receives commands from the C2 server over the encrypted channel.
  7. The attacker executes commands to perform lateral movement or data exfiltration.
  8. The attacker exfiltrates sensitive data from the compromised host.

Impact

Successful exploitation could lead to undetected command and control activity within the network. Attackers could use this encrypted channel to exfiltrate sensitive data, deploy ransomware, or move laterally to other systems. Due to the use of free SSL certificates, the traffic appears legitimate and can bypass basic network security controls. While the rule severity is low, a successful C2 channel can lead to critical impact.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect potentially malicious processes using free SSL certificates for communication, tuning the false positives for your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on processes not typically associated with network activity originating from the defined Windows system paths.
  • Monitor DNS query logs for connections to domains using free SSL certificates from unusual or untrusted processes.
  • Update the Sigma rule with new free SSL certificate providers and adjust the excluded processes based on observed false positives in your environment.
  • Enable Sysmon Event ID 22 (DNS Query) logging for better visibility into DNS requests.

Detection coverage (2)

Connection to Commonly Abused Free SSL Certificate Providers (Process)

low

Detects unusual processes connecting to domains using known free SSL certificates.

Format: sigma | Tactics: command_and_control | Techniques: T1573 | Sources: process_creation, windows

Connection to Commonly Abused Free SSL Certificate Providers (DNS Query)

low

Detects DNS queries to domains using known free SSL certificates from unusual processes.

Format: sigma | Tactics: command_and_control | Techniques: T1573 | Sources: dns_query, windows
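The two detections above share one piece of logic: take the host name a process queried or connected to, match it against the free-certificate provider suffixes from the IoC list, keep only images launched from standard Windows system paths, and drop anything on a tuned allowlist. The following is an added example of that logic run over a handful of constructed Sysmon-style events; it is not the platform's own rule. It assumes events are flattened to dicts carrying the fields of Sysmon Event ID 22 (DNS query, QueryName) and Event ID 3 (network connection, DestinationHostname; used here in place of the process_creation source the card lists, because that event type carries the destination host), and the system-path list and the svchost.exe allowlist entry are placeholders to be replaced with exclusions tuned from your own false positives.

```python
"""Added example: process/DNS matching against free SSL provider domains.

Assumptions (not from the advisory): event dicts mirror Sysmon EID 22 and
EID 3 fields; the system-path prefixes and the allowlist are placeholders.
"""
import fnmatch
from typing import Optional

# Wildcard suffixes exactly as listed in the advisory's IoC table.
FREE_SSL_DOMAINS = (
    "*.letsencrypt.org",
    "*.sslforfree.com",
    "*.zerossl.com",
    "*.freessl.org",
)

# Assumed "standard Windows system paths" that rarely need these providers.
SYSTEM_PATH_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\",
)

# Placeholder allowlist: populate from false positives seen in your estate.
BENIGN_IMAGES = frozenset({
    "c:\\windows\\system32\\svchost.exe",  # constructed placeholder entry
})


def matches_free_ssl_domain(name: str) -> bool:
    """Case-insensitive wildcard match; strips the trailing dot some DNS
    logs add (FQDN form) so 'api.freessl.org.' still matches."""
    host = name.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, pat) for pat in FREE_SSL_DOMAINS)


def is_system_path_image(image: str) -> bool:
    return image.lower().startswith(SYSTEM_PATH_PREFIXES)


def domain_of(event: dict) -> Optional[str]:
    """Pull the queried or connected host out of the two event kinds modelled."""
    eid = event.get("EventID")
    if eid == 22:
        return event.get("QueryName")
    if eid == 3:
        return event.get("DestinationHostname")
    return None


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert dict when the event matches either detection, else None."""
    domain = domain_of(event)
    if not domain or not matches_free_ssl_domain(domain):
        return None
    image = event.get("Image", "")
    if not is_system_path_image(image):
        return None  # out of scope: not launched from a system path
    if image.lower() in BENIGN_IMAGES:
        return None  # tuned-out false positive
    return {
        "rule": "DNS Query" if event["EventID"] == 22 else "Process",
        "image": image,
        "domain": domain,
        "technique": "T1573",
    }


def run(events) -> list:
    return [alert for alert in map(evaluate, events) if alert]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "QueryName": "acme-v02.api.letsencrypt.org"},            # alert
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationHostname": "api.zerossl.com"},               # allowlisted
    {"EventID": 3, "Image": "C:\\Windows\\System32\\mshta.exe",
     "DestinationHostname": "www.sslforfree.com"},            # alert
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationHostname": "www.sslforfree.com"},            # not a system path
    {"EventID": 22, "Image": "C:\\Windows\\Temp\\update.exe",
     "QueryName": "zerossl.com.attacker.example."},           # suffix does not match
    {"EventID": 22, "Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
     "QueryName": "api.freessl.org."},                        # alert (FQDN form)
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Two points the sample set makes visible: the wildcards are anchored as suffixes, so a look-alike such as zerossl.com.attacker.example does not match, and because the IoCs are written as *.domain the bare apex (e.g. freessl.org with no subdomain) is not matched either; add the apex explicitly if your log source records it.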


Indicators of compromise (4)

Type     Value
domain   *.letsencrypt.org
domain   *.sslforfree.com
domain   *.zerossl.com
domain   *.freessl.org