{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/encrypted-channel/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MicrosoftEdge"],"_cs_severities":["low"],"_cs_tags":["command-and-control","encrypted-channel","freessl"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies Windows processes communicating with domains using free SSL certificates from providers like Let\u0026rsquo;s Encrypt, SSLforFree, ZeroSSL, and FreeSSL. Attackers can leverage these certificates to encrypt command and control (C2) communications, blending malicious traffic with legitimate encrypted web traffic. The rule focuses on detecting unusual processes, specifically those originating from standard Windows system paths that would not typically establish connections to services using free SSL certificates. This excludes known benign processes to reduce false positives and highlight potentially malicious C2 activity. 
This rule was published on 2020/11/04 and last updated on 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a Windows host.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a malicious agent on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe agent is configured to use a domain that uses a free SSL certificate for C2 communication.\u003c/li\u003e\n\u003cli\u003eThe malicious agent issues a DNS query for a domain ending in *.letsencrypt.org, *.sslforfree.com, *.zerossl.com, or *.freessl.org.\u003c/li\u003e\n\u003cli\u003eThe infected host bypasses host-based firewalls, as the traffic is encrypted.\u003c/li\u003e\n\u003cli\u003eThe agent receives commands from the C2 server over the encrypted channel.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to perform lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the compromised host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to undetected command and control activity within the network. Attackers could use this encrypted channel to exfiltrate sensitive data, deploy ransomware, or move laterally to other systems. Due to the use of free SSL certificates, the traffic appears legitimate and can bypass basic network security controls. 
While the rule severity is low, a successful C2 channel can lead to critical impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect potentially malicious processes using free SSL certificates for communication, tuning the false positives for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes not typically associated with network activity originating from the defined Windows system paths.\u003c/li\u003e\n\u003cli\u003eMonitor DNS query logs for connections to domains using free SSL certificates from unusual or untrusted processes.\u003c/li\u003e\n\u003cli\u003eUpdate the Sigma rule with new free SSL certificate providers and adjust the excluded processes based on observed false positives in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging for better visibility into DNS requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-freesslcert-c2/","summary":"This rule identifies unusual Windows processes connecting to domains using known free SSL certificates such as Let's Encrypt, which adversaries may use to conceal command and control traffic.","title":"Unusual Windows Processes Connecting to Domains Using Free SSL Certificates","url":"https://feed.craftedsignal.io/briefs/2024-01-freesslcert-c2/"}],"language":"en","title":"CraftedSignal Threat Feed — Encrypted-Channel","version":"https://jsonfeed.org/version/1.1"}