Query Details

Free SSL

Query

Tags:

Query:
  DeviceNetworkEvents
    | where RemoteUrl has_any ("letsencrypt.org", "sslforfree.com", "zerossl.com", "freessl.org")
    | where InitiatingProcessFolderPath !startswith @"c:\program files"
    | where InitiatingProcessParentFileName != @"SenseIR.exe" and InitiatingProcessVersionInfoProductName != @"Windows ACME Simple (WACS)"
References:

Explanation

This KQL (Kusto Query Language) query runs against the DeviceNetworkEvents table in Microsoft Defender advanced hunting. It surfaces network connections to the ACME endpoints of free certificate authorities that were not started by the processes you would expect to talk to them. Step by step:

  1. Data source: DeviceNetworkEvents, which records outbound network connections per device together with the process that opened them.
  2. Filter by URL: it keeps rows whose RemoteUrl contains any of letsencrypt.org, sslforfree.com, zerossl.com or freessl.org. has_any matches whole terms, case-insensitively, so the domain may appear anywhere in the URL (for example acme-v02.api.letsencrypt.org), but a hostname such as notzerossl.com does not match.
  3. Exclude expected sources:
    • Rows where the initiating process (the process that opened the connection) runs from a folder starting with c:\program files are dropped. !startswith is case-insensitive, and the prefix also covers c:\program files (x86), so installed browsers and installed ACME clients are both excluded.
    • Rows whose parent process is SenseIR.exe, the Defender for Endpoint automated investigation and response component, are dropped so the sensor's own activity does not show up.
    • Rows whose initiating process reports the product name Windows ACME Simple (WACS), the version information of the win-acme client, are dropped. Note that != is case-sensitive in KQL, so the product name and the SenseIR.exe file name must match exactly.

In essence, the query looks for certificate-issuance traffic from an unexpected place: a host that contacts an ACME CA is obtaining (or being used to obtain) a publicly trusted certificate, and a legitimate ACME client normally lives under Program Files and runs as a service. A client run from a user-writable path such as Downloads or Temp is worth a look. Two caveats: a user simply browsing the Let's Encrypt or ZeroSSL website from a browser installed outside Program Files will also match, so treat this as a hunting starting point rather than a high-fidelity alert; and the WACS exclusion trusts the binary's self-reported product name.
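The filter logic above, re-implemented in Python and run over a handful of constructed DeviceNetworkEvents-style rows. This is an added example, not code from the query author or from Microsoft; the sample rows are made up, and has_any is an approximation of KQL's term matching (split on non-alphanumerics, case-insensitive, phrases must be adjacent terms). It shows which rows the three where clauses keep and which they drop, including the Program Files (x86) and case-sensitivity edge cases.

```python
import re

# Domains from the query's has_any list.
FREE_SSL_DOMAINS = ("letsencrypt.org", "sslforfree.com", "zerossl.com", "freessl.org")


def _terms(value):
    # Approximation of KQL term tokenization: runs of alphanumerics, case-folded.
    return re.findall(r"[a-z0-9]+", (value or "").lower())


def has_any(value, phrases):
    """Approximate KQL has_any: a phrase matches when its terms appear adjacently."""
    terms = _terms(value)
    for phrase in phrases:
        p = _terms(phrase)
        n = len(p)
        if any(terms[i:i + n] == p for i in range(len(terms) - n + 1)):
            return True
    return False


def is_suspicious(event):
    """Apply the query's where clauses to one event (a dict of column -> value)."""
    if not has_any(event.get("RemoteUrl"), FREE_SSL_DOMAINS):
        return False
    # !startswith is case-insensitive and the prefix also covers "c:\program files (x86)".
    folder = (event.get("InitiatingProcessFolderPath") or "").lower()
    if folder.startswith(r"c:\program files"):
        return False
    # KQL != on strings is case-sensitive: only an exact "SenseIR.exe" is excluded.
    if event.get("InitiatingProcessParentFileName") == "SenseIR.exe":
        return False
    if event.get("InitiatingProcessVersionInfoProductName") == "Windows ACME Simple (WACS)":
        return False
    return True


def run_hunt(events):
    """Return the ids of events the query would surface, in input order."""
    return [e["id"] for e in events if is_suspicious(e)]


# Constructed sample rows (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    # 1: installed win-acme under Program Files -> dropped by the folder filter
    {"id": 1, "RemoteUrl": "https://acme-v02.api.letsencrypt.org/directory",
     "InitiatingProcessFolderPath": r"c:\program files\win-acme",
     "InitiatingProcessFileName": "wacs.exe",
     "InitiatingProcessParentFileName": "services.exe",
     "InitiatingProcessVersionInfoProductName": "Windows ACME Simple (WACS)"},
    # 2: unknown ACME client in a user's Temp folder -> kept
    {"id": 2, "RemoteUrl": "https://acme-v02.api.letsencrypt.org/directory",
     "InitiatingProcessFolderPath": r"c:\users\bob\appdata\local\temp",
     "InitiatingProcessFileName": "acme.exe",
     "InitiatingProcessParentFileName": "cmd.exe",
     "InitiatingProcessVersionInfoProductName": ""},
    # 3: browser in Program Files (x86) reading the docs site -> dropped (prefix match)
    {"id": 3, "RemoteUrl": "https://letsencrypt.org/docs/",
     "InitiatingProcessFolderPath": r"c:\program files (x86)\google\chrome\application",
     "InitiatingProcessFileName": "chrome.exe",
     "InitiatingProcessParentFileName": "explorer.exe",
     "InitiatingProcessVersionInfoProductName": "Google Chrome"},
    # 4: no URL recorded for the connection -> dropped by has_any
    {"id": 4, "RemoteUrl": "",
     "InitiatingProcessFolderPath": r"c:\windows\system32",
     "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessParentFileName": "services.exe",
     "InitiatingProcessVersionInfoProductName": "Microsoft Windows Operating System"},
    # 5: sensor child process, exact parent name -> dropped
    {"id": 5, "RemoteUrl": "api.zerossl.com",
     "InitiatingProcessFolderPath": r"c:\windows\system32\windowspowershell\v1.0",
     "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessParentFileName": "SenseIR.exe",
     "InitiatingProcessVersionInfoProductName": "Microsoft Windows Operating System"},
    # 6: same but lower-case parent name -> kept, because != is case-sensitive
    {"id": 6, "RemoteUrl": "api.zerossl.com",
     "InitiatingProcessFolderPath": r"c:\windows\system32\windowspowershell\v1.0",
     "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessParentFileName": "senseir.exe",
     "InitiatingProcessVersionInfoProductName": "Microsoft Windows Operating System"},
    # 7: look-alike hostname; "notzerossl" is a different term -> dropped
    {"id": 7, "RemoteUrl": "https://www.notzerossl.com.example/",
     "InitiatingProcessFolderPath": r"c:\users\bob\downloads",
     "InitiatingProcessFileName": "tool.exe",
     "InitiatingProcessParentFileName": "explorer.exe",
     "InitiatingProcessVersionInfoProductName": ""},
]

if __name__ == "__main__":
    print("events surfaced by the hunt:", run_hunt(SAMPLE_EVENTS))  # [2, 6]
```

Row 6 is the one to think about: the query's exclusions are exact, case-sensitive string comparisons, so a differently cased parent name slips through. If your tenant shows mixed casing, switch the exclusion to =~ or wrap the column in tolower(). Row 3 shows the other direction: the Program Files prefix quietly excludes every installed browser, which is what keeps ordinary web browsing out of the results.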

Details

Ali Hussein

Released: September 14, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

DeviceNetworkEvents, where, has_any, !startswith, and, !=