Query Details

Free SSL

Query

Tags:

Query:
  DeviceNetworkEvents
    | where RemoteUrl has_any ("letsencrypt.org", "sslforfree.com", "zerossl.com", "freessl.org")
    | where InitiatingProcessFolderPath !startswith @"c:\program files" | where InitiatingProcessParentFileName != @"SenseIR.exe" and InitiatingProcessVersionInfoProductName != @"Windows ACME Simple (WACS)" 
References:

Explanation

This query is searching through network event data to identify any events where a device has connected to specific websites related to SSL certificate services, such as "letsencrypt.org" or "sslforfree.com". It specifically looks for connections initiated by processes that are not located in the "c:\program files" directory, and it excludes processes that are associated with "SenseIR.exe" or have the product name "Windows ACME Simple (WACS)". Essentially, it's filtering out legitimate or expected processes to focus on potentially suspicious or unauthorized activities involving these SSL-related websites.

Details

Ali Hussein profile picture

Ali Hussein

Released: September 14, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsRemoteUrlInitiatingProcessFolderPathParentFileNameVersionInfoProduct

Operators

has_any!startswith!=and

Actions

GitHub