Free SSL
Query
Tags:
Query:
DeviceNetworkEvents
| where RemoteUrl has_any ("letsencrypt.org", "sslforfree.com", "zerossl.com", "freessl.org")
| where InitiatingProcessFolderPath !startswith @"c:\program files" | where InitiatingProcessParentFileName != @"SenseIR.exe" and InitiatingProcessVersionInfoProductName != @"Windows ACME Simple (WACS)"
References:Explanation
This query is searching through network event data to identify any events where a device has connected to specific websites related to SSL certificate services, such as "letsencrypt.org" or "sslforfree.com". It specifically looks for connections initiated by processes that are not located in the "c:\program files" directory, and it excludes processes that are associated with "SenseIR.exe" or have the product name "Windows ACME Simple (WACS)". Essentially, it's filtering out legitimate or expected processes to focus on potentially suspicious or unauthorized activities involving these SSL-related websites.
Details

Ali Hussein
Released: September 14, 2023
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEventsRemoteUrlInitiatingProcessFolderPathParentFileNameVersionInfoProduct
Operators
has_any!startswith!=and