Query Details

Free SSL Providers

Query

Tags:
Query:
DeviceNetworkEvents
| where RemoteUrl has_any ("letsencrypt.org", "sslforfree.com", "zerossl.com", "freessl.org")
| where InitiatingProcessFolderPath !startswith @"c:\program files"
| where InitiatingProcessParentFileName != @"SenseIR.exe"
    and InitiatingProcessVersionInfoProductName != @"Windows ACME Simple (WACS)"
    and InitiatingProcessVersionInfoCompanyName != @"Wouter Tinus and many others"
References:

Explanation

This query looks for network connections to free TLS/SSL certificate providers that are initiated by processes other than the tooling expected to contact them. In outline:

  1. Data source: the query reads DeviceNetworkEvents, the Microsoft Defender for Endpoint table that records network connections together with the process that initiated them.
  2. Filter by URL: it keeps events whose RemoteUrl contains any of the terms "letsencrypt.org", "sslforfree.com", "zerossl.com" or "freessl.org". has_any is whole-term matching, so a subdomain of letsencrypt.org matches while a look-alike domain that merely contains the string does not.
  3. Exclude known-good processes:
    • Events whose initiating process runs from a path starting with "c:\program files". !startswith is case-insensitive, and the prefix also covers "c:\program files (x86)".
    • Events whose parent process is "SenseIR.exe", the Microsoft Defender for Endpoint investigation and response component, so the sensor's own activity is not flagged.
    • Events whose initiating process reports the product name "Windows ACME Simple (WACS)" or the company name "Wouter Tinus and many others", i.e. the win-acme client. != is a case-sensitive comparison in KQL, so these exclusions only apply when the version-info strings match exactly.

The result is a list of connections to free certificate providers made by processes that are not a known ACME client running from a standard install location, which can surface an unexpected certificate request from a compromised host. Because the exclusions rely on the install path and on version-info strings that an attacker can set freely, treat them as noise reduction rather than a guarantee, and review hits such as scripts or renamed binaries running from user-writable folders.
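To check what the filters above actually keep, the query is re-implemented below over a handful of constructed DeviceNetworkEvents rows. This is an added example, not part of the original page or its author's query; the term splitting in kql_terms is an approximation of KQL's has matching, the sample rows are made up to exercise each branch, and the helper names (row, is_flagged, flagged_ids) are the example's own.

```python
import re

# Domains from the query's has_any() list
FREE_SSL_DOMAINS = ("letsencrypt.org", "sslforfree.com", "zerossl.com", "freessl.org")
WACS_PRODUCT = "Windows ACME Simple (WACS)"
WACS_COMPANY = "Wouter Tinus and many others"


def kql_terms(text):
    """Split a string into terms roughly the way KQL's term index does:
    alphanumeric runs, compared case-insensitively. This is an approximation
    of the engine's tokenizer, not a copy of it."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]


def kql_has(haystack, phrase):
    """Approximate KQL `has`: every term of `phrase` must appear as a whole term
    in `haystack`, in order. Unlike `contains`, 'notletsencrypt.org' does not
    match 'letsencrypt.org'."""
    h, p = kql_terms(haystack), kql_terms(phrase)
    return any(h[i:i + len(p)] == p for i in range(len(h) - len(p) + 1))


def kql_has_any(haystack, phrases):
    return any(kql_has(haystack, p) for p in phrases)


def is_flagged(event):
    """True when a DeviceNetworkEvents row survives every filter of the query."""
    if not kql_has_any(event.get("RemoteUrl") or "", FREE_SSL_DOMAINS):
        return False
    # `!startswith` is case-insensitive in KQL; the prefix also covers
    # 'c:\program files (x86)'.
    folder = (event.get("InitiatingProcessFolderPath") or "").lower()
    if folder.startswith(r"c:\program files"):
        return False
    # `!=` is case-sensitive in KQL, so these metadata strings must match exactly.
    if event.get("InitiatingProcessParentFileName") == "SenseIR.exe":
        return False
    if event.get("InitiatingProcessVersionInfoProductName") == WACS_PRODUCT:
        return False
    if event.get("InitiatingProcessVersionInfoCompanyName") == WACS_COMPANY:
        return False
    return True


def flagged_ids(events):
    """IDs of the rows the query would return, in input order."""
    return [e["id"] for e in events if is_flagged(e)]


def row(id, url, folder, parent="cmd.exe", product="", company=""):
    """Build a minimal DeviceNetworkEvents-like row (constructed test data)."""
    return {"id": id, "RemoteUrl": url, "InitiatingProcessFolderPath": folder,
            "InitiatingProcessParentFileName": parent,
            "InitiatingProcessVersionInfoProductName": product,
            "InitiatingProcessVersionInfoCompanyName": company}


# Constructed sample rows, not real telemetry, one per branch of the query.
SAMPLE_EVENTS = [
    # 1: script in a temp folder contacting a Let's Encrypt subdomain -> flagged
    row(1, "acme-v02.api.letsencrypt.org", r"c:\users\bob\appdata\local\temp"),
    # 2: win-acme installed under Program Files -> excluded by folder path
    row(2, "acme-v02.api.letsencrypt.org", r"c:\program files\win-acme",
        "svchost.exe", WACS_PRODUCT, WACS_COMPANY),
    # 3: win-acme run from a non-standard folder -> excluded by product name
    row(3, "acme-v02.api.letsencrypt.org", r"d:\tools\win-acme",
        "explorer.exe", WACS_PRODUCT, WACS_COMPANY),
    # 4: Defender for Endpoint response action -> excluded by parent file name
    row(4, "zerossl.com", r"c:\windows\temp", "SenseIR.exe"),
    # 5: unrelated destination -> never matched
    row(5, "www.microsoft.com", r"c:\users\bob\downloads"),
    # 6: look-alike domain: `has` is whole-term matching, so not matched
    row(6, "notletsencrypt.org", r"c:\users\bob\downloads"),
    # 7: unsigned ACME client with no version info in a download folder -> flagged
    row(7, "api.zerossl.com", r"c:\users\bob\downloads"),
]

if __name__ == "__main__":
    print("flagged rows:", flagged_ids(SAMPLE_EVENTS))
```

Running the block prints the IDs of rows 1 and 7 only: the Program Files install, the win-acme metadata and the SenseIR.exe parent are dropped by the exclusions, and rows 5 and 6 never match the domain list.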

Details


Ali Hussein

Released: September 30, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

DeviceNetworkEvents, |, where, has_any, !startswith, and, !=
