Detect malware communication using SSL inspection
Ssl Inspection For Malware Cnc
Query
let IssuerContent = dynamic([@"Major Cobalt Strike", @"Laplas.app", @"Pwn3rs", @"operators"]);
let SubjectContent = dynamic([@"AsyncRAT Server", @"Major Cobalt Strike", @"Quasar Server CA", @"Laplas.app", @"Mythic", @"DcRat", @"VenomRAT", @"BitRAT", @"desas.digital", @"multiplayer" ]);
let Timeframe = 1d; // Choose the best timeframe for your investigation
DeviceNetworkEvents
| where Timestamp > ago(Timeframe)
| where ActionType == "SslConnectionInspected"
| extend AdditionalFields = todynamic(AdditionalFields)
| extend issuer = tostring(AdditionalFields.issuer), subject = tostring(AdditionalFields.subject), direction = tostring(AdditionalFields.direction)
| where direction == "Out" and not(ipv4_is_private(RemoteIP))
// Define issuer and subject parameters
| where issuer has_any (IssuerContent) or subject has_any (SubjectContent)
| sort by Timestamp descAbout this query
Explanation
This query is designed to detect potential malware communication by inspecting SSL connections in network traffic. It specifically looks for signs of known malware such as AsyncRAT, Cobalt Strike, and others by examining SSL certificates used in these communications. Here's a simple breakdown of what the query does:
-
Define Keywords: It sets up lists of keywords related to known malware for both the issuer and subject fields of SSL certificates.
-
Set Timeframe: The query looks at network events from the past day (1d).
-
Filter Network Events: It filters network events to only include those where SSL connections were inspected.
-
Extract Certificate Details: It extracts the issuer and subject details from the SSL certificates.
-
Filter for Outgoing Connections: It focuses on outgoing connections to external IP addresses (not private IPs).
-
Match Against Known Malware: It checks if the issuer or subject of the SSL certificate matches any of the known malware-related keywords.
-
Sort Results: Finally, it sorts the results by the timestamp in descending order, showing the most recent events first.
This query helps security teams identify suspicious network activity that might indicate malware communication, allowing them to investigate further.
Details

Michalis Michalos
Released: January 3, 2024
Tables
Keywords
Operators