Description
- This alert fires on a configured SSL certificate that still carries the default 'testexample' field, which is commonly found in poorly configured malware.
Vector
- TLS 443
Known False Positive Indicators
- This signature has a known false-positive trigger with Confluence Networks. Confluence Networks has a customer that provides web-hosting services, and that hosting service serves an SSL certificate that has not been properly configured, which causes the signature to trip falsely. To verify this in the alert, the ASN/Org will be 'Confluence Networks', and usually correlating DNS requests to a legitimate site can be found in the firewall/DNS logs.
Affected Host
- Any/All (the associated malware is generic, so the affected host can vary)
Classification
- Malware
Sentinel Signature
- TROJAN Observed Suspicious SSL Cert (testexample)
DNS Calls
- Correlating DNS requests can be found in the logs to assist with false-positive verification
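The triage described above (match the 'testexample' field on a TCP/443 certificate, then check the ASN/Org and look for a correlating DNS request from the same host) as a worked example. This is added illustration code, not the signature's own implementation or any Sentinel tooling; the TLS and DNS log records are constructed samples, the field names and the 'PLACEHOLDER-ASN-*' org strings are assumptions, and the five-minute DNS correlation window is a chosen value, not one the alert specifies.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not real traffic). Field names mimic a typical
# TLS/x509 export; the ASN/org field is assumed to be enriched upstream.
TLS_LOG = [
    {"ts": "2024-05-01T10:00:01", "src": "10.0.0.5", "dst": "203.0.113.10", "dst_port": 443,
     "subject": "CN=testexample,O=testexample,L=testexample,C=US",
     "issuer": "CN=testexample,O=testexample,L=testexample,C=US",
     "asn_org": "PLACEHOLDER-ASN-A"},
    {"ts": "2024-05-01T10:05:30", "src": "10.0.0.7", "dst": "198.51.100.20", "dst_port": 443,
     "subject": "CN=testexample,O=testexample,C=US",
     "issuer": "CN=testexample,O=testexample,C=US",
     "asn_org": "Confluence Networks"},
    {"ts": "2024-05-01T10:06:00", "src": "10.0.0.9", "dst": "198.51.100.21", "dst_port": 443,
     "subject": "CN=testexample,O=testexample,C=US",
     "issuer": "CN=testexample,O=testexample,C=US",
     "asn_org": "Confluence Networks"},
    {"ts": "2024-05-01T10:07:00", "src": "10.0.0.5", "dst": "192.0.2.30", "dst_port": 443,
     "subject": "CN=www.example.com,O=Example Org,C=US",
     "issuer": "CN=Example CA,O=Example Org,C=US",
     "asn_org": "PLACEHOLDER-ASN-B"},
]

# Constructed DNS log: host 10.0.0.7 resolved a hosted site to 198.51.100.20
# a few seconds before its TLS connection (the false-positive pattern).
DNS_LOG = [
    {"ts": "2024-05-01T10:05:25", "src": "10.0.0.7",
     "query": "www.hosted-site.example", "answers": ["198.51.100.20"]},
]

SIG = re.compile(r"testexample", re.IGNORECASE)   # the default field the signature keys on
KNOWN_FP_ORGS = {"confluence networks"}            # ASN/Org with a documented false positive
DNS_WINDOW = timedelta(minutes=5)                  # assumed correlation window


def matches_signature(rec):
    """True when the certificate subject or issuer carries the default
    'testexample' field on a TCP/443 connection, as the signature describes."""
    if rec["dst_port"] != 443:
        return False
    return bool(SIG.search(rec["subject"]) or SIG.search(rec["issuer"]))


def correlate_dns(rec, dns_log, window=DNS_WINDOW):
    """Return DNS query names from the same source host that resolved to the
    TLS destination IP within `window` before the connection."""
    t = datetime.fromisoformat(rec["ts"])
    names = []
    for d in dns_log:
        dt = datetime.fromisoformat(d["ts"])
        same_host = d["src"] == rec["src"]
        resolves_dst = rec["dst"] in d["answers"]
        in_window = timedelta(0) <= t - dt <= window
        if same_host and resolves_dst and in_window:
            names.append(d["query"])
    return names


def triage(tls_log, dns_log):
    """Apply the signature and classify each hit:
    'likely-fp' when the ASN/Org is a known FP source and a correlating DNS
    lookup to a site exists, 'review' when only the ASN/Org matches, and
    'alert' otherwise."""
    results = []
    for rec in tls_log:
        if not matches_signature(rec):
            continue
        names = correlate_dns(rec, dns_log)
        fp_org = rec["asn_org"].lower() in KNOWN_FP_ORGS
        if fp_org and names:
            verdict = "likely-fp"
        elif fp_org:
            verdict = "review"
        else:
            verdict = "alert"
        results.append({"src": rec["src"], "dst": rec["dst"],
                        "asn_org": rec["asn_org"], "dns": names, "verdict": verdict})
    return results


if __name__ == "__main__":
    for hit in triage(TLS_LOG, DNS_LOG):
        print(hit)
```

The 'review' verdict is deliberate: an ASN/Org match alone is not enough to close an alert as a false positive, because the page's verification step also expects a correlating DNS request to a legitimate site in the firewall/DNS logs.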