Advanced Threat Hunting with New SSL Features: Unlocking HuntSQL™ Anomaly Flags for Deeper Detection

At Hunt.io, we're always looking for ways to sharpen our threat hunting tools. Our latest update enhances SSL certificate analysis, making it easier to spot anomalies and potential threats. Here's what's new and why it matters.

Why We Upgraded Our SSL Parsing

Originally, we used Golang's built-in SSL parser to analyze certificates. But while investigating why PupyRAT-a well-known remote access trojan-was slipping through our data, we realized our SSL parsing had some blind spots. PupyRAT uses invalid certificate structures, and our old method wasn't catching them.

To improve SSL certificate parsing, we adopted Google's Certificate Transparency Golang library. addressing issues identified during PupyRAT analysis. This change improves the detection of certificate anomalies, ensuring better accuracy in threat hunting.

New SSL Flags for Smarter Threat Hunting

To give you more control and precision when analyzing SSL/TLS data, we've added a set of new flags to our HuntSQL™ tooling. These flags help pinpoint misconfigurations, expired certificates, and other security risks.

Here's a quick rundown of what's now available:

• flags.unknown_authority - Flag when the certificate chain is signed by an unknown authority (not in a trust store).

• flags.not_authorized_to_sign - Flag when certificate is not authorized to sign (missing/invalid CA capability).

• flags.missing_serverauth - Flag when ExtKeyUsageServerAuth (or ExtKeyUsageAny) is missing - required by modern TLS clients.

• flags.rsa_ephemeral_needs_sig - Flag when cipher requires KeyUsageDigitalSignature (ephemeral RSA handshake).

• flags.name_constraints_without_sans - Flag when issuer has name constraints but leaf is missing a SAN extension.

• flags.ca_not_authorized_for_this_name - Flag when a root/intermediate is not authorized to sign for this name.

• flags.insecure_cipher - Flag when the certificate uses an insecure cryptographic cipher.

• flags.expired - Flag when certificate has expired or is not yet valid.

• flags.malformed - Flag when the certificate is malformed.

• flags.tls13_needs_sig - Flag when TLS 1.3 cipher requires KeyUsageDigitalSignature (ephemeral handshake).

• flags.incompatible_usage - Detects certificates with incorrect usage attributes.

• flags.ecdsa_ephemeral_needs_sig - Flag when cipher requires KeyUsageDigitalSignature (ephemeral ECDSA handshake).

• flags.rsa_key_exchange_needs_enc - Flag when cipher requires KeyUsageKeyEncipherment (legacy RSA key exchange).

• flags.too_many_intermediates - Flag when too many intermediates exist for the path length constraint.

• flags.malformed_reason - Flag when the certificate has a malformed reason string.

• flags.verification_failed - Flag when X.509 certificate verification fails.

Use Cases: Hunting Malware Families with SSL Flags

PupyRAT: Malformed Certificates Lead to C2 Infrastructure

As noted earlier, our adoption of Google's Certificate Transparency Golang library significantly improved our detection capabilities as it pertains to anomalous/malformed SSL certificates. When re-examining PupyRAT infrastructure with this enhanced visibility, we identified a recurring certificate parsing error:

X509: invalid version

This warning message indicates that the X.509 version field-used to define the certificate format is set incorrectly. Standard certificates specify v1, v2, or v3, with the latter being the most widely used today. Failing this check suggests:

• A misconfigured or improperly generated certificate, possibly from a non-standard cryptographic library.

• A deliberate attempt to evade detection by using an invalid structure.

These errors are not common in everyday web browsing or dealing with well-managed certificates from reputable Certificate Authorities (CA), which makes them a useful pivot point.

Tracking PupyRAT with flags.malformed_reason

Before looking at specific certificates associated with PupyRAT infrastructure, we queried for instances with flags.malformed_reason returned True in HuntSQL™. Our search returned 1,802 results, a large number of servers, but not overwhelming.

To refine our query and cut through the noise, we'll look for the following:

• Certificates where the Subject Organizational Unit is "CONTROL."

• Include a query for the Subject Organization field containing a random string of 10 characters.

After applying the above, we reduced the dataset to just 32 servers we assess our likely PupyRAT C2s.

Filtering for flags.malformed_reason initially returned 1,802 results, but by excluding trusted issuers and refining by subject common name, we reduced it to 32 likely PupyRAT C2 servers. The x509: invalid version error should not often be seen in networks, making it a reliable detection pivot that helps defenders track PupyRAT servers even as operators rotate IPs and domains.

AsyncRAT: Abusing Ephemeral RSA Handshakes

AsyncRAT is a widely used remote access trojan that encrypts its command-and-control (C2) traffic over TLS. However, when analyzing its infrastructure, we consistently observed missing digital signatures in ephemeral RSA handshakes-a misconfiguration that weakens the integrity of the encryption process.

This triggers flags.rsa_ephemeral_needs_sig, which detects cases where a cipher suite requires KeyUsageDigitalSignature, but the certificate fails to include it. Properly implemented TLS ensures that ephemeral key exchanges are signed to prevent man-in-the-middle (MITM) attacks. The absence of this signature suggests:

• A non-standard cryptographic implementation, possibly reused across multiple AsyncRAT deployments.

• Misconfigured or outdated TLS libraries, making these C2s easier to track.

Tracking AsyncRAT with flags.rsa_ephemeral_needs_sig

Searching for this flag alone returned 9,782,211 results, an unworkable dataset that is also a bit worrisome in the large number of servers missing a digital signature.

To achieve a dataset that is easier to analyze, we filtered for:

• subject.common_name = "AsyncRAT Server"

• issuer.common_name = "AsyncRAT Server

This reduced the results found in HuntSQL™ to a much more manageable 128 unique IP addresses.

This misconfiguration appears in nearly 10 million TLS implementations across the internet, but when filtering for known certificate attributes tied to AsyncRAT infrastructure, it becomes a far stronger indicator of C2 activity.

Coyote Banking Trojan: Exploiting SSL Certificate Trust

Coyote is a multi-stage banking trojan targeting financial institutions in Brazil. It uses the Squirrel installer for distribution and is written in Nim, a not so common language choice for malicious operations. To secure communication with its command-and-control (C2) server, Coyote relies on SSL mutual authentication, where a connection is only established if the client and server validate each other's identity during the handshake process.

Tracking Coyote with flags.unknown_authority

A recent campaign revealed on X/Twitter identified Coyote servers using the common name "EASport Games", likely an attempt to blend in with legitimate traffic. Our research found that these servers triggered flags.unknown_authority, indicating they were signed by an untrusted certificate authority.

An initial search for this flag returned 33,854,371 results.

To filter out the noise we will look for:

• Certificates using the above-mentioned subject common name "EASport Games."

Applying this certificate field reduced the number of servers to just 3-a strong indicator that our query is detecting infrastructure associated with this current campaign.

Identifying SSL certificates signed by unknown authorities is a starting point for detecting malware families like Coyote, but alone, it produces too much noise. By applying targeted filters-such as issuer anomalies and suspicious common names-defenders can isolate clusters of infrastructure and uncover possible attacker-controlled IPs.

How This Helps You Hunt Threats More Effectively

With these new flags, you can:

• Spot malicious infrastructure faster by identifying SSL/TLS misconfigurations commonly seen in attacker operations.

• Enhance certificate-based threat hunting with granular filtering on certificate authenticity and integrity.

• Cut down on noise by isolating improperly signed, expired, or misused certificates.

Want to test these updates for yourself? Log into our platform and start exploring the new SSL hunting filters today. If you don't have an account yet, book a demo to see how HuntSQL™ can enhance your threat hunting workflow!