← Back to Explore
splunk_escuHunting
Zeek x509 Certificate with Punycode
The following analytic detects the presence of punycode within x509 certificates using Zeek x509 logs. It identifies punycode in the subject alternative name email and other fields by searching for the "xn--" prefix. This activity is significant as punycode can be used in phishing attacks or to bypass domain filters, posing a security risk. If confirmed malicious, attackers could use these certificates to impersonate legitimate domains, potentially leading to unauthorized access or data breaches.
MITRE ATT&CK
Detection Query
`zeek_x509`
| rex field=san.email{} "\@(?<domain_detected>xn--.*)"
| rex field=san.other_fields{} "\@(?<domain_detected>xn--.*)"
| stats values(domain_detected)
BY basic_constraints.ca source host
| `zeek_x509_certificate_with_punycode_filter`Author
Michael Haag, Splunk
Created
2026-02-25
References
- https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117
- https://github.com/corelight/CVE-2022-3602/tree/master/scripts
- https://docs.zeek.org/en/master/logs/x509.html
- https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html
- https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
- https://docs.zeek.org/en/master/scripts/base/init-bare.zeek.html#type-X509::SubjectAlternativeName
Tags
OpenSSL CVE-2022-3602
Raw Content
name: Zeek x509 Certificate with Punycode
id: 029d6fe4-a5fe-43af-827e-c78c50e81d81
version: 6
date: '2026-02-25'
author: Michael Haag, Splunk
status: experimental
type: Hunting
description: The following analytic detects the presence of punycode within x509 certificates using Zeek x509 logs. It identifies punycode in the subject alternative name email and other fields by searching for the "xn--" prefix. This activity is significant as punycode can be used in phishing attacks or to bypass domain filters, posing a security risk. If confirmed malicious, attackers could use these certificates to impersonate legitimate domains, potentially leading to unauthorized access or data breaches.
data_source: []
search: |-
`zeek_x509`
| rex field=san.email{} "\@(?<domain_detected>xn--.*)"
| rex field=san.other_fields{} "\@(?<domain_detected>xn--.*)"
| stats values(domain_detected)
BY basic_constraints.ca source host
| `zeek_x509_certificate_with_punycode_filter`
how_to_implement: The following analytic requires x509 certificate data to be logged entirely. In particular, for CVE-2022-3602, the punycode will be within the leaf certificate. The analytic may be modified to look for all xn--, or utilize a network IDS/monitoring tool like Zeek or Suricata to drill down into cert captured. Note for Suricata, the certificate is base64 encoded and will need to be decoded to capture the punycode (punycode will need to be decoded after).
known_false_positives: False positives may be present if the organization works with international businesses. Filter as needed.
references:
- https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117
- https://github.com/corelight/CVE-2022-3602/tree/master/scripts
- https://docs.zeek.org/en/master/logs/x509.html
- https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html
- https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
- https://docs.zeek.org/en/master/scripts/base/init-bare.zeek.html#type-X509::SubjectAlternativeName
tags:
analytic_story:
- OpenSSL CVE-2022-3602
asset_type: Network
mitre_attack_id:
- T1573
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network