
Summary
Identifies completed outbound TLS handshakes in which deprecated cryptographic parameters were negotiated. Specifically, the rule flags TLS sessions that negotiate SSLv3, TLS 1.0, or TLS 1.1, or that use weak cipher suites such as RC4, 3DES, NULL, EXPORT, or anonymous key exchange (ADH/AECDH). These conditions are commonly associated with man-in-the-middle (MITM) activity, legacy malware, or misconfigured clients that force weak negotiations in order to enable traffic interception or decryption.

The detection relies on TLS metadata from the network_traffic integration (tls.version, tls.version_protocol, tls.cipher, tls.established). It matches outbound sessions from private source ranges to external destinations and excludes internal destinations.

When triggered, the alert indicates a potential downgrade or weak-cryptography negotiation and supports triage activities such as validating the destination, inspecting host-level context, and assessing client and server TLS configurations so that stronger settings (TLS 1.2+/1.3 and robust ciphers) can be enforced. Remediation includes blocking or proxying such destinations and hardening egress controls to prevent weak negotiations.
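To make the matching conditions concrete, here is an added Python example (not the rule's own query, which this page does not reproduce) that applies the same checks to a handful of constructed ECS-style events; the internal CIDR list, the helper names and the sample values are assumptions.

```python
import ipaddress
import re
# Internal ranges for "private source"/"internal destination" (assumed: RFC 1918, loopback, link-local).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# ECS splits the protocol name (tls.version_protocol) from its number (tls.version).
DEPRECATED_VERSIONS = {("ssl", "3"), ("tls", "1.0"), ("tls", "1.1")}
# Cipher-suite name fragments from the summary (IANA and OpenSSL spellings).
WEAK_CIPHER_RE = re.compile(r"RC4|3DES|NULL|EXPORT|ADH|AECDH|_ANON_", re.IGNORECASE)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)

def weak_tls_reason(event):
    """Return why an ECS-style event matches the rule, or None if it does not."""
    tls = event.get("tls", {})
    src = event.get("source", {}).get("ip")
    dst = event.get("destination", {}).get("ip")
    # Only completed outbound sessions: private source, external destination.
    if not (tls.get("established") and src and dst):
        return None
    if not is_internal(src) or is_internal(dst):
        return None
    proto = (tls.get("version_protocol") or "").lower()
    version = str(tls.get("version") or "")
    if (proto, version) in DEPRECATED_VERSIONS:
        return "deprecated protocol %s %s" % (proto.upper(), version)
    cipher = tls.get("cipher") or ""
    if WEAK_CIPHER_RE.search(cipher):
        return "weak cipher " + cipher
    return None

def find_weak_handshakes(events):
    """Return [(event id, reason)] for every event the rule would alert on."""
    return [(e["id"], r) for e in events for r in [weak_tls_reason(e)] if r]

def _event(eid, dst, proto, version, cipher, established=True):
    return {"id": eid, "source": {"ip": "10.0.0.5"}, "destination": {"ip": dst},
            "tls": {"established": established, "version_protocol": proto,
                    "version": version, "cipher": cipher}}

# Constructed sample events in ECS field layout (not real traffic).
SAMPLE_EVENTS = [
    _event(1, "203.0.113.10", "tls", "1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"),  # old protocol
    _event(2, "203.0.113.11", "tls", "1.2", "TLS_RSA_WITH_RC4_128_SHA"),      # weak cipher
    _event(3, "192.168.1.20", "tls", "1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"),  # internal dst
    _event(4, "203.0.113.12", "tls", "1.3", "TLS_AES_256_GCM_SHA384"),        # modern, clean
    _event(5, "203.0.113.13", "ssl", "3", "SSL_RSA_WITH_RC4_128_MD5", False),  # not completed
]
```

Only events 1 and 2 alert; event 3 is dropped by the internal-destination exclusion and event 5 because the handshake never completed, which is why the rule keys on tls.established rather than on ClientHello offers.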
Categories
- Network
Data Sources
- Network Traffic
ATT&CK Techniques
- T1557
- T1573
Created: 2026-06-25