Deprecated TLS Version or Weak Cipher Negotiated Externally
Identifies successful outbound TLS sessions that negotiate deprecated protocol versions (SSLv3, TLS 1.0, or TLS 1.1) or weak cipher suites such as RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Adversaries-in-the-middle and legacy malware often force these negotiations to decrypt or intercept traffic. Modern clients and services should negotiate TLS 1.2 or 1.3 with strong ciphers on internet-bound connections.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/25"
3integration = ["network_traffic"]
4maturity = "production"
5updated_date = "2026/06/25"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies successful outbound TLS sessions that negotiate deprecated protocol versions (SSLv3, TLS 1.0, or TLS 1.1) or
11weak cipher suites such as RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Adversaries-in-the-middle and legacy
12malware often force these negotiations to decrypt or intercept traffic. Modern clients and services should negotiate TLS
131.2 or 1.3 with strong ciphers on internet-bound connections.
14"""
15false_positives = [
16 """
17 Legacy internal applications, industrial control systems, or embedded devices may still require deprecated TLS
18 versions or weak ciphers. Exclude known legacy destination IPs or subnets after validation.
19 """,
20]
21from = "now-9m"
22index = ["logs-network_traffic.tls-*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Deprecated TLS Version or Weak Cipher Negotiated Externally"
26note = """## Triage and analysis
27
28> **Disclaimer**:
29> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
30
31### Investigating Deprecated TLS Version or Weak Cipher Negotiated Externally
32
33TLS downgrade and weak-cipher negotiation expose sessions to interception or decryption. This rule flags completed
34outbound TLS handshakes from internal hosts to external destinations that negotiated SSLv3, TLS 1.0, TLS 1.1, or a
35cipher suite containing RC4, 3DES, NULL, EXPORT, or anonymous key exchange material.
36
37### Possible investigation steps
38
39- Review `source.ip`, `destination.ip`, `destination.port`, `tls.version`, `tls.version_protocol`, and `tls.cipher`.
40- Determine whether the destination is a known legacy partner, vendor appliance, or unmanaged IoT device.
41- Check for concurrent alerts on the source host (credential access, C2, or proxy manipulation).
42- Compare against baseline: does this destination normally negotiate modern TLS from other clients?
43
44### False positive analysis
45
46- Exclude validated legacy B2B endpoints, mainframe gateways, or SCADA systems that cannot be upgraded immediately.
47- Some older mobile or embedded clients may still offer weak ciphers even when connecting to modern services; confirm
48 whether the server accepted the weak option (this rule requires `tls.established:true`).
49
50### Response and remediation
51
52- Block or proxy traffic to the destination if downgrade appears attacker-driven.
53- Patch or replace the client or server that accepted deprecated TLS.
54- Enable TLS 1.2+ minimums on egress proxies and inspect for MITM appliances forcing weak negotiation.
55"""
56references = [
57 "https://attack.mitre.org/techniques/T1557/",
58 "https://www.elastic.co/docs/reference/integrations/network_traffic",
59 "https://www.elastic.co/docs/reference/ecs/ecs-tls",
60 "https://www.rfc-editor.org/rfc/rfc9325.html",
61]
62risk_score = 47
63rule_id = "d994a184-ab93-4cff-8fb6-31a4b4dd18b1"
64setup = """## Setup
65
66This rule requires TLS metadata from the Elastic network_traffic integration (`network_traffic.tls` data stream) that
67populates ECS `tls.version`, `tls.version_protocol`, `tls.cipher`, and `tls.established` fields.
68"""
69severity = "medium"
70tags = [
71 "Domain: Network",
72 "Use Case: Network Security Monitoring",
73 "Use Case: Threat Detection",
74 "Data Source: Network Traffic",
75 "Tactic: Credential Access",
76 "Tactic: Command and Control",
77 "Resources: Investigation Guide",
78]
79timestamp_override = "event.ingested"
80type = "new_terms"
81
82query = '''
83data_stream.dataset:network_traffic.tls
84 and network.protocol: tls
85 and network.transport: tcp
86 and tls.established: true
87 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
88 and not destination.ip:(
89 10.0.0.0/8 or
90 100.64.0.0/10 or
91 127.0.0.0/8 or
92 169.254.0.0/16 or
93 172.16.0.0/12 or
94 192.0.0.0/24 or
95 192.0.0.0/29 or
96 192.0.0.10/32 or
97 192.0.0.170/32 or
98 192.0.0.171/32 or
99 192.0.0.8/32 or
100 192.0.0.9/32 or
101 192.0.2.0/24 or
102 192.168.0.0/16 or
103 192.175.48.0/24 or
104 192.31.196.0/24 or
105 192.52.193.0/24 or
106 192.88.99.0/24 or
107 198.18.0.0/15 or
108 198.51.100.0/24 or
109 203.0.113.0/24 or
110 224.0.0.0/4 or
111 240.0.0.0/4 or
112 "::1" or
113 "FE80::/10" or
114 "FF00::/8"
115 )
116 and (
117 tls.version:(1.0 or 1.1) or
118 (tls.version_protocol:ssl and tls.version:3.0) or
119 (
120 not tls.version:1.3 and (
121 tls.cipher:(
122 *RC4* or
123 *3DES* or
124 *NULL* or
125 *EXPORT* or
126 *_anon_* or
127 *ADH* or
128 *AECDH*
129 )
130 )
131 )
132 )
133'''
134
135
136[[rule.threat]]
137framework = "MITRE ATT&CK"
138[[rule.threat.technique]]
139id = "T1557"
140name = "Adversary-in-the-Middle"
141reference = "https://attack.mitre.org/techniques/T1557/"
142
143
144[rule.threat.tactic]
145id = "TA0006"
146name = "Credential Access"
147reference = "https://attack.mitre.org/tactics/TA0006/"
148[[rule.threat]]
149framework = "MITRE ATT&CK"
150[[rule.threat.technique]]
151id = "T1573"
152name = "Encrypted Channel"
153reference = "https://attack.mitre.org/techniques/T1573/"
154
155
156[rule.threat.tactic]
157id = "TA0011"
158name = "Command and Control"
159reference = "https://attack.mitre.org/tactics/TA0011/"
160
161[rule.new_terms]
162field = "new_terms_fields"
163value = ["source.ip", "destination.ip", "tls.version"]
164[[rule.new_terms.history_window_start]]
165field = "history_window_start"
166value = "now-7d"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Deprecated TLS Version or Weak Cipher Negotiated Externally
TLS downgrade and weak-cipher negotiation expose sessions to interception or decryption. This rule flags completed outbound TLS handshakes from internal hosts to external destinations that negotiated SSLv3, TLS 1.0, TLS 1.1, or a cipher suite containing RC4, 3DES, NULL, EXPORT, or anonymous key exchange material.
Possible investigation steps
- Review
source.ip,destination.ip,destination.port,tls.version,tls.version_protocol, andtls.cipher. - Determine whether the destination is a known legacy partner, vendor appliance, or unmanaged IoT device.
- Check for concurrent alerts on the source host (credential access, C2, or proxy manipulation).
- Compare against baseline: does this destination normally negotiate modern TLS from other clients?
False positive analysis
- Exclude validated legacy B2B endpoints, mainframe gateways, or SCADA systems that cannot be upgraded immediately.
- Some older mobile or embedded clients may still offer weak ciphers even when connecting to modern services; confirm
whether the server accepted the weak option (this rule requires
tls.established:true).
Response and remediation
- Block or proxy traffic to the destination if downgrade appears attacker-driven.
- Patch or replace the client or server that accepted deprecated TLS.
- Enable TLS 1.2+ minimums on egress proxies and inspect for MITM appliances forcing weak negotiation.
References
Related rules
- Multiple DHCP Servers Responding to the Same Transaction
- Potential DHCP Starvation via High Client MAC Cardinality
- Web Server Potential SQL Injection Request
- Splunk Enterprise PostgreSQL Backup-to-Restore Potential RCE Sequence
- Splunk Enterprise PostgreSQL Recovery Endpoint Injection Artifacts