Deprecated TLS Version or Weak Cipher Negotiated Externally

Identifies successful outbound TLS sessions that negotiate deprecated protocol versions (SSLv3, TLS 1.0, or TLS 1.1) or weak cipher suites such as RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Adversaries-in-the-middle and legacy malware often force these negotiations to decrypt or intercept traffic. Modern clients and services should negotiate TLS 1.2 or 1.3 with strong ciphers on internet-bound connections.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/06/25"
  3integration = ["network_traffic"]
  4maturity = "production"
  5updated_date = "2026/06/25"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies successful outbound TLS sessions that negotiate deprecated protocol versions (SSLv3, TLS 1.0, or TLS 1.1) or
 11weak cipher suites such as RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Adversaries-in-the-middle and legacy
 12malware often force these negotiations to decrypt or intercept traffic. Modern clients and services should negotiate TLS
 131.2 or 1.3 with strong ciphers on internet-bound connections.
 14"""
 15false_positives = [
 16    """
 17    Legacy internal applications, industrial control systems, or embedded devices may still require deprecated TLS
 18    versions or weak ciphers. Exclude known legacy destination IPs or subnets after validation.
 19    """,
 20]
 21from = "now-9m"
 22index = ["logs-network_traffic.tls-*"]
 23language = "kuery"
 24license = "Elastic License v2"
 25name = "Deprecated TLS Version or Weak Cipher Negotiated Externally"
 26note = """## Triage and analysis
 27
 28> **Disclaimer**:
 29> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 30
 31### Investigating Deprecated TLS Version or Weak Cipher Negotiated Externally
 32
 33TLS downgrade and weak-cipher negotiation expose sessions to interception or decryption. This rule flags completed
 34outbound TLS handshakes from internal hosts to external destinations that negotiated SSLv3, TLS 1.0, TLS 1.1, or a
 35cipher suite containing RC4, 3DES, NULL, EXPORT, or anonymous key exchange material.
 36
 37### Possible investigation steps
 38
 39- Review `source.ip`, `destination.ip`, `destination.port`, `tls.version`, `tls.version_protocol`, and `tls.cipher`.
 40- Determine whether the destination is a known legacy partner, vendor appliance, or unmanaged IoT device.
 41- Check for concurrent alerts on the source host (credential access, C2, or proxy manipulation).
 42- Compare against baseline: does this destination normally negotiate modern TLS from other clients?
 43
 44### False positive analysis
 45
 46- Exclude validated legacy B2B endpoints, mainframe gateways, or SCADA systems that cannot be upgraded immediately.
 47- Some older mobile or embedded clients may still offer weak ciphers even when connecting to modern services; confirm
 48  whether the server accepted the weak option (this rule requires `tls.established:true`).
 49
 50### Response and remediation
 51
 52- Block or proxy traffic to the destination if downgrade appears attacker-driven.
 53- Patch or replace the client or server that accepted deprecated TLS.
 54- Enable TLS 1.2+ minimums on egress proxies and inspect for MITM appliances forcing weak negotiation.
 55"""
 56references = [
 57    "https://attack.mitre.org/techniques/T1557/",
 58    "https://www.elastic.co/docs/reference/integrations/network_traffic",
 59    "https://www.elastic.co/docs/reference/ecs/ecs-tls",
 60    "https://www.rfc-editor.org/rfc/rfc9325.html",
 61]
 62risk_score = 47
 63rule_id = "d994a184-ab93-4cff-8fb6-31a4b4dd18b1"
 64setup = """## Setup
 65
 66This rule requires TLS metadata from the Elastic network_traffic integration (`network_traffic.tls` data stream) that
 67populates ECS `tls.version`, `tls.version_protocol`, `tls.cipher`, and `tls.established` fields.
 68"""
 69severity = "medium"
 70tags = [
 71    "Domain: Network",
 72    "Use Case: Network Security Monitoring",
 73    "Use Case: Threat Detection",
 74    "Data Source: Network Traffic",
 75    "Tactic: Credential Access",
 76    "Tactic: Command and Control",
 77    "Resources: Investigation Guide",
 78]
 79timestamp_override = "event.ingested"
 80type = "new_terms"
 81
 82query = '''
 83data_stream.dataset:network_traffic.tls
 84  and network.protocol: tls
 85  and network.transport: tcp
 86  and tls.established: true
 87  and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 88  and not destination.ip:(
 89    10.0.0.0/8 or
 90    100.64.0.0/10 or
 91    127.0.0.0/8 or
 92    169.254.0.0/16 or
 93    172.16.0.0/12 or
 94    192.0.0.0/24 or
 95    192.0.0.0/29 or
 96    192.0.0.10/32 or
 97    192.0.0.170/32 or
 98    192.0.0.171/32 or
 99    192.0.0.8/32 or
100    192.0.0.9/32 or
101    192.0.2.0/24 or
102    192.168.0.0/16 or
103    192.175.48.0/24 or
104    192.31.196.0/24 or
105    192.52.193.0/24 or
106    192.88.99.0/24 or
107    198.18.0.0/15 or
108    198.51.100.0/24 or
109    203.0.113.0/24 or
110    224.0.0.0/4 or
111    240.0.0.0/4 or
112    "::1" or
113    "FE80::/10" or
114    "FF00::/8"
115  )
116  and (
117    tls.version:(1.0 or 1.1) or
118    (tls.version_protocol:ssl and tls.version:3.0) or
119    (
120      not tls.version:1.3 and (
121        tls.cipher:(
122          *RC4* or
123          *3DES* or
124          *NULL* or
125          *EXPORT* or
126          *_anon_* or
127          *ADH* or
128          *AECDH*
129        )
130      )
131    )
132  )
133'''
134
135
136[[rule.threat]]
137framework = "MITRE ATT&CK"
138[[rule.threat.technique]]
139id = "T1557"
140name = "Adversary-in-the-Middle"
141reference = "https://attack.mitre.org/techniques/T1557/"
142
143
144[rule.threat.tactic]
145id = "TA0006"
146name = "Credential Access"
147reference = "https://attack.mitre.org/tactics/TA0006/"
148[[rule.threat]]
149framework = "MITRE ATT&CK"
150[[rule.threat.technique]]
151id = "T1573"
152name = "Encrypted Channel"
153reference = "https://attack.mitre.org/techniques/T1573/"
154
155
156[rule.threat.tactic]
157id = "TA0011"
158name = "Command and Control"
159reference = "https://attack.mitre.org/tactics/TA0011/"
160
161[rule.new_terms]
162field = "new_terms_fields"
163value = ["source.ip", "destination.ip", "tls.version"]
164[[rule.new_terms.history_window_start]]
165field = "history_window_start"
166value = "now-7d"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Deprecated TLS Version or Weak Cipher Negotiated Externally

TLS downgrade and weak-cipher negotiation expose sessions to interception or decryption. This rule flags completed outbound TLS handshakes from internal hosts to external destinations that negotiated SSLv3, TLS 1.0, TLS 1.1, or a cipher suite containing RC4, 3DES, NULL, EXPORT, or anonymous key exchange material.

Possible investigation steps

  • Review source.ip, destination.ip, destination.port, tls.version, tls.version_protocol, and tls.cipher.
  • Determine whether the destination is a known legacy partner, vendor appliance, or unmanaged IoT device.
  • Check for concurrent alerts on the source host (credential access, C2, or proxy manipulation).
  • Compare against baseline: does this destination normally negotiate modern TLS from other clients?

False positive analysis

  • Exclude validated legacy B2B endpoints, mainframe gateways, or SCADA systems that cannot be upgraded immediately.
  • Some older mobile or embedded clients may still offer weak ciphers even when connecting to modern services; confirm whether the server accepted the weak option (this rule requires tls.established:true).

Response and remediation

  • Block or proxy traffic to the destination if downgrade appears attacker-driven.
  • Patch or replace the client or server that accepted deprecated TLS.
  • Enable TLS 1.2+ minimums on egress proxies and inspect for MITM appliances forcing weak negotiation.

References

Related rules

to-top