← Back to Explore
elasticmediumTTP
Deprecated TLS Version or Weak Cipher Negotiated Externally
Identifies successful outbound TLS sessions that negotiate deprecated protocol versions (SSLv3, TLS 1.0, or TLS 1.1) or weak cipher suites such as RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Adversaries-in-the-middle and legacy malware often force these negotiations to decrypt or intercept traffic. Modern clients and services should negotiate TLS 1.2 or 1.3 with strong ciphers on internet-bound connections.
Detection Query
data_stream.dataset:network_traffic.tls
and network.protocol: tls
and network.transport: tcp
and tls.established: true
and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
and not destination.ip:(
10.0.0.0/8 or
100.64.0.0/10 or
127.0.0.0/8 or
169.254.0.0/16 or
172.16.0.0/12 or
192.0.0.0/24 or
192.0.0.0/29 or
192.0.0.10/32 or
192.0.0.170/32 or
192.0.0.171/32 or
192.0.0.8/32 or
192.0.0.9/32 or
192.0.2.0/24 or
192.168.0.0/16 or
192.175.48.0/24 or
192.31.196.0/24 or
192.52.193.0/24 or
192.88.99.0/24 or
198.18.0.0/15 or
198.51.100.0/24 or
203.0.113.0/24 or
224.0.0.0/4 or
240.0.0.0/4 or
"::1" or
"FE80::/10" or
"FF00::/8"
)
and (
tls.version:(1.0 or 1.1) or
(tls.version_protocol:ssl and tls.version:3.0) or
(
not tls.version:1.3 and (
tls.cipher:(
*RC4* or
*3DES* or
*NULL* or
*EXPORT* or
*_anon_* or
*ADH* or
*AECDH*
)
)
)
)
Author
Elastic
Created
2026/06/25
Data Sources
Network Trafficlogs-network_traffic.tls-*
References
Tags
Domain: NetworkUse Case: Network Security MonitoringUse Case: Threat DetectionData Source: Network TrafficTactic: Credential AccessTactic: Command and ControlResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/06/25"
integration = ["network_traffic"]
maturity = "production"
updated_date = "2026/06/25"
[rule]
author = ["Elastic"]
description = """
Identifies successful outbound TLS sessions that negotiate deprecated protocol versions (SSLv3, TLS 1.0, or TLS 1.1) or
weak cipher suites such as RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Adversaries-in-the-middle and legacy
malware often force these negotiations to decrypt or intercept traffic. Modern clients and services should negotiate TLS
1.2 or 1.3 with strong ciphers on internet-bound connections.
"""
false_positives = [
"""
Legacy internal applications, industrial control systems, or embedded devices may still require deprecated TLS
versions or weak ciphers. Exclude known legacy destination IPs or subnets after validation.
""",
]
from = "now-9m"
index = ["logs-network_traffic.tls-*"]
language = "kuery"
license = "Elastic License v2"
name = "Deprecated TLS Version or Weak Cipher Negotiated Externally"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Deprecated TLS Version or Weak Cipher Negotiated Externally
TLS downgrade and weak-cipher negotiation expose sessions to interception or decryption. This rule flags completed
outbound TLS handshakes from internal hosts to external destinations that negotiated SSLv3, TLS 1.0, TLS 1.1, or a
cipher suite containing RC4, 3DES, NULL, EXPORT, or anonymous key exchange material.
### Possible investigation steps
- Review `source.ip`, `destination.ip`, `destination.port`, `tls.version`, `tls.version_protocol`, and `tls.cipher`.
- Determine whether the destination is a known legacy partner, vendor appliance, or unmanaged IoT device.
- Check for concurrent alerts on the source host (credential access, C2, or proxy manipulation).
- Compare against baseline: does this destination normally negotiate modern TLS from other clients?
### False positive analysis
- Exclude validated legacy B2B endpoints, mainframe gateways, or SCADA systems that cannot be upgraded immediately.
- Some older mobile or embedded clients may still offer weak ciphers even when connecting to modern services; confirm
whether the server accepted the weak option (this rule requires `tls.established:true`).
### Response and remediation
- Block or proxy traffic to the destination if downgrade appears attacker-driven.
- Patch or replace the client or server that accepted deprecated TLS.
- Enable TLS 1.2+ minimums on egress proxies and inspect for MITM appliances forcing weak negotiation.
"""
references = [
"https://attack.mitre.org/techniques/T1557/",
"https://www.elastic.co/docs/reference/integrations/network_traffic",
"https://www.elastic.co/docs/reference/ecs/ecs-tls",
"https://www.rfc-editor.org/rfc/rfc9325.html",
]
risk_score = 47
rule_id = "d994a184-ab93-4cff-8fb6-31a4b4dd18b1"
setup = """## Setup
This rule requires TLS metadata from the Elastic network_traffic integration (`network_traffic.tls` data stream) that
populates ECS `tls.version`, `tls.version_protocol`, `tls.cipher`, and `tls.established` fields.
"""
severity = "medium"
tags = [
"Domain: Network",
"Use Case: Network Security Monitoring",
"Use Case: Threat Detection",
"Data Source: Network Traffic",
"Tactic: Credential Access",
"Tactic: Command and Control",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
data_stream.dataset:network_traffic.tls
and network.protocol: tls
and network.transport: tcp
and tls.established: true
and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
and not destination.ip:(
10.0.0.0/8 or
100.64.0.0/10 or
127.0.0.0/8 or
169.254.0.0/16 or
172.16.0.0/12 or
192.0.0.0/24 or
192.0.0.0/29 or
192.0.0.10/32 or
192.0.0.170/32 or
192.0.0.171/32 or
192.0.0.8/32 or
192.0.0.9/32 or
192.0.2.0/24 or
192.168.0.0/16 or
192.175.48.0/24 or
192.31.196.0/24 or
192.52.193.0/24 or
192.88.99.0/24 or
198.18.0.0/15 or
198.51.100.0/24 or
203.0.113.0/24 or
224.0.0.0/4 or
240.0.0.0/4 or
"::1" or
"FE80::/10" or
"FF00::/8"
)
and (
tls.version:(1.0 or 1.1) or
(tls.version_protocol:ssl and tls.version:3.0) or
(
not tls.version:1.3 and (
tls.cipher:(
*RC4* or
*3DES* or
*NULL* or
*EXPORT* or
*_anon_* or
*ADH* or
*AECDH*
)
)
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1557"
name = "Adversary-in-the-Middle"
reference = "https://attack.mitre.org/techniques/T1557/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1573"
name = "Encrypted Channel"
reference = "https://attack.mitre.org/techniques/T1573/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[rule.new_terms]
field = "new_terms_fields"
value = ["source.ip", "destination.ip", "tls.version"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"