Deprecated TLS Version or Weak Cipher Negotiated Externally
editDeprecated TLS Version or Weak Cipher Negotiated Externally
editIdentifies successful outbound TLS sessions that negotiate deprecated protocol versions (SSLv3, TLS 1.0, or TLS 1.1) or weak cipher suites such as RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Adversaries-in-the-middle and legacy malware often force these negotiations to decrypt or intercept traffic. Modern clients and services should negotiate TLS 1.2 or 1.3 with strong ciphers on internet-bound connections.
Rule type: new_terms
Rule indices:
- logs-network_traffic.tls-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Network
- Use Case: Network Security Monitoring
- Use Case: Threat Detection
- Data Source: Network Traffic
- Tactic: Credential Access
- Tactic: Command and Control
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Deprecated TLS Version or Weak Cipher Negotiated Externally
TLS downgrade and weak-cipher negotiation expose sessions to interception or decryption. This rule flags completed outbound TLS handshakes from internal hosts to external destinations that negotiated SSLv3, TLS 1.0, TLS 1.1, or a cipher suite containing RC4, 3DES, NULL, EXPORT, or anonymous key exchange material.
Possible investigation steps
-
Review
source.ip,destination.ip,destination.port,tls.version,tls.version_protocol, andtls.cipher. - Determine whether the destination is a known legacy partner, vendor appliance, or unmanaged IoT device.
- Check for concurrent alerts on the source host (credential access, C2, or proxy manipulation).
- Compare against baseline: does this destination normally negotiate modern TLS from other clients?
False positive analysis
- Exclude validated legacy B2B endpoints, mainframe gateways, or SCADA systems that cannot be upgraded immediately.
-
Some older mobile or embedded clients may still offer weak ciphers even when connecting to modern services; confirm
whether the server accepted the weak option (this rule requires
tls.established:true).
Response and remediation
- Block or proxy traffic to the destination if downgrade appears attacker-driven.
- Patch or replace the client or server that accepted deprecated TLS.
- Enable TLS 1.2+ minimums on egress proxies and inspect for MITM appliances forcing weak negotiation.
Setup
editSetup
This rule requires TLS metadata from the Elastic network_traffic integration (network_traffic.tls data stream) that
populates ECS tls.version, tls.version_protocol, tls.cipher, and tls.established fields.
Rule query
editdata_stream.dataset:network_traffic.tls
and network.protocol: tls
and network.transport: tcp
and tls.established: true
and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
and not destination.ip:(
10.0.0.0/8 or
100.64.0.0/10 or
127.0.0.0/8 or
169.254.0.0/16 or
172.16.0.0/12 or
192.0.0.0/24 or
192.0.0.0/29 or
192.0.0.10/32 or
192.0.0.170/32 or
192.0.0.171/32 or
192.0.0.8/32 or
192.0.0.9/32 or
192.0.2.0/24 or
192.168.0.0/16 or
192.175.48.0/24 or
192.31.196.0/24 or
192.52.193.0/24 or
192.88.99.0/24 or
198.18.0.0/15 or
198.51.100.0/24 or
203.0.113.0/24 or
224.0.0.0/4 or
240.0.0.0/4 or
"::1" or
"FE80::/10" or
"FF00::/8"
)
and (
tls.version:(1.0 or 1.1) or
(tls.version_protocol:ssl and tls.version:3.0) or
(
not tls.version:1.3 and (
tls.cipher:(
*RC4* or
*3DES* or
*NULL* or
*EXPORT* or
*_anon_* or
*ADH* or
*AECDH*
)
)
)
)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Adversary-in-the-Middle
- ID: T1557
- Reference URL: https://attack.mitre.org/techniques/T1557/
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Encrypted Channel
- ID: T1573
- Reference URL: https://attack.mitre.org/techniques/T1573/