Processes that normally do not initiate network connections establishing outbound encrypted TLS/SSL sessions, especially with asymmetric traffic volumes (client sending more than receiving) or non-standard certificate chains. Defender observations correlate process creation with unexpected network encryption libraries being loaded.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| AllowedEncryptedProcesses | Whitelist processes expected to use TLS (e.g., browsers, mail clients). |
| EntropyThreshold | Payload randomness threshold to distinguish C2 encryption from legitimate traffic. |
| TimeWindow | Correlation window between process creation, module load, and encrypted connection. |
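The Sysmon correlation described above, written out as an added example (not code from the original page or from any detection vendor): module-load events (EventCode 7) for a TLS library are joined to outbound connections (EventCode 3) of the same process within `TimeWindow`, and any process not in `AllowedEncryptedProcesses` produces an alert. The module list, whitelist, window and the flattened Sysmon-style sample events are all constructed assumptions.

```python
"""Correlate Sysmon module loads (EventCode 7) with outbound connections
(EventCode 3) to surface processes that unexpectedly start speaking TLS."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables named after the detection's fields; the values are assumptions.
ALLOWED_ENCRYPTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
TIME_WINDOW = timedelta(seconds=60)
# Assumed set of Windows TLS/crypto modules worth correlating on (Schannel/CNG, OpenSSL).
TLS_MODULES = {"schannel.dll", "ncrypt.dll", "libssl-3-x64.dll", "libssl-1_1-x64.dll"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(event: dict) -> datetime:
    """Sysmon UtcTime has the form 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def correlate(events, allowed=ALLOWED_ENCRYPTED_PROCESSES,
              window=TIME_WINDOW, tls_modules=TLS_MODULES):
    """Return one alert per outbound connection made by a non-whitelisted
    process that loaded a TLS module within `window` of that connection."""
    loads = defaultdict(list)   # ProcessGuid -> [(time, module name)]
    conns = defaultdict(list)   # ProcessGuid -> [EventCode 3 events]
    for ev in events:
        if ev["EventCode"] == 7 and _basename(ev["ImageLoaded"]) in tls_modules:
            loads[ev["ProcessGuid"]].append((_ts(ev), _basename(ev["ImageLoaded"])))
        elif ev["EventCode"] == 3 and str(ev.get("Initiated", "false")).lower() == "true":
            conns[ev["ProcessGuid"]].append(ev)   # only process-initiated (outbound) connections

    alerts = []
    for guid, conn_events in conns.items():
        for conn in conn_events:
            if _basename(conn["Image"]) in allowed:
                continue
            t_conn = _ts(conn)
            for t_load, module in loads.get(guid, []):
                if abs(t_conn - t_load) <= window:
                    alerts.append({
                        "process_guid": guid,
                        "image": _basename(conn["Image"]),
                        "module": module,
                        "dest": f'{conn["DestinationIp"]}:{conn["DestinationPort"]}',
                        "time": conn["UtcTime"],
                    })
                    break   # one alert per connection is enough
    return alerts


# Constructed sample events (Sysmon field names, flattened into dicts).
SAMPLE_EVENTS = [
    # svc.exe: loads schannel.dll, then connects out 5 s later -> should alert
    {"EventCode": 7, "UtcTime": "2024-05-01 10:00:00.000", "ProcessGuid": "{A}",
     "Image": r"C:\Windows\Temp\svc.exe", "ImageLoaded": r"C:\Windows\System32\schannel.dll"},
    {"EventCode": 3, "UtcTime": "2024-05-01 10:00:05.000", "ProcessGuid": "{A}",
     "Image": r"C:\Windows\Temp\svc.exe", "DestinationIp": "203.0.113.7",
     "DestinationPort": 443, "Initiated": "true"},
    # chrome.exe does the same but is whitelisted -> no alert
    {"EventCode": 7, "UtcTime": "2024-05-01 10:01:00.000", "ProcessGuid": "{B}",
     "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\schannel.dll"},
    {"EventCode": 3, "UtcTime": "2024-05-01 10:01:02.000", "ProcessGuid": "{B}",
     "Image": r"C:\Program Files\Google\Chrome\chrome.exe", "DestinationIp": "198.51.100.20",
     "DestinationPort": 443, "Initiated": "true"},
    # notepad.exe: module load and connection are 5 minutes apart -> outside window
    {"EventCode": 7, "UtcTime": "2024-05-01 10:05:00.000", "ProcessGuid": "{C}",
     "Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Windows\System32\ncrypt.dll"},
    {"EventCode": 3, "UtcTime": "2024-05-01 10:10:00.000", "ProcessGuid": "{C}",
     "Image": r"C:\Windows\System32\notepad.exe", "DestinationIp": "192.0.2.9",
     "DestinationPort": 443, "Initiated": "true"},
    # inbound connection to svc.exe (Initiated=false) is ignored
    {"EventCode": 3, "UtcTime": "2024-05-01 10:00:06.000", "ProcessGuid": "{A}",
     "Image": r"C:\Windows\Temp\svc.exe", "DestinationIp": "10.0.0.5",
     "DestinationPort": 50000, "Initiated": "false"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Process creation (EventCode 1) is deliberately not required as a third join key here: the `ProcessGuid` shared by the module-load and network events already ties both to one process instance, so the window only needs to bound the gap between library load and connection.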
Processes like curl, wget, python, socat, or custom binaries initiating TLS/SSL sessions to non-standard destinations. Defender sees abnormal syscalls for connect(), loading of libssl libraries, and persistent outbound encrypted traffic from daemons not normally communicating externally.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | auditd:SYSCALL | socket/connect with TLS context by unexpected process |
| Application Log Content (DC0038) | linux:syslog | system daemons initiating TLS sessions outside expected services |
| Process Creation (DC0032) | linux:osquery | Processes linked with libssl or crypto libraries making outbound connections |

| Field | Description |
|---|---|
| WhitelistedDaemons | Legitimate system services expected to use TLS (e.g., package updates). |
| CertificateAuthorities | Trusted CAs; flag self-signed or unrecognized certs. |
Applications or launchd jobs initiating encrypted TLS traffic to rare external hosts. Defender observes unified logs showing SSL/TLS API calls by processes not baseline-approved, and payload entropy suggesting encrypted C2 sessions.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | Encrypted session initiation by unexpected binary |
| Process Creation (DC0032) | macos:unifiedlog | Process invoking SSL routines from Security framework |

| Field | Description |
|---|---|
| DoHResolvers | Known legitimate DoH endpoints to reduce false positives. |
| PayloadEntropyThreshold | High-entropy traffic deviations used to detect concealed channels. |
VMware management daemons or guest processes initiating encrypted connections outside expected vCenter, update servers, or internal comms. Defender identifies hostd or vpxa initiating outbound TLS flows with uncommon destinations.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | esxi:vpxd | TLS session established by ESXi service to unapproved endpoint |
| Network Traffic Content (DC0085) | esxi:vmkernel | Inspection of sockets showing encrypted sessions from non-baseline processes |

| Field | Description |
|---|---|
| AllowedMgmtHosts | Baseline approved endpoints for vCenter or update services. |
Unusual TLS tunnels through ports not normally encrypted (e.g., TLS on port 8080, 53). Defender sees NetFlow/IPFIX or packet inspection indicating high-entropy traffic volumes and asymmetric client/server exchange ratios.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | NSM:Flow | Session records with TLS-like byte patterns |
| Network Traffic Content (DC0085) | NSM:Connections | Abnormal certificate chains or non-standard ports carrying TLS |

| Field | Description |
|---|---|
| PortProfiles | Define expected TLS port usage to flag anomalies. |
| TrafficAsymmetryRatio | Sent/received byte thresholds to catch hidden C2. |
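The network analytic above, and the entropy thresholds the Windows and macOS sections rely on, as one added example that is not part of the original page: each flow record is scored for a TLS-looking client payload on a port outside `PortProfiles`, for Shannon entropy of the payload sample at or above the entropy threshold, and for a sent/received byte ratio at or above `TrafficAsymmetryRatio`. The port profile, thresholds, record layout and sample flows are constructed assumptions; the TLS heuristic is the record-header check (content type 0x16, version 0x03.xx) rather than a full handshake parser.

```python
"""Score flow records for TLS on unexpected ports, high-entropy payloads and
upload-heavy asymmetry (PortProfiles / EntropyThreshold / TrafficAsymmetryRatio)."""
import math
from collections import Counter

# Assumed tunables.
PORT_PROFILES = {443, 465, 636, 853, 993, 995, 8443}   # ports where TLS is expected
ENTROPY_THRESHOLD = 7.0        # bits per byte; random/encrypted data approaches 8.0
TRAFFIC_ASYMMETRY_RATIO = 3.0  # bytes_sent / bytes_recv above which upload looks like exfil or C2 beaconing


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_tls(payload: bytes) -> bool:
    """True if the first bytes form a TLS record header: handshake content type
    0x16 followed by a 0x03.xx protocol version (SSL 3.0 through TLS 1.3 wire versions)."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04


def score_flow(flow, port_profiles=PORT_PROFILES, entropy_threshold=ENTROPY_THRESHOLD,
               asymmetry_ratio=TRAFFIC_ASYMMETRY_RATIO):
    """Return the list of reasons a flow record is suspicious (empty if none)."""
    reasons = []
    payload = flow["client_payload"]
    if looks_like_tls(payload) and flow["dport"] not in port_profiles:
        reasons.append("tls_on_unexpected_port")
    if shannon_entropy(payload) >= entropy_threshold:
        reasons.append("high_entropy_payload")
    received = max(flow["bytes_recv"], 1)   # avoid division by zero on one-way flows
    if flow["bytes_sent"] / received >= asymmetry_ratio:
        reasons.append("asymmetric_upload")
    return reasons


def analyze(flows, **thresholds):
    """Map each flow id to its reasons; flows with an empty list are benign under these rules."""
    return {flow["id"]: score_flow(flow, **thresholds) for flow in flows}


# Constructed sample flows: (id, destination, port, byte counters, first client payload bytes).
SAMPLE_FLOWS = [
    # Ordinary HTTPS download: TLS on 443, low-entropy ClientHello sample, mostly inbound bytes.
    {"id": "flow-1", "dst": "198.51.100.20", "dport": 443, "bytes_sent": 1_200, "bytes_recv": 50_000,
     "client_payload": b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + b"\x00" * 32},
    # TLS record header on port 53, random-looking payload, client uploads far more than it receives.
    {"id": "flow-2", "dst": "203.0.113.7", "dport": 53, "bytes_sent": 80_000, "bytes_recv": 2_000,
     "client_payload": b"\x16\x03\x03" + bytes(range(256)) * 4},
    # Plain HTTP on 8080: not TLS, low entropy, download-heavy -> nothing to flag.
    {"id": "flow-3", "dst": "10.0.0.8", "dport": 8080, "bytes_sent": 400, "bytes_recv": 5_000,
     "client_payload": b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"},
]

if __name__ == "__main__":
    for flow_id, reasons in analyze(SAMPLE_FLOWS).items():
        print(flow_id, reasons or "ok")
```

The three signals are scored independently so a tuning change to one threshold does not silence the others; in practice the entropy check is the noisiest of the three, since any legitimate TLS application data is also high-entropy, which is why it is paired with the port and asymmetry checks rather than used alone.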