Windows (Sysmon): detects non-browser processes that apply a symmetric cipher themselves (e.g., AES through PowerShell's .NET cryptography classes or a custom script) instead of relying on a standard encrypted protocol, and then open outbound connections to external destinations that the binary does not normally contact.
| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Field | Description |
|---|---|
| PayloadEntropyThreshold | Entropy (bits per byte) above which a payload carried on a port or protocol that is not normally encrypted is treated as ciphertext. |
| TimeWindow | Hours during which outbound transfers are expected; traffic outside that window (e.g., after business hours) is treated as anomalous. |
| ExecutableAllowlist | List of known-good binaries for encrypted traffic (e.g., Chrome, Outlook). |
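
The Windows analytic above as runnable detection logic, added here as an example (not code from the ATT&CK page): it joins Sysmon EventCode 1 to EventCode 3 by `ProcessGuid`, drops allowlisted browsers and mail clients, requires a symmetric-cipher indicator in the command line, restricts to external destinations, and applies the TimeWindow and PayloadEntropyThreshold elements. The allowlist, indicator regex, thresholds and all sample events are constructed assumptions; `PayloadSample` is a stand-in for bytes that would come from an NSM capture, since Sysmon itself records no payload.

```python
"""Correlate Sysmon process creation (EventCode 1) with network connection
(EventCode 3) to flag hand-rolled symmetric crypto followed by external egress.
Added example; every event below is constructed, not real telemetry."""
import ipaddress
import math
import re
from collections import Counter
from datetime import datetime, timedelta

# Mutable elements from the analytic; these values are assumptions, tune per environment.
EXECUTABLE_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
TIME_WINDOW = timedelta(seconds=120)   # connection must follow process start within this window
BUSINESS_HOURS = (8, 18)               # UTC hours considered normal; outside adds a reason
PAYLOAD_ENTROPY_THRESHOLD = 7.0        # bits per byte; AES ciphertext approaches 8.0

# Internal ranges listed explicitly: ipaddress's is_private also treats the RFC 5737
# documentation ranges (e.g. 203.0.113.0/24) as private, which would hide the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Command-line fragments indicating direct symmetric-cipher use (assumed list).
CRYPTO_INDICATOR = re.compile(
    r"AesManaged|AesCryptoServiceProvider|Cryptography\.Aes\]|CreateEncryptor|"
    r"openssl\s+enc|-aes-\d{3}-\w+|gpg\s+(?:--symmetric|-c)\b|AES\.new\(",
    re.IGNORECASE,
)

SAMPLE_EVENTS = [  # constructed Sysmon-shaped records
    # Suspicious: PowerShell builds an AES encryptor, then connects out at 02:14 UTC.
    {"EventCode": 1, "UtcTime": "2024-05-01 02:14:03.120", "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoP -c "$a=[System.Security.Cryptography.Aes]::Create(); $c=$a.CreateEncryptor()"'},
    {"EventCode": 3, "UtcTime": "2024-05-01 02:14:20.500", "ProcessGuid": "{A1}", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8443,
     "PayloadSample": bytes(range(256))},   # constructed stand-in for an NSM payload capture
    # Benign: allowlisted browser.
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:00.000", "ProcessGuid": "{B2}",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "CommandLine": "chrome.exe --type=utility"},
    {"EventCode": 3, "UtcTime": "2024-05-01 10:00:01.000", "ProcessGuid": "{B2}", "Initiated": "true",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    # Benign: script with no crypto indicator.
    {"EventCode": 1, "UtcTime": "2024-05-01 11:30:00.000", "ProcessGuid": "{C3}",
     "Image": r"C:\Python312\python.exe", "CommandLine": "python.exe sync_reports.py"},
    {"EventCode": 3, "UtcTime": "2024-05-01 11:30:05.000", "ProcessGuid": "{C3}", "Initiated": "true",
     "DestinationIp": "198.51.100.5", "DestinationPort": 22},
    # Not flagged: AES on the command line, but the connection stays internal.
    {"EventCode": 1, "UtcTime": "2024-05-01 11:00:00.000", "ProcessGuid": "{D4}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c [System.Security.Cryptography.AesManaged]::new()"},
    {"EventCode": 3, "UtcTime": "2024-05-01 11:00:02.000", "ProcessGuid": "{D4}", "Initiated": "true",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect(events, allowlist=EXECUTABLE_ALLOWLIST, window=TIME_WINDOW):
    creations = {e["ProcessGuid"]: e for e in events if e["EventCode"] == 1}
    alerts = []
    for conn in (e for e in events if e["EventCode"] == 3):
        if conn.get("Initiated", "true").lower() != "true":
            continue                                    # inbound connections are out of scope
        proc = creations.get(conn["ProcessGuid"])
        if proc is None or not is_external(conn["DestinationIp"]):
            continue
        image = proc["Image"].rsplit("\\", 1)[-1].lower()
        if image in allowlist or not CRYPTO_INDICATOR.search(proc["CommandLine"]):
            continue
        started, connected = parse_time(proc["UtcTime"]), parse_time(conn["UtcTime"])
        if not timedelta(0) <= connected - started <= window:
            continue
        reasons = ["crypto_indicator_in_cmdline", "non_allowlisted_binary"]
        if not BUSINESS_HOURS[0] <= connected.hour < BUSINESS_HOURS[1]:
            reasons.append("outside_business_hours")
        payload = conn.get("PayloadSample")
        if payload is not None and shannon_entropy(payload) >= PAYLOAD_ENTROPY_THRESHOLD:
            reasons.append("high_entropy_payload")
        alerts.append({"ProcessGuid": proc["ProcessGuid"], "Image": proc["Image"],
                       "DestinationIp": conn["DestinationIp"], "DestinationPort": conn["DestinationPort"],
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the `{A1}` PowerShell pair fires: the Chrome pair is allowlisted, the Python script has no cipher indicator, and the `{D4}` PowerShell connects to an RFC 1918 address. Keying the join on `ProcessGuid` rather than `ProcessId` matters because Sysmon PIDs are reused within the correlation window.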
Linux (auditd, NSM): detects command-line utilities or scripts that call encryption libraries or symmetric ciphers directly (e.g., `openssl enc` with an AES mode, `gpg --symmetric`, Python with PyCrypto) when they are followed by an outbound file transfer or other traffic to an external destination.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Connection Creation (DC0082) | auditd:SYSCALL | connect |
| Network Traffic Flow (DC0078) | NSM:Flow | conn.log or flow data |
| Network Traffic Content (DC0085) | NSM:Flow | ssl.log (for TLS handshake analysis), dns.log (tunneling indicators) |
| Field | Description |
|---|---|
| FileTransferIndicator | Size threshold or file extensions (archives, database dumps) that mark an outbound transfer as worth correlating with an encryption command. |
| LibraryCallTracking | Hooks into use of encryption libraries such as `libcrypto.so`, `pycrypto`, or `gpg` (e.g., auditd watches on the library or tool binaries). |
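
The Linux analytic above as runnable detection logic, added here as an example (not code from the ATT&CK page): it parses raw auditd records, rebuilds `execve` argv (decoding the unquoted hex form auditd uses for arguments containing special characters), decodes `connect()` destinations from the `SOCKADDR` `saddr` blob, and flags an encryption command followed within a window, in the same login session (`ses`), by an outbound connection to an external host. Syscall numbers assume x86_64 (`arch=c000003e`); the indicator regex, extension list, window and every log line are constructed assumptions.

```python
"""Parse auditd SYSCALL/EXECVE/SOCKADDR records and correlate a symmetric
encryption command with a later external connect() in the same session.
Added example; the audit log below is constructed, not real telemetry."""
import ipaddress
import re

AUDIT_LINE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX = re.compile(r"^[0-9A-Fa-f]+$")
SYS_EXECVE, SYS_CONNECT = "59", "42"          # x86_64 syscall numbers (assumed arch)
# Assumed indicator list for direct symmetric-cipher use on the command line.
CRYPTO_TOOL = re.compile(r"openssl\s+enc\b.*-aes-|gpg\b.*(?:--symmetric|\s-c\b)|Crypto\.Cipher|AES\.new\(", re.I)
SENSITIVE_EXT = (".tar", ".zip", ".7z", ".sql", ".db", ".gz")   # FileTransferIndicator by extension
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714529643.120:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=1990 pid=2048 auid=1000 uid=1000 gid=1000 ses=7 comm="openssl" exe="/usr/bin/openssl" key="exec"
type=EXECVE msg=audit(1714529643.120:4567): argc=9 a0="openssl" a1="enc" a2="-aes-256-cbc" a3="-in" a4="/home/dev/db.tar" a5="-out" a6="/tmp/out.bin" a7="-pass" a8=706173733A6D7920736563726574
type=SYSCALL msg=audit(1714529648.000:4569): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd0 a2=6e a3=0 items=0 ppid=1990 pid=2049 auid=1000 uid=1000 gid=1000 ses=7 comm="gpg-agent" exe="/usr/bin/gpg-agent" key="net"
type=SOCKADDR msg=audit(1714529648.000:4569): saddr=01002F72756E2F757365722F313030302F67706700
type=SYSCALL msg=audit(1714529650.300:4570): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd1 a2=10 a3=0 items=0 ppid=1990 pid=2051 auid=1000 uid=1000 gid=1000 ses=7 comm="curl" exe="/usr/bin/curl" key="net"
type=SOCKADDR msg=audit(1714529650.300:4570): saddr=02001F90CB00710A0000000000000000
type=SYSCALL msg=audit(1714529660.000:4580): arch=c000003e syscall=42 success=yes exit=0 a0=9 a1=7ffd2 a2=10 a3=0 items=0 ppid=1500 pid=1600 auid=1001 uid=1001 gid=1001 ses=3 comm="firefox" exe="/usr/lib/firefox/firefox" key="net"
type=SOCKADDR msg=audit(1714529660.000:4580): saddr=020001BBCB0071140000000000000000
type=SYSCALL msg=audit(1714529665.000:4590): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd3 a2=10 a3=0 items=0 ppid=1990 pid=2052 auid=1000 uid=1000 gid=1000 ses=7 comm="ssh" exe="/usr/bin/ssh" key="net"
type=SOCKADDR msg=audit(1714529665.000:4590): saddr=020000160A0000050000000000000000
"""


def parse_audit(text):
    """Group records by audit serial; each event holds its SYSCALL plus EXECVE/SOCKADDR records."""
    events = {}
    for line in text.splitlines():
        m = AUDIT_LINE.match(line.strip())
        if not m:
            continue
        ev = events.setdefault(int(m["serial"]), {"ts": float(m["ts"])})
        ev[m["type"]] = dict(KV.findall(m["body"]))
    return [events[s] for s in sorted(events)]


def unq(v):
    return v[1:-1] if v.startswith('"') else v


def execve_argv(fields):
    """Rebuild argv; auditd hex-encodes (without quotes) any argument containing special characters."""
    argv = []
    for i in range(int(fields["argc"])):
        raw = fields.get(f"a{i}", '""')
        if raw.startswith('"'):
            argv.append(raw[1:-1])
        elif HEX.match(raw):
            argv.append(bytes.fromhex(raw).decode("utf-8", "replace"))
        else:
            argv.append(raw)
    return argv


def parse_sockaddr(saddr_hex):
    """Decode the SOCKADDR saddr blob: (ip, port) for AF_INET/AF_INET6, None for other families."""
    raw = bytes.fromhex(saddr_hex)
    family = int.from_bytes(raw[:2], "little")   # sa_family is host byte order
    port = int.from_bytes(raw[2:4], "big")       # sin_port is network byte order
    if family == 2 and len(raw) >= 8:            # AF_INET: sockaddr_in
        return str(ipaddress.IPv4Address(raw[4:8])), port
    if family == 10 and len(raw) >= 24:          # AF_INET6: sockaddr_in6, flowinfo occupies 4:8
        return str(ipaddress.IPv6Address(raw[8:24])), port
    return None


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events, window_s=300.0):
    crypto_execs, connects = [], []
    for ev in events:
        sc = ev.get("SYSCALL")
        if not sc:
            continue
        base = {"ts": ev["ts"], "ses": sc.get("ses"), "pid": sc.get("pid"), "exe": unq(sc.get("exe", '""'))}
        if sc.get("syscall") == SYS_EXECVE and "EXECVE" in ev:
            argv = execve_argv(ev["EXECVE"])
            if CRYPTO_TOOL.search(" ".join(argv)):
                crypto_execs.append({**base, "argv": argv,
                                     "sensitive_input": any(a.endswith(SENSITIVE_EXT) for a in argv)})
        elif sc.get("syscall") == SYS_CONNECT and "SOCKADDR" in ev:
            dest = parse_sockaddr(ev["SOCKADDR"]["saddr"])
            if dest and is_external(dest[0]):
                connects.append({**base, "dest": dest[0], "port": dest[1]})
    alerts = []
    for ce in crypto_execs:
        for c in connects:   # same login session, connect after the encryption command, inside the window
            if c["ses"] == ce["ses"] and 0 <= c["ts"] - ce["ts"] <= window_s:
                alerts.append({"ses": ce["ses"], "encrypt_exe": ce["exe"], "argv": ce["argv"],
                               "sensitive_input": ce["sensitive_input"], "connect_exe": c["exe"],
                               "dest": c["dest"], "port": c["port"], "delta_s": round(c["ts"] - ce["ts"], 3)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_audit(SAMPLE_AUDIT_LOG)):
        print(alert)
```

One alert results: `openssl enc -aes-256-cbc` on `db.tar` followed 7.18 s later by `curl` to 203.0.113.10:8080 in session 7. The `gpg-agent` connect is to an AF_UNIX socket and is ignored, the `ssh` connect is internal, and the `firefox` connect belongs to another session. Correlating on `ses` rather than `pid` is deliberate: the encryption and the upload are usually two different processes in one interactive session.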
macOS (unified log, osquery): detects symmetric-key encryption operations (e.g., AES via Python, AppleScript, or OpenSSL) followed by outbound connections that do not fit the established profile of the originating non-browser application or scripted tool.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | log stream process subsystem |
| Network Traffic Flow (DC0078) | macos:osquery | socket_events |
| Network Connection Creation (DC0082) | macos:unifiedlog | log stream network activity |
| Field | Description |
|---|---|
| ApplicationProfileBaseline | Expected outbound connection profiles per app. |
| EncryptionRoutinePattern | Indicators of manual encryption operations (e.g., script strings invoking AES). |
ESXi: detects unexpected encrypted egress from management services (e.g., hostd) or guest VMs in which symmetric ciphertext is carried by a protocol that is not itself encrypted (e.g., AES ciphertext embedded in FTP transfers) instead of by TLS or SSH.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | esxi:vmkernel | egress log analysis |
| Command Execution (DC0064) | esxi:hostd | execution + payload hints |
| Network Traffic Content (DC0085) | NSM:Flow | host switch egress data |
| Field | Description |
|---|---|
| GuestVMExfilWatchlist | VMs with data sensitivity labels or outside normal behavior. |
| ServiceEgressProfile | Expected egress destinations and volume for core services. |
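
The baseline elements of the macOS analytic (ApplicationProfileBaseline) and the ESXi analytic (ServiceEgressProfile, GuestVMExfilWatchlist) share one mechanism: learn each source's expected destinations, ports and volume, then score new flows against it. The block below implements that once for both, as an added example that is not code from the ATT&CK page. It assumes flow records already normalised to `src`/`dest`/`port`/`bytes_out` (destinations from osquery `socket_events` or vmkernel egress logs, byte counts from NSM flow data); the baseline, the new flows, the sigma multipliers and the watchlist are all constructed.

```python
"""Per-source egress profile: known (dest, port) pairs, known ports and a
volume bound, with a tighter bound for watchlisted sources.
Added example; all flow records are constructed, not real telemetry."""
import statistics
from collections import defaultdict

# Constructed baseline window of normal flows for an ESXi host and a macOS endpoint.
BASELINE_FLOWS = [
    {"src": "hostd", "dest": "10.10.0.20", "port": 443, "bytes_out": 40_000},
    {"src": "hostd", "dest": "10.10.0.20", "port": 443, "bytes_out": 52_000},
    {"src": "hostd", "dest": "10.10.0.21", "port": 514, "bytes_out": 8_000},
    {"src": "hostd", "dest": "10.10.0.21", "port": 514, "bytes_out": 9_500},
    {"src": "com.apple.Safari", "dest": "203.0.113.5", "port": 443, "bytes_out": 120_000},
    {"src": "com.apple.Safari", "dest": "203.0.113.6", "port": 443, "bytes_out": 95_000},
    {"src": "vm-finance-db", "dest": "10.10.5.2", "port": 1433, "bytes_out": 300_000},
    {"src": "vm-finance-db", "dest": "10.10.5.2", "port": 1433, "bytes_out": 280_000},
    {"src": "vm-finance-db", "dest": "10.10.5.3", "port": 445, "bytes_out": 310_000},
]
WATCHLIST = {"vm-finance-db"}   # GuestVMExfilWatchlist: sensitivity-labelled sources

# Constructed flows to score against the baseline.
NEW_FLOWS = [
    {"src": "hostd", "dest": "203.0.113.50", "port": 8443, "bytes_out": 2_000_000},     # exfil-like
    {"src": "com.apple.Safari", "dest": "203.0.113.7", "port": 443, "bytes_out": 100_000},  # browser noise
    {"src": "vm-finance-db", "dest": "203.0.113.60", "port": 443, "bytes_out": 320_000},   # watchlisted VM
    {"src": "vm-scratch-01", "dest": "203.0.113.61", "port": 21, "bytes_out": 5_000},      # never profiled
]


class EgressProfile:
    def __init__(self, flows, watchlist=frozenset(), sigma=3.0, watch_sigma=1.5):
        self.watchlist = set(watchlist)
        self.dests = defaultdict(set)    # src -> {(dest, port)}
        self.ports = defaultdict(set)    # src -> {port}
        volumes = defaultdict(list)
        for f in flows:
            self.dests[f["src"]].add((f["dest"], f["port"]))
            self.ports[f["src"]].add(f["port"])
            volumes[f["src"]].append(f["bytes_out"])
        # Volume bound = mean + k * population stdev; watchlisted sources get a smaller k.
        self.volume_threshold = {
            src: statistics.mean(v) + (watch_sigma if src in self.watchlist else sigma) * statistics.pstdev(v)
            for src, v in volumes.items()
        }

    def score(self, flow):
        src = flow["src"]
        watched = src in self.watchlist
        if src not in self.volume_threshold:
            return {"alert": True, "reasons": ["no_profile"], "watchlisted": watched}
        reasons = []
        if (flow["dest"], flow["port"]) not in self.dests[src]:
            reasons.append("new_destination")
        if flow["port"] not in self.ports[src]:
            reasons.append("new_port")
        if flow["bytes_out"] > self.volume_threshold[src]:
            reasons.append("volume_anomaly")
        # A browser reaching a new host on a known port is normal; a new port, excess volume,
        # or any new destination from a watchlisted source is not.
        alert = ("volume_anomaly" in reasons or "new_port" in reasons
                 or (watched and "new_destination" in reasons))
        return {"alert": alert, "reasons": reasons, "watchlisted": watched}


def scan(profile, flows):
    return [{"flow": f, **profile.score(f)} for f in flows if profile.score(f)["alert"]]


if __name__ == "__main__":
    profile = EgressProfile(BASELINE_FLOWS, WATCHLIST)
    for hit in scan(profile, NEW_FLOWS):
        print(hit)
```

Three of the four new flows alert: hostd to a new host on an unseen port with 2 MB out, the watchlisted VM to an external address on a port it never uses, and the unprofiled `vm-scratch-01`. The Safari flow reports `new_destination` only and stays below its volume bound, so it does not alert; that is the intended behaviour for a browser baseline.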