Detects non-browser processes that establish encrypted outbound connections (e.g., TLS/SSL) to destinations that are unfamiliar or atypical for the host or user, shortly after a data staging or compression event.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 |
| Network Traffic Content (DC0085) | NSM:Flow | ssl.log - Certificate Analysis |

| Field | Description |
|---|---|
| TimeWindow | Interval within which file access, staging (compression or encryption), and outbound transmission must occur to be correlated (e.g., 5 minutes). |
| CertificateIssuerDenylist | Flags (or blocks) SSL/TLS handshakes whose server certificate was issued by an untrusted or denylisted certificate authority. |
| BinaryAllowlist | Allowlist of known-good applications permitted to originate encrypted outbound traffic; connections from binaries outside it are candidates for alerting. |

Detects staged file access (e.g., archiving or obfuscation) followed by an encrypted outbound connection (TLS/HTTPS) from an unusual process such as curl/wget, a Python script, or a custom binary.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Connection Creation (DC0082) | auditd:SYSCALL | connect |
| Network Traffic Content (DC0085) | NSM:Flow | ssl.log, conn.log |
| File Access (DC0055) | auditd:SYSCALL | open, read |

| Field | Description |
|---|---|
| ConnectionDestinationScope | Scopes the analytic to outbound connections whose destination lies outside corporate domains or IP ranges. |
| FileAccessExtensionList | Extensions considered sensitive or exfil-worthy (e.g., .zip, .db, .xlsx); access to matching files starts the correlation window. |
| SSLClientProcessBaseline | Baseline of binaries that normally initiate encrypted (TLS) connections on the host; connections from binaries outside the baseline are suspect. |

Detects abnormal encrypted network connections (via TLS/HTTPS) initiated by non-browser binaries, particularly after sensitive file access or compression events.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | macos:osquery | socket_events |
| Process Creation (DC0032) | macos:osquery | process_events |
| File Access (DC0055) | macos:unifiedlog | log stream - file provider subsystem |
| Network Traffic Content (DC0085) | NSM:Flow | ssl.log, x509.log |

| Field | Description |
|---|---|
| OutboundTrafficVolumeThreshold | Byte-count threshold above which outbound encrypted traffic from a single process triggers (or escalates) detection. |
| FileSensitivityContext | Tags high-value directories and files so that access to them raises the priority of a subsequent encrypted outbound connection. |

Detects unexpected TLS-encrypted outbound connections from hypervisor management components or guest VMs, particularly following data volume spikes or script-based orchestration from within guest environments.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:hostd | event stream |
| Network Traffic Flow (DC0078) | esxi:vmkernel | egress logs |

| Field | Description |
|---|---|
| VMToEgressPathWatchlist | Expected egress routes for monitored VMs; traffic leaving by any other path is flagged. |
| TLSClientAppIdentifier | Applications allowed to initiate TLS sessions from the hypervisor level. |

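
The Windows, Linux and macOS analytics above all describe the same correlation: sensitive file access, then an encrypted outbound connection from the same process, from a binary that is not on the allowlist, to a destination outside corporate scope, within TimeWindow, with volume and certificate-issuer checks escalating severity. The Python below is an added example written for this page, not code from ATT&CK or from any vendor rule. The events are constructed, SIEM-normalised `key=value` records standing in for Sysmon EventCode 1/3, Security 4663, auditd and Zeek ssl.log fields; the field names, allowlist, extension list, address ranges and thresholds are all assumptions chosen for the demo.

```python
"""Correlate sensitive-file access with a later TLS connection from the same
non-allowlisted process on the same host, within TIME_WINDOW (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Mutable elements from the analytics; every value here is a demo assumption.
TIME_WINDOW = timedelta(minutes=5)                       # TimeWindow
BINARY_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe",
                    "outlook.exe", "firefox", "chromium"}  # BinaryAllowlist / SSLClientProcessBaseline
FILE_ACCESS_EXTENSIONS = {".zip", ".7z", ".rar", ".db", ".xlsx", ".pst"}  # FileAccessExtensionList
CORPORATE_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]       # ConnectionDestinationScope
CERT_ISSUER_DENYLIST = {"CN=Untrusted_Test_CA"}          # CertificateIssuerDenylist
OUTBOUND_VOLUME_THRESHOLD = 50_000_000                   # OutboundTrafficVolumeThreshold (bytes)
TLS_PORTS = {443, 8443}

# Constructed sample telemetry (not real Sysmon/auditd output): one event per line.
SAMPLE_EVENTS = r"""
ts=2024-05-01T10:00:00 host=WS01 type=process pid=4120 image=C:\Windows\Temp\sync.exe
ts=2024-05-01T10:01:10 host=WS01 type=file pid=4120 path=C:\Users\alice\Documents\q3_finance.xlsx
ts=2024-05-01T10:01:30 host=WS01 type=file pid=4120 path=C:\Users\alice\AppData\Local\Temp\out.zip
ts=2024-05-01T10:03:45 host=WS01 type=net pid=4120 dst=203.0.113.10 dport=443 bytes_out=120000000 issuer=CN=Untrusted_Test_CA
ts=2024-05-01T10:04:00 host=WS01 type=process pid=5200 image=C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe
ts=2024-05-01T10:04:05 host=WS01 type=net pid=5200 dst=203.0.113.20 dport=443 bytes_out=40000 issuer=CN=R3
ts=2024-05-01T11:00:00 host=SRV02 type=process pid=911 image=/usr/bin/python3
ts=2024-05-01T11:00:30 host=SRV02 type=file pid=911 path=/var/lib/app/customers.db
ts=2024-05-01T11:01:00 host=SRV02 type=net pid=911 dst=10.0.5.4 dport=443 bytes_out=900000 issuer=CN=Corp_Internal_CA
ts=2024-05-01T11:02:00 host=SRV02 type=net pid=911 dst=198.51.100.7 dport=443 bytes_out=2000000 issuer=CN=R3
ts=2024-05-01T11:50:00 host=SRV02 type=process pid=950 image=/usr/bin/curl
ts=2024-05-01T11:50:05 host=SRV02 type=file pid=950 path=/home/bob/backup.7z
ts=2024-05-01T12:00:00 host=SRV02 type=net pid=950 dst=198.51.100.9 dport=443 bytes_out=3000000 issuer=CN=R3
"""


def parse_events(text):
    """Parse key=value lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(tok.split("=", 1) for tok in line.split())
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased for allowlist matching."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_sensitive(path):
    return any(path.lower().endswith(ext) for ext in FILE_ACCESS_EXTENSIONS)


def is_corporate(dst):
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in CORPORATE_NETS)


def detect(events):
    """One alert per TLS connection that follows sensitive file access by the same
    process within TIME_WINDOW, from a non-allowlisted binary, to a non-corporate
    destination. Keyed by (host, pid) for the demo; production logic should key on
    a process GUID, since pids are reused."""
    images = {}                  # (host, pid) -> image path, from process-creation events
    staged = defaultdict(list)   # (host, pid) -> [(ts, path)] of sensitive file accesses
    alerts = []
    for e in events:
        key = (e["host"], e["pid"])
        if e["type"] == "process":
            images[key] = e["image"]
        elif e["type"] == "file":
            if is_sensitive(e["path"]):
                staged[key].append((e["ts"], e["path"]))
        elif e["type"] == "net" and int(e["dport"]) in TLS_PORTS:
            image = images.get(key, "<unknown>")   # unknown parent is treated as non-allowlisted
            if basename(image) in BINARY_ALLOWLIST or is_corporate(e["dst"]):
                continue
            recent = [p for ts, p in staged[key] if e["ts"] - TIME_WINDOW <= ts <= e["ts"]]
            if not recent:
                continue
            reasons = ["sensitive file access followed by TLS connection from non-allowlisted binary"]
            if int(e.get("bytes_out", 0)) >= OUTBOUND_VOLUME_THRESHOLD:
                reasons.append("outbound volume above threshold")
            if e.get("issuer") in CERT_ISSUER_DENYLIST:
                reasons.append("certificate issuer on denylist")
            alerts.append({"host": e["host"], "pid": e["pid"], "image": image, "dst": e["dst"],
                           "files": recent, "reasons": reasons,
                           "severity": "high" if len(reasons) > 1 else "medium"})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(a["severity"].upper(), a["host"], a["image"], "->", a["dst"], a["reasons"])
```

Run against the sample, `sync.exe` on WS01 alerts at high severity (staged .xlsx and .zip, oversized upload, denylisted issuer), `python3` on SRV02 alerts at medium severity for the 198.51.100.7 connection only (the 10.0.5.4 connection is in corporate scope), and `curl` does not alert because its file access falls outside TimeWindow. Chrome's connection is dropped by the allowlist, which is also where a real deployment does most of its tuning.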