Skip to content

DET0273 Detection Strategy for Encrypted Channel across OS Platforms

Item Value
ID DET0273
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1573 (Encrypted Channel)

Analytics

Windows

AN0759

Processes that normally do not initiate network connections establishing outbound encrypted TLS/SSL sessions, especially with asymmetric traffic volumes (client sending more than receiving) or non-standard certificate chains. Defender observations correlate process creation with unexpected network encryption libraries being loaded.

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Mutable Elements
Field Description
AllowedEncryptedProcesses Whitelist processes expected to use TLS (e.g., browsers, mail clients).
EntropyThreshold Payload randomness threshold to distinguish C2 encryption from legitimate traffic.
TimeWindow Correlation window between process creation, module load, and encrypted connection.

Linux

AN0760

Processes like curl, wget, python, socat, or custom binaries initiating TLS/SSL sessions to non-standard destinations. Defender sees abnormal syscalls for connect(), loading of libssl libraries, and persistent outbound encrypted traffic from daemons not normally communicating externally.

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) auditd:SYSCALL socket/connect with TLS context by unexpected process
Application Log Content (DC0038) linux:syslog system daemons initiating TLS sessions outside expected services
Process Creation (DC0032) linux:osquery Processes linked with libssl or crypto libraries making outbound connections
Mutable Elements
Field Description
WhitelistedDaemons Legitimate system services expected to use TLS (e.g., package updates).
CertificateAuthorities Trusted CAs; flag self-signed or unrecognized certs.

macOS

AN0761

Applications or launchd jobs initiating encrypted TLS traffic to rare external hosts. Defender observes unified logs showing ssl/TLS API calls by processes not baseline-approved, and payload entropy suggesting encrypted C2 sessions.

Log Sources
Data Component Name Channel
Network Traffic Content (DC0085) macos:unifiedlog Encrypted session initiation by unexpected binary
Process Creation (DC0032) macos:unifiedlog Process invoking SSL routines from Security framework
Mutable Elements
Field Description
DoHResolvers Known legitimate DoH endpoints to reduce false positives.
PayloadEntropyThreshold High-entropy traffic deviations used to detect concealed channels.

ESXi

AN0762

VMware management daemons or guest processes initiating encrypted connections outside expected vCenter, update servers, or internal comms. Defender identifies hostd or vpxa initiating outbound TLS flows with uncommon destinations.

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) esxi:vpxd TLS session established by ESXi service to unapproved endpoint
Network Traffic Content (DC0085) esxi:vmkernel Inspection of sockets showing encrypted sessions from non-baseline processes
Mutable Elements
Field Description
AllowedMgmtHosts Baseline approved endpoints for vCenter or update services.

Network Devices

AN0763

Unusual TLS tunnels through ports not normally encrypted (e.g., TLS on port 8080, 53). Defender sees NetFlow/IPFIX or packet inspection indicating high-entropy traffic volumes and asymmetric client/server exchange ratios.

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) NSM:Flow Session records with TLS-like byte patterns
Network Traffic Content (DC0085) NSM:Connections Abnormal certificate chains or non-standard ports carrying TLS
Mutable Elements
Field Description
PortProfiles Define expected TLS port usage to flag anomalies.
TrafficAsymmetryRatio Sent/received byte thresholds to catch hidden C2.