<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Downgrade - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/downgrade/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 05 Jul 2026 01:52:51 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/downgrade/feed.xml" rel="self" type="application/rss+xml"/><item><title>Detection of Deprecated TLS Version or Weak Cipher Negotiated Externally</title><link>https://feed.craftedsignal.io/briefs/2026-07-deprecated-tls-weak-cipher/</link><pubDate>Sun, 05 Jul 2026 01:52:51 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-deprecated-tls-weak-cipher/</guid><description>This rule identifies successful outbound TLS sessions initiated by internal hosts to external destinations that utilize deprecated protocol versions (SSLv3, TLS 1.0, TLS 1.1) or weak cipher suites such as RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Such negotiations can indicate an Adversary-in-the-Middle attack or communication with legacy malware, allowing for traffic interception or decryption. Detection engineers should investigate the `source.ip`, `destination.ip`, `tls.version`, and `tls.cipher` to determine if the destination is a legitimate legacy system or a potential compromise, checking for concurrent alerts on the source host.</description><content:encoded><![CDATA[<p>This brief details a detection for successful outbound TLS sessions that use deprecated protocol versions (SSLv3, TLS 1.0, TLS 1.1) or weak cipher suites, including RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Threat actors, specifically Adversaries-in-the-Middle (AitM), or legacy malware commonly force these weaker negotiations to facilitate traffic decryption or interception. Modern clients and services should ideally negotiate TLS 1.2 or 1.3 with strong ciphers for all internet-bound connections. The presence of such negotiations from internal hosts to external destinations is a strong indicator of potential compromise, a configured MITM appliance, or communication with outdated and insecure endpoints. This detection is crucial for identifying potential credential access or command and control (C2) activity that relies on exploiting these cryptographic weaknesses.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise / Positioning</strong>: Adversary gains initial access to the internal network (e.g., via phishing, vulnerability exploitation) or positions themselves strategically to conduct a Man-in-the-Middle (MITM) attack on network segments.</li>
<li><strong>Network Interception / Malware Deployment</strong>: The attacker either intercepts network traffic directly (MITM) or deploys legacy malware onto an internal host that initiates outbound network connections.</li>
<li><strong>TLS Session Initiation</strong>: An internal host attempts to establish an outbound TLS session to an external destination, often for legitimate communication purposes.</li>
<li><strong>Forced Downgrade / Weak Cipher Negotiation</strong>: The adversary (in a MITM position) or the legacy malware manipulates the TLS handshake process, forcing the client and/or server to negotiate a deprecated TLS protocol version (SSLv3, TLS 1.0, TLS 1.1) or a weak cipher suite (RC4, 3DES, NULL, EXPORT, anonymous Diffie-Hellman).</li>
<li><strong>Successful Weak Negotiation</strong>: The TLS handshake successfully completes, establishing an encrypted channel using the outdated protocol or weak cipher suite, making the traffic susceptible to decryption.</li>
<li><strong>Traffic Interception/Decryption</strong>: With the weaker encryption, the adversary can now intercept and decrypt the traffic flowing over the compromised TLS session, gaining access to sensitive data such as credentials or proprietary information.</li>
<li><strong>Credential Access / Command and Control</strong>: The decrypted information is leveraged for credential harvesting and lateral movement, or the weak TLS channel is utilized by malware for resilient command and control (C2) communications with attacker infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation or utilization of deprecated TLS versions and weak ciphers by adversaries can lead to significant impact, primarily through the compromise of data confidentiality and integrity. Attackers can intercept and decrypt sensitive information, including user credentials, proprietary business data, and intellectual property, transiting over the network. This can result in unauthorized access to systems and services, data exfiltration, and a loss of trust in communications. While the brief does not specify victim counts, any organization with internal hosts communicating externally via these weak protocols is vulnerable to potential data breach and compromise, particularly within sectors handling sensitive data or operating critical infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect deprecated TLS versions and weak cipher negotiations.</li>
<li>Ensure your network traffic logging (<code>network_traffic.tls</code> data stream, or equivalent) is configured to capture TLS metadata, including <code>tls.version</code>, <code>tls.version_protocol</code>, <code>tls.cipher</code>, and <code>tls.established</code>.</li>
<li>Investigate all alerts generated by the &quot;Deprecated TLS Version or Weak Cipher Negotiated Externally&quot; rule, examining <code>source.ip</code>, <code>destination.ip</code>, <code>destination.port</code>, <code>tls.version</code>, and <code>tls.cipher</code> to differentiate between legitimate legacy systems and malicious activity.</li>
<li>Establish baselines for known legacy internal applications, industrial control systems, or embedded devices that legitimately require deprecated TLS, and create exclusions after validation to reduce false positives.</li>
<li>Implement and enforce TLS 1.2 or higher as the minimum acceptable version on all egress proxies and network gateways, and inspect for MITM appliances that might be forcing weak negotiation.</li>
<li>Block or proxy traffic to external destinations identified as engaging in suspicious weak TLS negotiations if the activity appears attacker-driven.</li>
<li>Patch or replace client and server applications/systems identified as negotiating deprecated TLS versions or weak ciphers to enforce stronger cryptographic standards.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>network</category><category>tls</category><category>credential-access</category><category>command-and-control</category><category>mitm</category><category>downgrade</category><category>weak-cipher</category></item></channel></rss>