Suspect HTTPS Activity

Triggers:

• Suspect HTTPS Activity Detections are based upon the HTTPS (TLS/SSL) protocol.  
• These are high fidelity indicators which are usually looking for known certificates or attributes of the TLS/SSL negotiation associated with malware and attack tools.

Possible Root Causes:

• A host is compromised with malware and initiates a connection to an external resource over the HTTPS protocol.
• Breach simulation software which may emulate known malware and C2 frameworks over the C2 protocol.

Business Impact:

• Command and Control channels can enable attackers to carry out malicious activity within an organization and are typically an early indicator that a malicious actor has access to your environment.  These should be investigated to determine if they are malicious true positives, and acted upon promptly.

Steps to Verify:

• Examine the Detection page to validate whether the HTTPS detection details is consistent with public resources of threat information.
• Examine the destination server to see if it has any known reputation, is newly registered, or is associated with an application that exhibits behaviors similar to the detection.
• Examine the PCAP to see if the artifacts are consistent with the malware / C2 framework identified in the SPA detection title.
• Check if the user has knowingly installed the malware or is using a the tool defined in the detection title.
• Scan the endpoint to look for signs of malware, validate the process that is associated with the network connection documented in the detection.

‍