Suspect HTTPS Activity

Suspect HTTPS Activity

Detection overview

Triggers:

  • Suspect HTTPS Activity Detections are based upon the HTTPS (TLS/SSL) protocol.  
  • These are high fidelity indicators which are usually looking for known certificates or attributes of the TLS/SSL negotiation associated with malware and attack tools.

Possible Root Causes:

  • A host is compromised with malware and initiates a connection to an external resource over the HTTPS protocol.
  • Breach simulation software which may emulate known malware and C2 frameworks over the C2 protocol.

Business Impact:

  • Command and Control channels can enable attackers to carry out malicious activity within an organization and are typically an early indicator that a malicious actor has access to your environment.  These should be investigated to determine if they are malicious true positives, and acted upon promptly.

Steps to Verify:

  • Examine the Detection page to validate whether the HTTPS detection details is consistent with public resources of threat information.
  • Examine the destination server to see if it has any known reputation, is newly registered, or is associated with an application that exhibits behaviors similar to the detection.
  • Examine the PCAP to see if the artifacts are consistent with the malware / C2 framework identified in the SPA detection title.
  • Check if the user has knowingly installed the malware or is using a the tool defined in the detection title.
  • Scan the endpoint to look for signs of malware, validate the process that is associated with the network connection documented in the detection.

Suspect HTTPS Activity

Possible root causes

Malicious Detection

Benign Detection

Suspect HTTPS Activity

Example scenarios

Suspect HTTPS Activity

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Suspect HTTPS Activity

Steps to investigate

FAQs