Encrypted Traffic Collection


The Encrypted Traffic Collection offers dozens of unique insights into SSL, SSH, and RDP connections along with top encrypted insights from the Zeek® community like JA3 — all without decryption.


Insights

Custom encryption detection

Detect connections that are already encrypted without an observed handshake, which can indicate custom or pre-negotiated encryption

DNS over HTTPS (DoH) detection

Reveal when DNS queries are made to known DNS over HTTPS (DoH) providers, giving insight into DNS traffic that would otherwise be hidden

Expected encryption detection

Identify unencrypted connections running on ports where encryption is expected
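As an added illustration (not part of the Encrypted Traffic Collection's own code) of what "expected encryption" detection amounts to, the script below runs a simple policy over a constructed Zeek conn.log excerpt. The port-to-service policy table, the sample rows and the "flag only if payload was exchanged" rule are all assumptions made for the example; the record layout follows Zeek's tab-separated conn.log with its `#fields` header.

```python
# Constructed Zeek conn.log excerpt (tab-separated, with the #fields header
# line Zeek writes). These rows are made up for the example.
_ROWS = [
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "service", "duration", "orig_bytes", "resp_bytes"),
    ("1700000000.1", "C1", "10.0.0.5", "51000", "203.0.113.10", "443", "tcp", "ssl", "0.5", "1200", "5400"),
    ("1700000001.2", "C2", "10.0.0.6", "51001", "203.0.113.11", "443", "tcp", "http", "0.3", "400", "900"),
    ("1700000002.3", "C3", "10.0.0.7", "51002", "203.0.113.12", "22", "tcp", "ssh", "2.0", "3000", "2000"),
    ("1700000003.4", "C4", "10.0.0.8", "51003", "203.0.113.13", "22", "tcp", "-", "-", "0", "0"),
    ("1700000004.5", "C5", "10.0.0.9", "51004", "203.0.113.14", "22", "tcp", "-", "1.1", "800", "300"),
]
SAMPLE_CONN_LOG = "\n".join("\t".join(r) for r in _ROWS)

# Assumed policy: responder ports where encryption is expected, mapped to the
# Zeek service label(s) that show it was actually negotiated.
EXPECTED = {443: {"ssl"}, 993: {"ssl"}, 995: {"ssl"}, 22: {"ssh"}}


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        yield dict(zip(fields, line.split("\t")))


def _count(value):
    """Zeek writes '-' for an unset byte counter; treat it as zero."""
    return 0 if value == "-" else int(value)


def find_unencrypted(records, expected=EXPECTED):
    """Return (uid, port, observed_service) for connections on an
    encryption-expected port that never showed the expected service."""
    hits = []
    for r in records:
        port = int(r["id.resp_p"])
        if port not in expected:
            continue
        # conn.log 'service' is a comma-joined set; '-' means none recognised.
        services = set(r["service"].split(",")) - {"-"}
        if services & expected[port]:
            continue
        if _count(r["orig_bytes"]) + _count(r["resp_bytes"]) == 0:
            continue  # no payload either way (e.g. a refused connect); nothing to judge
        hits.append((r["uid"], port, r["service"] if services else "unknown"))
    return hits


if __name__ == "__main__":
    for uid, port, svc in find_unencrypted(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{uid}: port {port} expected encryption, saw {svc}")
```

Two of the five constructed rows trip the check: C2 (cleartext HTTP on 443) and C5 (payload on port 22 with no recognised protocol). C4 is left alone because no bytes were exchanged, which keeps simple connect scans out of this particular alert.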

RDP authentication inferences

Generate inferences about the method of authentication used by the RDP client

RDP brute force detection

Reveal when an RDP client makes excessive authentication attempts and also succeeds

RDP client inferences

Generate inferences about the type of RDP client used

RDP excessive channel join detections

Reveal when an RDP client exceeds a set threshold for the number of channel joins

SSH agent forwarding detection

See when SSH agent forwarding occurs between clients and servers, which may indicate lateral movement where adversaries have compromised SSH credentials

SSH authentication bypass detection

Reveal when a client and server switch to a non-SSH protocol

SSH client bruteforce detection

Reveal when an SSH client makes excessive authentication attempts

SSH client file activity detection

Reveal when a client transfers a file to a server or vice versa

SSH client keystroke detection

Reveal an interactive session where a client sends user-driven keystrokes to the server

SSH fingerprinting (HASSH)

Create a hash of every SSH client and server negotiation for use in threat hunting or intel feed matching

SSH MFA detection

See when SSH connections use multifactor authentication (MFA), which can help analysts rule out other explanations for observed timing discrepancies in SSH connections, and help teams monitor external SSH servers for MFA compliance

Non-interactive SSH detection

Reveal when SSH connections do not request an interactive terminal but instead use SSH as a port-forwarding tunnel, which may indicate malicious SSH tunneling

SSH reverse tunnel detection

Reveal when a client connects to an SSH server and provides the server with an interactive terminal, establishing a reverse SSH tunnel that may indicate malicious SSH tunneling

SSH scan detection

Infer scanning activity based on how often a single service is scanned

SSL certificate monitoring

Track expired and soon-to-expire certs, newly issued certs, self-signed certs, invalid certs, chain-validation errors, old versions, weak ciphers, weak key lengths, and bad versions (e.g., TLS 1.0)

SSL fingerprinting (JA3)

Create a hash of every SSL/TLS client and server negotiation for use in threat hunting or intel feed matching
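The HASSH and JA3 entries above both describe the same idea: concatenate the algorithm lists a client (or server) offers during the handshake in a fixed order and hash them, so the same software produces the same fingerprint no matter which host it talks to. The script below is an added example of how those strings are built (it is not Corelight's or the Zeek community's implementation). The ClientHello values and SSH KEXINIT lists are constructed for the example, and the watchlist is a hypothetical stand-in for an intel feed.

```python
import hashlib

# TLS GREASE values (RFC 8701) are randomised per handshake, so they are
# dropped before hashing; otherwise the same client would never match itself.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def _dash_join(values):
    """Decimal values joined with '-' in wire order, GREASE removed."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3(version, ciphers, extensions, curves, point_formats):
    """JA3: ClientHello version, cipher suites, extensions, supported groups and
    point formats, each '-'-joined, the five fields ','-joined, then MD5."""
    s = ",".join([str(version), _dash_join(ciphers), _dash_join(extensions),
                  _dash_join(curves), _dash_join(point_formats)])
    return s, hashlib.md5(s.encode()).hexdigest()


def ja3s(version, cipher, extensions):
    """JA3S: the server-side counterpart built from the ServerHello."""
    s = ",".join([str(version), str(cipher), _dash_join(extensions)])
    return s, hashlib.md5(s.encode()).hexdigest()


def hassh(kex, enc, mac, comp):
    """HASSH: the four SSH KEXINIT algorithm lists, each ','-joined, then
    ';'-joined, then MD5. Use the client-to-server lists for a client
    fingerprint and the server-to-client lists for hasshServer."""
    s = ";".join(",".join(lst) for lst in (kex, enc, mac, comp))
    return s, hashlib.md5(s.encode()).hexdigest()


# --- constructed sample negotiations (not captured from a real host) ---
CLIENT_HELLO = dict(
    version=771,                                        # 0x0303, TLS 1.2
    ciphers=[0x1A1A, 4865, 4866, 4867, 49195, 49199],   # starts with a GREASE suite
    extensions=[0x2A2A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 21],
    curves=[0x3A3A, 29, 23, 24],
    point_formats=[0],
)
SSH_KEXINIT = dict(
    kex=["curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256"],
    enc=["chacha20-poly1305@openssh.com", "aes128-ctr"],
    mac=["umac-64-etm@openssh.com", "hmac-sha2-256"],
    comp=["none", "zlib@openssh.com"],
)

# Hypothetical watchlist keyed by fingerprint hash, as an intel feed would be;
# the single entry is derived from the constructed sample above.
WATCHLIST = {ja3(**CLIENT_HELLO)[1]: "constructed example client"}


def match_watchlist(fp_hash, watchlist=WATCHLIST):
    """Return the label for a known fingerprint, or None if it is unknown."""
    return watchlist.get(fp_hash)


if __name__ == "__main__":
    s, h = ja3(**CLIENT_HELLO)
    print("JA3  ", s, h, match_watchlist(h))
    s, h = hassh(**SSH_KEXINIT)
    print("HASSH", s, h, match_watchlist(h))
```

Note that the fingerprint hashes only the offered algorithms, never the session keys or any payload, which is why it works without decryption; the trade-off is that two different programs built on the same TLS or SSH library will usually share a fingerprint, so a match is a lead for hunting rather than a verdict.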
