AN0759: Analytic 0759
Processes that normally do not initiate network connections establishing outbound encrypted TLS/SSL sessions, especially with asymmetric traffic volumes (client sending more than receiving) or non-standard certificate chains. Defender observations correlate process creation with unexpected network encryption libraries being loaded.
Analyst context for executives and security teams
This analytic is valuable because it focuses on a common business blind spot: Windows processes that should not be making encrypted outbound connections but suddenly do. Encrypted TLS/SSL traffic can hide content from inspection, so the decision value is in validating whether the organization can connect process behavior, network sessions, certificate characteristics, and library loading into one defensible view.
Executive priority
Prioritize this as a coverage-validation item for managed detection, SOC readiness, and incident response evidence. Leaders should ask whether security teams can identify unexpected encrypted egress from Windows endpoints, especially when the sending process is unusual, traffic is asymmetric, or certificate chains look non-standard. This helps determine whether existing endpoint and network investments can support timely investigation without relying only on decrypted content.
Technical view
For Windows environments, validate correlation across process creation, outbound TLS/SSL session metadata, traffic volume directionality, certificate-chain observations, and evidence that unexpected network encryption libraries were loaded by the process. Because no ATT&CK tactic or related technique context is supplied, treat this as a behavioral detection analytic rather than a complete detection story. SOC teams should baseline which processes normally initiate encrypted outbound sessions and investigate deviations, especially where client-to-server bytes exceed server-to-client bytes or certificate characteristics are unusual.
Likely telemetry
- Windows process creation events
- Endpoint process-to-network connection telemetry
- Outbound TLS/SSL session metadata
- Client/server byte counts or traffic directionality
- Certificate chain metadata for outbound TLS/SSL sessions
Detection direction
- Establish baselines for Windows processes that normally initiate outbound encrypted sessions.
- Tune for processes that rarely or never create TLS/SSL connections but begin doing so.
- Correlate process creation with network session metadata rather than relying only on network indicators.
- Review asymmetric traffic patterns where the client sends more data than it receives.
- Flag non-standard certificate chains for analyst review, while accounting for legitimate enterprise proxies, internal PKI, and custom applications.
Mitigation priorities
- Confirm inventory and ownership of Windows applications expected to make outbound encrypted connections.
- Limit unnecessary outbound connectivity where business requirements allow.
- Ensure endpoint logging captures process creation, network connections, and relevant library loads.
- Ensure network monitoring records TLS/SSL metadata, certificate information, and traffic volume directionality.
- Document expected exceptions such as enterprise TLS inspection, internal PKI, update agents, and approved custom software.
Analyst notes and limits
The supplied object is a detection analytic, not a technique, and no relationship context is provided. Its strongest use is as a control-assurance question: can defenders identify unexpected encrypted outbound behavior by Windows processes and correlate it to endpoint evidence? Local baselining is essential because legitimate software, proxies, certificate inspection, and internal PKI can create similar signals.
Official detection text is not provided, tactics are not specified, and no related ATT&CK objects are supplied. This take does not infer adversary intent, active exploitation, attribution, impact, or coverage beyond the Windows platform and analytic description provided.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 821bea6c90e1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0759 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.