AN0763: Analytic 0763
Unusual TLS tunnels through ports not normally encrypted (e.g., TLS on port 8080, 53). Defender sees NetFlow/IPFIX or packet inspection indicating high-entropy traffic volumes and asymmetric client/server exchange ratios.
Analyst context for executives and security teams
Analytic 0763 highlights a network detection idea for spotting unusual TLS-encrypted tunnels on ports that are not normally expected to carry encrypted traffic, such as TLS on 8080 or 53. For leaders, the value is not that a specific threat is proven, but that encrypted traffic can hide activity from content inspection unless the organization has enough network metadata and inspection capability to notice abnormal protocol-to-port use and traffic patterns.
Executive priority
Prioritize this as a network visibility and SOC readiness question: can the organization identify encrypted tunnels where they do not belong, especially on network-device-monitored paths? This matters for incident triage, compliance evidence around monitoring controls, and operational resilience because encrypted channels on unexpected ports may bypass assumptions in firewall, proxy, or monitoring designs.
Technical view
SOC and detection engineering teams should validate whether NetFlow/IPFIX, packet inspection, or equivalent network telemetry can identify TLS traffic on non-standard or unexpected ports and correlate it with high-entropy traffic volumes and asymmetric client/server exchange ratios. Because the ATT&CK object does not specify tactics or related techniques, use this analytic as a visibility-control test rather than a standalone verdict of malicious behavior.
Likely telemetry
- NetFlow or IPFIX records from network devices
- Packet inspection or protocol-identification metadata
- Destination port and detected protocol fields
- Traffic volume and byte-count ratios by client and server direction
- Entropy or encrypted-traffic indicators where available
Detection direction
- Validate that monitoring distinguishes detected protocol from declared port, rather than assuming port 443 is the only relevant TLS path.
- Baseline legitimate TLS use on non-standard ports to reduce false positives, including administrative tools, proxies, application platforms, and approved services.
- Tune for combinations of unusual TLS port use, high traffic entropy, sustained volume, and asymmetric client/server exchange ratios rather than port mismatch alone.
- Confirm whether network-device telemetry covers the paths where this behavior would appear; blind spots may exist where flows bypass monitored choke points or where only coarse logs are retained.
- Treat alerts as triage leads requiring endpoint, DNS, proxy, firewall, and asset-context enrichment before escalation.
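An added example, not part of the analytic or of Glexia's page: a Python scorer that applies the combination rule above (TLS on an unexpected port plus entropy, sustained volume and asymmetry) to constructed NetFlow/IPFIX-style records. The expected-port list, the thresholds, the approved exception and the flow records are all assumptions for illustration.

```python
# Ports where TLS is expected; TLS seen elsewhere is a protocol/port mismatch.
# Assumed list for illustration: replace with the local baseline.
EXPECTED_TLS_PORTS = {443, 465, 636, 993, 995, 8443}
# Documented exceptions: (server, port) pairs approved to run TLS elsewhere.
APPROVED_EXCEPTIONS = {("10.2.0.5", 8080)}  # constructed: internal proxy

# Illustrative thresholds (assumptions, not values from the analytic).
HIGH_ENTROPY = 7.5        # bits per byte; encrypted payload sits near 8.0
SUSTAINED_SECS = 600
SUSTAINED_BYTES = 1_000_000
ASYMMETRY_RATIO = 10.0    # larger direction / smaller direction

# Constructed NetFlow/IPFIX-style records with an application-identification
# field ("proto") and a payload-entropy estimate; not real telemetry.
FLOWS = [
    {"src": "10.1.1.20", "dst": "198.51.100.7", "dport": 53, "proto": "TLS", "bytes_out": 4_800_000, "bytes_in": 60_000, "secs": 3600, "entropy": 7.9},
    {"src": "10.1.1.21", "dst": "192.0.2.10", "dport": 443, "proto": "TLS", "bytes_out": 20_000, "bytes_in": 900_000, "secs": 30, "entropy": 7.8},
    {"src": "10.1.1.22", "dst": "10.2.0.5", "dport": 8080, "proto": "TLS", "bytes_out": 15_000, "bytes_in": 300_000, "secs": 20, "entropy": 7.7},
    {"src": "10.1.1.23", "dst": "198.51.100.9", "dport": 8080, "proto": "HTTP", "bytes_out": 10_000, "bytes_in": 50_000, "secs": 5, "entropy": 4.1},
    {"src": "10.1.1.24", "dst": "203.0.113.4", "dport": 8080, "proto": "TLS", "bytes_out": 3_000, "bytes_in": 12_000, "secs": 4, "entropy": 7.6},
]

def score_flow(flow: dict) -> tuple[int, list[str]]:
    """Score 0 unless TLS is on an unexpected, unapproved port; then 1 for the
    mismatch plus 1 per corroborating signal, so mismatch alone never alerts."""
    if flow["proto"] != "TLS" or flow["dport"] in EXPECTED_TLS_PORTS:
        return 0, []
    if (flow["dst"], flow["dport"]) in APPROVED_EXCEPTIONS:
        return 0, ["approved exception"]
    reasons = [f"TLS on port {flow['dport']}"]
    if flow["entropy"] >= HIGH_ENTROPY:
        reasons.append("high entropy")
    total = flow["bytes_out"] + flow["bytes_in"]
    if flow["secs"] >= SUSTAINED_SECS and total >= SUSTAINED_BYTES:
        reasons.append("sustained volume")
    small = max(min(flow["bytes_out"], flow["bytes_in"]), 1)  # avoid /0
    if max(flow["bytes_out"], flow["bytes_in"]) / small >= ASYMMETRY_RATIO:
        reasons.append("asymmetric exchange")
    return len(reasons), reasons

def triage_leads(flows: list[dict], min_score: int = 3) -> list[dict]:
    """Flows reaching min_score become triage leads for enrichment, not verdicts."""
    leads = []
    for f in flows:
        score, reasons = score_flow(f)
        if score >= min_score:
            leads.append({**f, "score": score, "reasons": reasons})
    return leads
```

With min_score=3 a lead needs the port mismatch plus at least two corroborating signals, which is what keeps the last 8080 record (mismatch and entropy only) out of the alert queue.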
Mitigation priorities
- Establish policy and asset owner approval for services allowed to use TLS on non-standard ports.
- Improve network metadata collection first, especially NetFlow/IPFIX and protocol-identification coverage on key network devices.
- Use segmentation, firewall, and proxy policy to restrict unexpected encrypted traffic where business use is not justified.
- Document approved exceptions so SOC tuning and audit evidence can distinguish sanctioned encrypted services from unexplained tunnels.
- Review retention and investigation workflows so responders can reconstruct source, destination, port, protocol, volume, and timing during an incident.
Analyst notes and limits
This object is a detection analytic, not a technique or procedure. Its practical value is in testing whether the organization can see protocol misuse and encrypted traffic anomalies on network devices. The supplied ATT&CK fields provide no relationship context, no tactic mapping, and no official detection text beyond the description, so conclusions should be tied to local baselines and telemetry quality.
No relationships, tactics, aliases, or formal detection logic were supplied. The analytic does not prove malicious activity by itself and does not identify a specific adversary, technique, campaign, or impact. Environment-specific baselines are required to determine whether TLS on ports such as 8080 or 53 is suspicious or approved.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2eccf7c8984f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.