T1573.002

Asymmetric Cryptography

Adversaries may employ asymmetric encryption algorithms such as RSA, ECDH, or Diffie-Hellman to conceal command and control (C2) traffic. Asymmetric cryptography uses a keypair: a public key for encryption and a private key for decryption, ensuring only the intended recipient can read the data. In practice, most C2 frameworks (Cobalt Strike, Sliver, Havoc, AsyncRAT, Metasploit) use TLS for all communications, leveraging asymmetric cryptography for key exchange before switching to symmetric encryption for the bulk session data. Real-world malware families using this technique include SombRAT (SSL-encrypted C2), LunarWeb (RSA-4096 encrypted commands), SodaMaster (hardcoded RSA key for C2 traffic), ComRAT (RSA+AES for Gmail C2 channel), and Cyclops Blink (OpenSSL RSA public key encrypting per-message keys under TLS). Detection must focus on behavioral indicators: LOLBin processes initiating TLS connections, self-signed or anomalous certificate attributes, TLS on non-standard ports, regular beaconing intervals from non-browser processes, and use of cryptographic tools (openssl, certutil, .NET RSA APIs) in unexpected contexts.

Microsoft Sentinel / Defender

kusto

// T1573.002 — Asymmetric Cryptography C2 Detection
// Approach 1: LOLBin / scripting engine processes making outbound TLS/encrypted connections
let SuspiciousInitiators = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "regsvr32.exe", "rundll32.exe", "msbuild.exe", "csc.exe",
  "installutil.exe", "regasm.exe", "wmic.exe", "bitsadmin.exe", "certutil.exe"
]);
let KnownTLSPorts = dynamic([443, 8443, 4443, 8080, 8888, 8081, 9443, 2083, 2087, 2096]);
let SuspiciousNetworkC2 = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where InitiatingProcessFileName in~ (SuspiciousInitiators)
| extend IsTLSPort = RemotePort in (KnownTLSPorts)
| extend IsHighNonStandardPort = RemotePort > 1024 and RemotePort !in (KnownTLSPorts)
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteIP, RemotePort, RemoteUrl,
          IsTLSPort, IsHighNonStandardPort,
          DetectionSource = "NetworkC2";
// Approach 2: Cryptographic tool and API usage — key generation, certificate operations
let CryptoToolUsage = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "openssl.exe"
    or ProcessCommandLine has_any (
        "openssl genrsa", "openssl genpkey", "openssl req", "openssl s_client", "openssl s_server",
        "RSACryptoServiceProvider", "RSACng", "RSAParameters", "ECDiffieHellman",
        "New-SelfSignedCertificate", "makecert",
        "Export-PfxCertificate", "Import-PfxCertificate"
    )
    or (FileName =~ "certutil.exe" and ProcessCommandLine has_any ("-exportpfx", "-importpfx", "-MergePFX"))
| project Timestamp, DeviceName, AccountName,
          FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionSource = "CryptoTool";
// Union both detections
SuspiciousNetworkC2
| union (CryptoToolUsage | extend RemoteIP="", RemotePort=0, RemoteUrl="", IsTLSPort=false, IsHighNonStandardPort=false)
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

Legitimate PowerShell automation scripts (SCCM, Intune, Ansible WinRM) making HTTPS connections for patch management, configuration management, or telemetry reporting
Developer toolchains (npm, pip, cargo, dotnet restore) invoked from cmd.exe or PowerShell to fetch packages over TLS from public registries
PKI administrators or certificate automation scripts using openssl.exe, certutil.exe, or New-SelfSignedCertificate for legitimate certificate lifecycle management
Security scanning agents (Qualys, Tenable, Rapid7) and EDR components that spawn scripting processes making TLS connections to their management infrastructure
IT remote management tools (ConfigMgr, Puppet, Chef) executing PowerShell or cmd.exe with outbound HTTPS connections to management servers

Splunk

spl

(`index=wineventlog` sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
   OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe"
   OR Image="*\\regsvr32.exe" OR Image="*\\rundll32.exe" OR Image="*\\msbuild.exe"
   OR Image="*\\csc.exe" OR Image="*\\installutil.exe" OR Image="*\\regasm.exe"
   OR Image="*\\wmic.exe" OR Image="*\\bitsadmin.exe")
  NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
       OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*"
       OR DestinationIp="172.31.*" OR DestinationIp="192.168.*"
       OR DestinationIp="127.*" OR DestinationIp="169.254.*")
)
OR
(`index=wineventlog` sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\openssl.exe"
   OR CommandLine="*openssl genrsa*" OR CommandLine="*openssl genpkey*"
   OR CommandLine="*openssl req*" OR CommandLine="*openssl s_client*" OR CommandLine="*openssl s_server*"
   OR CommandLine="*RSACryptoServiceProvider*" OR CommandLine="*RSACng*"
   OR CommandLine="*ECDiffieHellman*" OR CommandLine="*RSAParameters*"
   OR CommandLine="*New-SelfSignedCertificate*" OR CommandLine="*makecert*"
   OR CommandLine="*Export-PfxCertificate*" OR CommandLine="*Import-PfxCertificate*"
   OR (CommandLine="*certutil*" AND (CommandLine="*-exportpfx*" OR CommandLine="*-importpfx*" OR CommandLine="*-MergePFX*"))
  )
)
| eval ProcessName=if(isnotnull(Image), mvindex(split(Image, "\\"), -1), null())
| eval EventType=case(
    EventCode="3", "TLS_Network_Connection",
    EventCode="1" AND match(CommandLine, "openssl genrsa|openssl genpkey|RSACryptoServiceProvider|RSACng|New-SelfSignedCertificate|ECDiffieHellman"), "AsymCrypto_Tool_Usage",
    EventCode="1", "Crypto_Cert_Operation",
    true(), "Other"
  )
| eval IsTLSPort=if(DestinationPort IN ("443", "8443", "4443", "8080", "8888", "8081", "9443", "2083", "2087"), 1, 0)
| eval IsHighPort=if(isnotnull(DestinationPort) AND tonumber(DestinationPort) > 1024 AND IsTLSPort=0, 1, 0)
| eval SuspicionScore=case(
    EventType="AsymCrypto_Tool_Usage" AND match(CommandLine, "openssl genrsa|openssl genpkey|RSACryptoServiceProvider|New-SelfSignedCertificate"), 2,
    EventType="TLS_Network_Connection" AND IsHighPort=1, 2,
    EventType="TLS_Network_Connection" AND IsTLSPort=1, 1,
    EventType="Crypto_Cert_Operation", 1,
    true(), 0
  )
| where SuspicionScore > 0
| table _time, host, User, ProcessName, CommandLine, ParentImage, DestinationIp, DestinationPort, EventType, IsTLSPort, IsHighPort, SuspicionScore
| sort - SuspicionScore, - _time

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

PowerShell automation and configuration management tools making HTTPS connections to package repositories or management APIs
Developer toolchains invoked from cmd.exe or scripting engines that pull packages or binaries over TLS
PKI administrators and certificate automation accounts using openssl.exe or New-SelfSignedCertificate for legitimate certificate operations
Security scanning agents that spawn processes making TLS connections to their cloud management platforms
certutil.exe usage in automated PKI workflows for certificate import/export operations

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [network where event.action == "connection_attempted"
    and not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*", "169.254.*", "::1")
    and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "msbuild.exe", "csc.exe", "installutil.exe", "regasm.exe", "wmic.exe", "bitsadmin.exe", "certutil.exe")
    and (
      destination.port in (443, 8443, 4443, 8080, 8888, 8081, 9443, 2083, 2087, 2096)
      or destination.port > 1024
    )] by process.entity_id
  [process where event.type == "start"
    and (
      process.name : "openssl.exe"
      or process.command_line : ("*openssl genrsa*", "*openssl genpkey*", "*openssl req*", "*openssl s_client*", "*openssl s_server*", "*RSACryptoServiceProvider*", "*RSACng*", "*ECDiffieHellman*", "*RSAParameters*", "*New-SelfSignedCertificate*", "*makecert*", "*Export-PfxCertificate*", "*Import-PfxCertificate*")
      or (process.name : "certutil.exe" and process.command_line : ("*-exportpfx*", "*-importpfx*", "*-MergePFX*"))
    )] by process.parent.entity_id

OR

any where
  event.category : "network"
  and event.action == "connection_attempted"
  and not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*", "169.254.*")
  and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "msbuild.exe", "csc.exe", "installutil.exe", "regasm.exe", "wmic.exe", "bitsadmin.exe", "certutil.exe")

OR

process where event.type == "start"
  and (
    process.name : "openssl.exe"
    or process.command_line : ("*openssl genrsa*", "*openssl genpkey*", "*openssl req*", "*openssl s_client*", "*openssl s_server*", "*RSACryptoServiceProvider*", "*RSACng*", "*ECDiffieHellman*", "*New-SelfSignedCertificate*", "*Export-PfxCertificate*", "*Import-PfxCertificate*")
    or (process.name : "certutil.exe" and process.command_line : ("*-exportpfx*", "*-importpfx*", "*-MergePFX*"))
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent with network monitoring

Required Tables

logs-endpoint.events.network-* logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate DevOps tooling (Ansible, Chef, Puppet) running openssl commands for certificate renewal or infrastructure provisioning on managed endpoints
Developers running PowerShell or cmd.exe scripts that establish TLS connections to known SaaS APIs or package registries (NuGet, npm) on standard ports
Security scanning tools, vulnerability assessment agents, or endpoint management platforms (SCCM, Intune sync) that use certutil for certificate trust store management
CI/CD pipeline agents (Azure DevOps, Jenkins) invoking msbuild.exe or csc.exe that make TLS calls to source repositories or artifact stores

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  destinationport AS DestinationPort,
  username AS UserName,
  "ProcessName",
  "CommandLine",
  "ParentProcessName",
  CASE
    WHEN destinationport IN (443, 8443, 4443, 8080, 8888, 8081, 9443, 2083, 2087, 2096) THEN 'TLS_Standard_Port'
    WHEN LONG(destinationport) > 1024 THEN 'TLS_High_Port'
    ELSE 'Other'
  END AS ConnectionType,
  CASE
    WHEN "CommandLine" ILIKE '%openssl genrsa%' OR "CommandLine" ILIKE '%openssl genpkey%' OR "CommandLine" ILIKE '%RSACryptoServiceProvider%' OR "CommandLine" ILIKE '%RSACng%' OR "CommandLine" ILIKE '%ECDiffieHellman%' OR "CommandLine" ILIKE '%New-SelfSignedCertificate%' THEN 2
    WHEN LONG(destinationport) > 1024 AND destinationport NOT IN (443, 8443, 4443, 8080, 8888, 8081, 9443) THEN 2
    WHEN destinationport IN (443, 8443, 4443) THEN 1
    ELSE 0
  END AS SuspicionScore
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 14)
  AND starttime > NOW() - 24 HOURS
  AND (
    -- Network connection events from suspicious processes (Sysmon Event ID 3)
    (
      eventid = 3
      AND (
        "ProcessName" ILIKE '%cmd.exe'
        OR "ProcessName" ILIKE '%powershell.exe'
        OR "ProcessName" ILIKE '%pwsh.exe'
        OR "ProcessName" ILIKE '%wscript.exe'
        OR "ProcessName" ILIKE '%cscript.exe'
        OR "ProcessName" ILIKE '%mshta.exe'
        OR "ProcessName" ILIKE '%regsvr32.exe'
        OR "ProcessName" ILIKE '%rundll32.exe'
        OR "ProcessName" ILIKE '%msbuild.exe'
        OR "ProcessName" ILIKE '%csc.exe'
        OR "ProcessName" ILIKE '%installutil.exe'
        OR "ProcessName" ILIKE '%regasm.exe'
        OR "ProcessName" ILIKE '%wmic.exe'
        OR "ProcessName" ILIKE '%bitsadmin.exe'
      )
      AND destinationip NOT ILIKE '10.%'
      AND destinationip NOT ILIKE '172.16.%' AND destinationip NOT ILIKE '172.17.%'
      AND destinationip NOT ILIKE '172.18.%' AND destinationip NOT ILIKE '172.19.%'
      AND destinationip NOT ILIKE '172.20.%' AND destinationip NOT ILIKE '172.31.%'
      AND destinationip NOT ILIKE '192.168.%'
      AND destinationip NOT ILIKE '127.%'
      AND destinationip NOT ILIKE '169.254.%'
    )
    OR
    -- Cryptographic tool / API invocation (Sysmon Event ID 1)
    (
      eventid = 1
      AND (
        "ProcessName" ILIKE '%openssl.exe'
        OR "CommandLine" ILIKE '%openssl genrsa%'
        OR "CommandLine" ILIKE '%openssl genpkey%'
        OR "CommandLine" ILIKE '%openssl req%'
        OR "CommandLine" ILIKE '%openssl s_client%'
        OR "CommandLine" ILIKE '%openssl s_server%'
        OR "CommandLine" ILIKE '%RSACryptoServiceProvider%'
        OR "CommandLine" ILIKE '%RSACng%'
        OR "CommandLine" ILIKE '%ECDiffieHellman%'
        OR "CommandLine" ILIKE '%RSAParameters%'
        OR "CommandLine" ILIKE '%New-SelfSignedCertificate%'
        OR "CommandLine" ILIKE '%makecert%'
        OR "CommandLine" ILIKE '%Export-PfxCertificate%'
        OR "CommandLine" ILIKE '%Import-PfxCertificate%'
        OR ("ProcessName" ILIKE '%certutil.exe' AND (
          "CommandLine" ILIKE '%-exportpfx%'
          OR "CommandLine" ILIKE '%-importpfx%'
          OR "CommandLine" ILIKE '%-MergePFX%'
        ))
      )
    )
  )
  AND SuspicionScore > 0
ORDER BY SuspicionScore DESC, starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Sysmon (via QRadar DSM) Windows Security Event Logs

Required Tables

events

False Positives

Software deployment systems executing msiexec or msbuild over HTTPS to internal or external package repositories as part of automated patch management
Helpdesk and IT administration tools (e.g., remote support agents, SCCM client) that use certutil to manage certificate stores during routine maintenance windows
Penetration testing or red team exercises on systems where such activity is expected and authorized — correlate with change management records

Sumo Logic CSE

sql

// Approach 1: LOLBin processes making outbound TLS/non-RFC1918 connections (Sysmon EventID 3)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| parse xml "<Event><System><EventID>*</EventID>*</System><EventData>*</EventData></Event>" as EventID, SystemData, EventData nodrop
| where EventID = "3"
| parse field=EventData "<Data Name='Image'>*</Data>" as ProcessImage nodrop
| parse field=EventData "<Data Name='DestinationIp'>*</Data>" as DestinationIp nodrop
| parse field=EventData "<Data Name='DestinationPort'>*</Data>" as DestinationPort nodrop
| parse field=EventData "<Data Name='User'>*</Data>" as UserName nodrop
| parse field=EventData "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=EventData "<Data Name='ParentImage'>*</Data>" as ParentImage nodrop
| where (
    ProcessImage matches "*\\cmd.exe" OR ProcessImage matches "*\\powershell.exe" OR
    ProcessImage matches "*\\pwsh.exe" OR ProcessImage matches "*\\wscript.exe" OR
    ProcessImage matches "*\\cscript.exe" OR ProcessImage matches "*\\mshta.exe" OR
    ProcessImage matches "*\\regsvr32.exe" OR ProcessImage matches "*\\rundll32.exe" OR
    ProcessImage matches "*\\msbuild.exe" OR ProcessImage matches "*\\csc.exe" OR
    ProcessImage matches "*\\installutil.exe" OR ProcessImage matches "*\\regasm.exe" OR
    ProcessImage matches "*\\wmic.exe" OR ProcessImage matches "*\\bitsadmin.exe"
  )
| where !( DestinationIp matches "10.*" OR DestinationIp matches "172.16.*" OR
           DestinationIp matches "172.17.*" OR DestinationIp matches "172.18.*" OR
           DestinationIp matches "172.19.*" OR DestinationIp matches "172.20.*" OR
           DestinationIp matches "172.31.*" OR DestinationIp matches "192.168.*" OR
           DestinationIp matches "127.*" OR DestinationIp matches "169.254.*" )
| if (DestinationPort IN ("443","8443","4443","8080","8888","8081","9443","2083","2087","2096"), 1, 0) as IsTLSPort
| if (tonumber(DestinationPort) > 1024 AND IsTLSPort = 0, 1, 0) as IsHighPort
| if (IsHighPort = 1, 2, if (IsTLSPort = 1, 1, 0)) as SuspicionScore
| where SuspicionScore > 0
| fields _messageTime, _sourceHost, UserName, ProcessImage, CommandLine, ParentImage, DestinationIp, DestinationPort, IsTLSPort, IsHighPort, SuspicionScore

// Approach 2: Cryptographic tool and API invocation (Sysmon EventID 1)
// Run separately or union in a scheduled search:
// (_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
// | parse xml ...
// | where EventID = "1"
// | where (
//     ProcessImage matches "*\\openssl.exe"
//     OR CommandLine matches "*openssl genrsa*" OR CommandLine matches "*openssl genpkey*"
//     OR CommandLine matches "*openssl req*" OR CommandLine matches "*openssl s_client*"
//     OR CommandLine matches "*RSACryptoServiceProvider*" OR CommandLine matches "*RSACng*"
//     OR CommandLine matches "*ECDiffieHellman*" OR CommandLine matches "*New-SelfSignedCertificate*"
//     OR CommandLine matches "*Export-PfxCertificate*" OR CommandLine matches "*Import-PfxCertificate*"
//     OR (ProcessImage matches "*\\certutil.exe" AND (
//       CommandLine matches "*-exportpfx*" OR CommandLine matches "*-importpfx*" OR CommandLine matches "*-MergePFX*"
//     ))
//   )

| sort by SuspicionScore desc, _messageTime desc
| count by _sourceHost, UserName, ProcessImage, CommandLine, ParentImage, DestinationIp, DestinationPort, SuspicionScore

high severity medium confidence

Data Sources

Sumo Logic CIP Windows Sysmon via Sumo Logic Collector Sumo Logic CSE (Cloud SIEM Enterprise)

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=WinEventLog/Sysmon

False Positives

Enterprise certificate lifecycle management tools (DigiCert, Entrust agents) invoking certutil for automated certificate enrollment or renewal on managed workstations
PowerShell-based automation scripts in DevOps environments connecting to Azure or AWS API endpoints over TLS 443 from administrative workstations
Software build servers running msbuild.exe or csc.exe that fetch dependencies or push artifacts over HTTPS as part of legitimate CI/CD pipeline activity

Google Chronicle / SecOps

yaral

rule t1573_002_asymmetric_crypto_c2 {
  meta:
    author = "Detection Engineering"
    description = "Detects T1573.002 Asymmetric Cryptography C2: LOLBin processes making outbound TLS connections and cryptographic tool/API invocations indicative of encrypted C2 channel establishment"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1573.002"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-21"

  events:
    // Match network connections from LOLBin processes to public IPs
    (
      $net.metadata.event_type = "NETWORK_CONNECTION"
      AND (
        $net.principal.process.file.full_path = /(?i)(\\|\/)cmd\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)powershell\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)pwsh\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)wscript\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)cscript\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)mshta\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)regsvr32\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)rundll32\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)msbuild\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)csc\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)installutil\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)regasm\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)wmic\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)bitsadmin\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)certutil\.exe$/
      )
      AND NOT (
        $net.target.ip = "10.0.0.0/8"
        OR $net.target.ip = "172.16.0.0/12"
        OR $net.target.ip = "192.168.0.0/16"
        OR $net.target.ip = "127.0.0.0/8"
        OR $net.target.ip = "169.254.0.0/16"
      )
      AND (
        $net.target.port = 443
        OR $net.target.port = 8443
        OR $net.target.port = 4443
        OR $net.target.port = 8080
        OR $net.target.port = 8888
        OR $net.target.port = 8081
        OR $net.target.port = 9443
        OR $net.target.port = 2083
        OR $net.target.port = 2087
        OR $net.target.port = 2096
        OR $net.target.port > 1024
      )
    )
    OR
    // Match cryptographic tool and API invocations via process events
    (
      $net.metadata.event_type = "PROCESS_LAUNCH"
      AND (
        $net.principal.process.file.full_path = /(?i)(\\|\/)openssl\.exe$/
        OR $net.principal.process.command_line = /(?i)openssl (genrsa|genpkey|req|s_client|s_server)/
        OR $net.principal.process.command_line = /(?i)(RSACryptoServiceProvider|RSACng|RSAParameters|ECDiffieHellman)/
        OR $net.principal.process.command_line = /(?i)(New-SelfSignedCertificate|makecert\.exe|Export-PfxCertificate|Import-PfxCertificate)/
        OR (
          $net.principal.process.file.full_path = /(?i)(\\|\/)certutil\.exe$/
          AND $net.principal.process.command_line = /(?i)(-exportpfx|-importpfx|-MergePFX)/
        )
      )
    )

  match:
    $net.principal.hostname over 10m

  outcome:
    $risk_score = max(
      if($net.target.port > 1024 AND $net.target.port NOT IN (443, 8443, 4443, 8080, 8888, 8081, 9443, 2083, 2087, 2096), 75, 0),
      if($net.target.port IN (443, 8443, 4443, 8080, 8888, 8081, 9443), 50, 0),
      if($net.principal.process.command_line = /(?i)(RSACryptoServiceProvider|RSACng|ECDiffieHellman|New-SelfSignedCertificate|openssl genrsa|openssl genpkey)/, 80, 0)
    )
    $target_ip = array_distinct($net.target.ip)
    $process_name = $net.principal.process.file.full_path
    $command_line = $net.principal.process.command_line
    $hostname = $net.principal.hostname
    $username = $net.principal.user.userid

  condition:
    $net
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Windows Sysmon UDM ingestion Endpoint Detection & Response telemetry via Chronicle forwarder

Required Tables

UDM events (network_connection, process_launch entity types)

False Positives

IT operations PowerShell scripts performing scheduled certificate health checks or LDAP/ADFS connectivity tests that generate TLS connections from powershell.exe to trusted internal or external endpoints
Third-party endpoint agents (antivirus update clients, MDM enrollment tools) spawning certutil or bitsadmin for certificate validation or software delivery over CDN endpoints
Developer workstations where msbuild.exe or csc.exe are invoked by IDEs (Visual Studio, Rider) that communicate with NuGet, GitHub, or Azure DevOps over HTTPS

CrowdStrike LogScale (CQL)

cql

// Approach 1: LOLBin processes making outbound connections to public IPs (Falcon NetworkConnectIP4)
#event_simpleName=NetworkConnectIP4
| FileName IN ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "regsvr32.exe", "rundll32.exe", "msbuild.exe", "csc.exe",
               "installutil.exe", "regasm.exe", "wmic.exe", "bitsadmin.exe", "certutil.exe")
| !cidr(RemoteAddressIP4, "10.0.0.0/8")
| !cidr(RemoteAddressIP4, "172.16.0.0/12")
| !cidr(RemoteAddressIP4, "192.168.0.0/16")
| !cidr(RemoteAddressIP4, "127.0.0.0/8")
| !cidr(RemoteAddressIP4, "169.254.0.0/16")
| ConnectionFlags != "1"  // exclude established/listen-only
| IsTLSPort := RemotePort IN (443, 8443, 4443, 8080, 8888, 8081, 9443, 2083, 2087, 2096)
| IsHighPort := if(RemotePort > 1024 AND NOT IsTLSPort, true(), false())
| SuspicionScore := case {
    IsHighPort == true: 2;
    IsTLSPort == true: 1;
    default: 0
  }
| SuspicionScore > 0
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, RemoteAddressIP4, RemotePort, IsTLSPort, IsHighPort, SuspicionScore],
    function=count(aid, as=EventCount)
  )
| sort(SuspicionScore, order=desc)

// Approach 2: Cryptographic tool / API invocations (Falcon ProcessRollup2)
// Run as a separate query and correlate:
// #event_simpleName=ProcessRollup2
// | FileName = "openssl.exe"
//   OR CommandLine = /openssl (genrsa|genpkey|req|s_client|s_server)/i
//   OR CommandLine = /RSACryptoServiceProvider|RSACng|RSAParameters|ECDiffieHellman/i
//   OR CommandLine = /New-SelfSignedCertificate|makecert|Export-PfxCertificate|Import-PfxCertificate/i
//   OR (FileName = "certutil.exe" AND CommandLine = /(-exportpfx|-importpfx|-MergePFX)/i)
// | CryptoSuspicion := case {
//     CommandLine = /openssl genrsa|openssl genpkey|RSACryptoServiceProvider|RSACng|ECDiffieHellman|New-SelfSignedCertificate/i: 2;
//     CommandLine = /openssl req|openssl s_client|Export-PfxCertificate|Import-PfxCertificate|-exportpfx|-importpfx/i: 1;
//     default: 0
//   }
// | CryptoSuspicion > 0
// | groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, CryptoSuspicion], function=count(aid, as=EventCount))
// | sort(CryptoSuspicion, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon Intelligence Falcon LogScale (Humio)

Required Tables

#event_simpleName=NetworkConnectIP4 #event_simpleName=ProcessRollup2

False Positives

Endpoint management agents and software updaters (Falcon sensor updates, OS patch tooling) that use bitsadmin.exe or certutil.exe to download signed packages from CDN endpoints over HTTPS
Legitimate scripted automation running PowerShell on server endpoints that makes regular TLS calls to monitoring APIs, ticketing systems (ServiceNow, PagerDuty), or cloud management planes
Development and build workstations where csc.exe, msbuild.exe, or installutil.exe are invoked by IDE toolchains communicating with artifact repositories or license servers over non-standard TLS ports

Last updated: 2026-04-21 Research depth: deep

References (14)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1573.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Asymmetric Cryptography

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections