Detect Asymmetric Cryptography in Google Chronicle
Adversaries may employ asymmetric encryption algorithms such as RSA, ECDH, or Diffie-Hellman to conceal command and control (C2) traffic. Asymmetric cryptography uses a keypair: a public key for encryption and a private key for decryption, ensuring only the intended recipient can read the data. In practice, most C2 frameworks (Cobalt Strike, Sliver, Havoc, AsyncRAT, Metasploit) use TLS for all communications, leveraging asymmetric cryptography for key exchange before switching to symmetric encryption for the bulk session data. Real-world malware families using this technique include SombRAT (SSL-encrypted C2), LunarWeb (RSA-4096 encrypted commands), SodaMaster (hardcoded RSA key for C2 traffic), ComRAT (RSA+AES for Gmail C2 channel), and Cyclops Blink (OpenSSL RSA public key encrypting per-message keys under TLS). Detection must focus on behavioral indicators: LOLBin processes initiating TLS connections, self-signed or anomalous certificate attributes, TLS on non-standard ports, regular beaconing intervals from non-browser processes, and use of cryptographic tools (openssl, certutil, .NET RSA APIs) in unexpected contexts.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1573 Encrypted Channel
- Sub-technique: T1573.002 Asymmetric Cryptography
- Canonical reference: https://attack.mitre.org/techniques/T1573/002/
YARA-L Detection Query
rule t1573_002_asymmetric_crypto_c2 {

  meta:
    author = "Detection Engineering"
    description = "Detects T1573.002 Asymmetric Cryptography C2: LOLBin processes making outbound TLS connections and cryptographic tool/API invocations indicative of encrypted C2 channel establishment"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1573.002"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-21"

  events:
    // Branch 1: LOLBin and scripting-engine processes connecting to public IPs on
    // TLS or high non-standard ports. For NETWORK_CONNECTION events the connecting
    // process is principal.process.
    (
      $net.metadata.event_type = "NETWORK_CONNECTION"
      AND (
        $net.principal.process.file.full_path = /(?i)(\\|\/)cmd\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)powershell\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)pwsh\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)wscript\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)cscript\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)mshta\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)regsvr32\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)rundll32\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)msbuild\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)csc\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)installutil\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)regasm\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)wmic\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)bitsadmin\.exe$/
        OR $net.principal.process.file.full_path = /(?i)(\\|\/)certutil\.exe$/
      )
      // Exclude RFC1918, loopback and link-local destinations. A string equality
      // against a CIDR literal never matches; net.ip_in_range_cidr() does the range test.
      AND NOT (
        net.ip_in_range_cidr($net.target.ip, "10.0.0.0/8")
        OR net.ip_in_range_cidr($net.target.ip, "172.16.0.0/12")
        OR net.ip_in_range_cidr($net.target.ip, "192.168.0.0/16")
        OR net.ip_in_range_cidr($net.target.ip, "127.0.0.0/8")
        OR net.ip_in_range_cidr($net.target.ip, "169.254.0.0/16")
      )
      // 443 plus any port above 1024, which already covers the other common TLS ports
      // (8443, 4443, 8080, 8888, 8081, 9443, 2083, 2087, 2096); the outcome section
      // scores the known TLS ports and the remaining high ports separately.
      AND (
        $net.target.port = 443
        OR $net.target.port > 1024
      )
    )
    OR
    // Branch 2: cryptographic tool and API invocations. For PROCESS_LAUNCH events the
    // launched process is target.process; principal.process is its parent, so matching
    // on principal.process here would miss the tool itself.
    (
      $net.metadata.event_type = "PROCESS_LAUNCH"
      AND (
        $net.target.process.file.full_path = /(?i)(\\|\/)openssl\.exe$/
        OR $net.target.process.command_line = /(?i)openssl (genrsa|genpkey|req|s_client|s_server)/
        OR $net.target.process.command_line = /(?i)(RSACryptoServiceProvider|RSACng|RSAParameters|ECDiffieHellman)/
        OR $net.target.process.command_line = /(?i)(New-SelfSignedCertificate|makecert\.exe|Export-PfxCertificate|Import-PfxCertificate)/
        OR (
          $net.target.process.file.full_path = /(?i)(\\|\/)certutil\.exe$/
          AND $net.target.process.command_line = /(?i)(-exportpfx|-importpfx|-MergePFX)/
        )
      )
    )

    // The match section can only group on a placeholder declared in the events section.
    $hostname = $net.principal.hostname

  match:
    $hostname over 10m

  outcome:
    // max() aggregates a single expression over the matched events, so the three
    // scores are ranked with nested if() instead of being passed as separate arguments.
    $risk_score = max(
      if($net.target.process.command_line = /(?i)(RSACryptoServiceProvider|RSACng|ECDiffieHellman|New-SelfSignedCertificate|openssl genrsa|openssl genpkey)/, 80,
        if($net.target.port = 443 OR $net.target.port = 8443 OR $net.target.port = 4443
           OR $net.target.port = 8080 OR $net.target.port = 8888 OR $net.target.port = 8081
           OR $net.target.port = 9443 OR $net.target.port = 2083 OR $net.target.port = 2087
           OR $net.target.port = 2096, 50,
          if($net.target.port > 1024, 75, 0))))
    // With a match window, every other outcome variable must be an aggregation.
    $target_ip = array_distinct($net.target.ip)
    $connecting_process = array_distinct($net.principal.process.file.full_path)
    $launched_process = array_distinct($net.target.process.file.full_path)
    $command_line = array_distinct($net.target.process.command_line)
    $username = array_distinct($net.principal.user.userid)

  condition:
    $net
}

Chronicle YARA-L 2.0 rule detecting T1573.002 asymmetric cryptography C2 indicators. The rule matches two key behavioral patterns: (1) LOLBin and scripting engine processes (cmd, PowerShell, wscript, mshta, regsvr32, rundll32, msbuild, certutil, etc.) initiating outbound network connections to non-RFC1918 IPs on TLS or high non-standard ports, and (2) cryptographic tool/API invocations including openssl key generation commands, .NET RSA/ECDH class usage, and certificate export/import operations. Risk scoring treats high-port connections and direct crypto API usage as the higher-confidence signals.
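To exercise the rule's logic offline, the following is an added Python re-implementation (not Chronicle code and not from the original page) of the LOLBin filter, the CIDR exclusion and the risk scoring, run over constructed UDM-style events. The dict keys `process`, `target_ip`, `target_port`, `hostname` and `ts` are simplified stand-ins for the UDM paths, and bucketing by `ts // 600` approximates the 10-minute match window.

```python
import ipaddress
import re
from collections import defaultdict

LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe",
           "rundll32.exe", "msbuild.exe", "csc.exe", "installutil.exe", "regasm.exe", "wmic.exe", "bitsadmin.exe", "certutil.exe"}
TLS_PORTS = {443, 8443, 4443, 8080, 8888, 8081, 9443, 2083, 2087, 2096}
EXCLUDED = [ipaddress.ip_network(c) for c in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
CRYPTO_RE = re.compile(r"openssl (genrsa|genpkey|req|s_client|s_server)|RSACryptoServiceProvider|RSACng|RSAParameters"
                       r"|ECDiffieHellman|New-SelfSignedCertificate|makecert\.exe|(Export|Import)-PfxCertificate", re.I)
HIGH_CONF_RE = re.compile(r"RSACryptoServiceProvider|RSACng|ECDiffieHellman|New-SelfSignedCertificate|openssl gen(rsa|pkey)", re.I)
PFX_RE = re.compile(r"-(exportpfx|importpfx|MergePFX)", re.I)

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def score_event(ev):
    """Risk score the rule's outcome section would give this event, or None if the rule does not match it."""
    if ev["event_type"] == "NETWORK_CONNECTION":
        if basename(ev["process"]) not in LOLBINS or any(ipaddress.ip_address(ev["target_ip"]) in n for n in EXCLUDED):
            return None                                    # not a LOLBin, or RFC1918/loopback/link-local target
        if ev["target_port"] in TLS_PORTS:
            return 50                                      # common TLS port: medium confidence
        return 75 if ev["target_port"] > 1024 else None    # high non-standard port: higher confidence
    if ev["event_type"] == "PROCESS_LAUNCH":               # "process" here is the launched (UDM target) process
        proc, cmd = basename(ev["process"]), ev["command_line"]
        if proc == "openssl.exe" or CRYPTO_RE.search(cmd) or (proc == "certutil.exe" and PFX_RE.search(cmd)):
            return 80 if HIGH_CONF_RE.search(cmd) else 0   # only direct crypto API / key generation scores high
    return None

def correlate(events, window=600):
    """Like the match section: group hits per (hostname, 10-minute bucket) and keep the highest score."""
    hits = defaultdict(int)
    for ev in events:
        score = score_event(ev)
        if score is not None:
            key = (ev["hostname"], ev["ts"] // window)
            hits[key] = max(hits[key], score)
    return dict(hits)

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"event_type": "NETWORK_CONNECTION", "hostname": "WS01", "ts": 1000, "target_port": 443,
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "target_ip": "203.0.113.10"},
    {"event_type": "NETWORK_CONNECTION", "hostname": "WS01", "ts": 1100, "target_port": 40443,
     "process": r"C:\Windows\System32\rundll32.exe", "target_ip": "203.0.113.10"},
    {"event_type": "PROCESS_LAUNCH", "hostname": "WS02", "ts": 1300, "process": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": "pwsh -c New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields one hit per host: WS01 at 75 (the rundll32 connection on a high port outranks the PowerShell connection on 443) and WS02 at 80 (direct RSA API use).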
False Positives & Tuning
- IT operations PowerShell scripts performing scheduled certificate health checks or LDAP/ADFS connectivity tests that generate TLS connections from powershell.exe to trusted internal or external endpoints
- Third-party endpoint agents (antivirus update clients, MDM enrollment tools) spawning certutil or bitsadmin for certificate validation or software delivery over CDN endpoints
- Developer workstations where msbuild.exe or csc.exe are invoked by IDEs (Visual Studio, Rider) that communicate with NuGet, GitHub, or Azure DevOps over HTTPS
Testing Methodology
Validate this detection against the four Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: RSA Key Pair Generation via OpenSSL Command Line
  Expected signal: Sysmon Event ID 1 (Process Create): openssl.exe with CommandLine containing 'genrsa -out' and 'rsa -in ... -pubout'. Sysmon Event ID 11 (File Create): df00tech_test_priv.pem and df00tech_test_pub.pem created in %TEMP%. Security Event ID 4688 if process command line auditing is enabled via GPO.
- Test 2: In-Memory RSA Encryption via PowerShell .NET API
  Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'RSACryptoServiceProvider'. PowerShell ScriptBlock Log Event ID 4104 (Microsoft-Windows-PowerShell/Operational) capturing the full RSA key generation and encrypt/decrypt code in plaintext. No network connections expected; this test exercises the crypto API only.
- Test 3: Outbound TLS Handshake from LOLBin Process Chain (cmd.exe -> PowerShell)
  Expected signal: Sysmon Event ID 1 (Process Create): cmd.exe spawning powershell.exe, with the parent-child relationship captured. Sysmon Event ID 3 (Network Connection): powershell.exe connecting to 1.1.1.1:443. PowerShell ScriptBlock Log Event ID 4104 capturing the SslStream and AuthenticateAsClient code showing TLS setup. The cmd.exe -> powershell.exe -> external TLS connection chain is the key indicator.
- Test 4: Self-Signed Certificate Generation for Adversary C2 Server
  Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'New-SelfSignedCertificate' and 'RSA'. Sysmon Event ID 11 (File Create): df00tech_c2cert.pfx in %TEMP%. Sysmon Event ID 12/13 (Registry Create/Set): certificate installation to the Cert:\CurrentUser\My store captured as registry operations under HKCU\Software\Microsoft\SystemCertificates. PowerShell ScriptBlock Log Event ID 4104 with the full certificate generation and export code.
References
- https://attack.mitre.org/techniques/T1573/002/
- http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840
- https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/
- https://github.com/salesforce/ja3
- https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
- https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/
- https://securelist.com/apt10-sophisticated-multi-layered-loader-rosneft/101524/
- https://www.blackberry.com/us/en/solutions/endpoint-security/cylanceprotect/research/2020/costaricto
- https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsacryptoserviceprovider
- https://learn.microsoft.com/en-us/dotnet/api/system.net.security.sslstream
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573.002/T1573.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection