Detect Asymmetric Cryptography in Elastic Security
Adversaries may employ asymmetric encryption algorithms such as RSA, ECDH, or Diffie-Hellman to conceal command and control (C2) traffic. Asymmetric cryptography uses a keypair: a public key for encryption and a private key for decryption, ensuring only the intended recipient can read the data. In practice, most C2 frameworks (Cobalt Strike, Sliver, Havoc, AsyncRAT, Metasploit) use TLS for all communications, leveraging asymmetric cryptography for key exchange before switching to symmetric encryption for the bulk session data. Real-world malware families using this technique include SombRAT (SSL-encrypted C2), LunarWeb (RSA-4096 encrypted commands), SodaMaster (hardcoded RSA key for C2 traffic), ComRAT (RSA+AES for Gmail C2 channel), and Cyclops Blink (OpenSSL RSA public key encrypting per-message keys under TLS). Detection must focus on behavioral indicators: LOLBin processes initiating TLS connections, self-signed or anomalous certificate attributes, TLS on non-standard ports, regular beaconing intervals from non-browser processes, and use of cryptographic tools (openssl, certutil, .NET RSA APIs) in unexpected contexts.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1573 Encrypted Channel
- Sub-technique
- T1573.002 Asymmetric Cryptography
- Canonical reference
- https://attack.mitre.org/techniques/T1573/002/
Elastic Detection Query
sequence by host.id with maxspan=5m
[network where event.action == "connection_attempted"
and not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*", "169.254.*", "::1")
and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "msbuild.exe", "csc.exe", "installutil.exe", "regasm.exe", "wmic.exe", "bitsadmin.exe", "certutil.exe")
and (
destination.port in (443, 8443, 4443, 8080, 8888, 8081, 9443, 2083, 2087, 2096)
or destination.port > 1024
)] by process.entity_id
[process where event.type == "start"
and (
process.name : "openssl.exe"
or process.command_line : ("*openssl genrsa*", "*openssl genpkey*", "*openssl req*", "*openssl s_client*", "*openssl s_server*", "*RSACryptoServiceProvider*", "*RSACng*", "*ECDiffieHellman*", "*RSAParameters*", "*New-SelfSignedCertificate*", "*makecert*", "*Export-PfxCertificate*", "*Import-PfxCertificate*")
or (process.name : "certutil.exe" and process.command_line : ("*-exportpfx*", "*-importpfx*", "*-MergePFX*"))
)] by process.parent.entity_id
OR
any where
event.category : "network"
and event.action == "connection_attempted"
and not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*", "169.254.*")
and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "msbuild.exe", "csc.exe", "installutil.exe", "regasm.exe", "wmic.exe", "bitsadmin.exe", "certutil.exe")
OR
process where event.type == "start"
and (
process.name : "openssl.exe"
or process.command_line : ("*openssl genrsa*", "*openssl genpkey*", "*openssl req*", "*openssl s_client*", "*openssl s_server*", "*RSACryptoServiceProvider*", "*RSACng*", "*ECDiffieHellman*", "*New-SelfSignedCertificate*", "*Export-PfxCertificate*", "*Import-PfxCertificate*")
or (process.name : "certutil.exe" and process.command_line : ("*-exportpfx*", "*-importpfx*", "*-MergePFX*"))
)Detects asymmetric cryptography C2 activity via two approaches: (1) LOLBin and scripting engine processes (cmd, PowerShell, wscript, mshta, regsvr32, rundll32, etc.) initiating outbound TLS connections on standard or high non-standard ports to public IP addresses, and (2) cryptographic tool or API invocations including openssl key generation, .NET RSA/ECDH API usage, and certificate export/import operations that may indicate encrypted C2 channel establishment.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate DevOps tooling (Ansible, Chef, Puppet) running openssl commands for certificate renewal or infrastructure provisioning on managed endpoints
- Developers running PowerShell or cmd.exe scripts that establish TLS connections to known SaaS APIs or package registries (NuGet, npm) on standard ports
- Security scanning tools, vulnerability assessment agents, or endpoint management platforms (SCCM, Intune sync) that use certutil for certificate trust store management
- CI/CD pipeline agents (Azure DevOps, Jenkins) invoking msbuild.exe or csc.exe that make TLS calls to source repositories or artifact stores
Other platforms for T1573.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1RSA Key Pair Generation via OpenSSL Command Line
Expected signal: Sysmon Event ID 1 (Process Create): openssl.exe with CommandLine containing 'genrsa -out' and 'rsa -in ... -pubout'. Sysmon Event ID 11 (File Create): df00tech_test_priv.pem and df00tech_test_pub.pem created in %TEMP%. Security Event ID 4688 if process command line auditing is enabled via GPO.
- Test 2In-Memory RSA Encryption via PowerShell .NET API
Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'RSACryptoServiceProvider'. PowerShell ScriptBlock Log Event ID 4104 (Microsoft-Windows-PowerShell/Operational) capturing the full RSA key generation and encrypt/decrypt code in plaintext. No network connections expected — this test exercises the crypto API only.
- Test 3Outbound TLS Handshake from LOLBin Process Chain (cmd.exe -> PowerShell)
Expected signal: Sysmon Event ID 1 (Process Create): cmd.exe spawning powershell.exe — parent-child relationship captured. Sysmon Event ID 3 (Network Connection): powershell.exe connecting to 1.1.1.1:443. PowerShell ScriptBlock Log Event ID 4104 capturing the SslStream and AuthenticateAsClient code showing TLS setup. The cmd.exe → powershell.exe → external TLS connection chain is the key indicator.
- Test 4Self-Signed Certificate Generation for Adversary C2 Server
Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'New-SelfSignedCertificate' and 'RSA'. Sysmon Event ID 11 (File Create): df00tech_c2cert.pfx in %TEMP%. Sysmon Event ID 12/13 (Registry Create/Set): certificate installation to Cert:\CurrentUser\My store captured as registry operations under HKCU\Software\Microsoft\SystemCertificates. PowerShell ScriptBlock Log Event ID 4104 with full certificate generation and export code.
References (14)
- https://attack.mitre.org/techniques/T1573/002/
- http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840
- https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/
- https://github.com/salesforce/ja3
- https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
- https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/
- https://securelist.com/apt10-sophisticated-multi-layered-loader-rosneft/101524/
- https://www.blackberry.com/us/en/solutions/endpoint-security/cylanceprotect/research/2020/costaricto
- https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsacryptoserviceprovider
- https://learn.microsoft.com/en-us/dotnet/api/system.net.security.sslstream
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573.002/T1573.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection
Unlock Pro Content
Get the full detection package for T1573.002 including response playbook, investigation guide, and atomic red team tests.