Which SIEM platforms have a T1573.002 detection rule?

df00tech provides T1573.002 (Asymmetric Cryptography) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Asymmetric Cryptography (T1573.002)?

Detecting Asymmetric Cryptography requires the following data sources: Network Traffic: Network Connection Creation, Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1573.002 detection?

The T1573.002 detection is rated medium severity with medium confidence.

What are common false positives for T1573.002?

Common false positives for T1573.002 include: Legitimate PowerShell automation scripts (SCCM, Intune, Ansible WinRM) making HTTPS connections for patch management, configuration management, or telemetry reporting; Developer toolchains (npm, pip, cargo, dotnet restore) invoked from cmd.exe or PowerShell to fetch packages over TLS from public registries; PKI administrators or certificate automation scripts using openssl.exe, certutil.exe, or New-SelfSignedCertificate for legitimate certificate lifecycle management.

T1573.002 CrowdStrike LogScale · LogScale

Detect Asymmetric Cryptography in CrowdStrike LogScale

Adversaries may employ asymmetric encryption algorithms such as RSA, ECDH, or Diffie-Hellman to conceal command and control (C2) traffic. Asymmetric cryptography uses a keypair: a public key for encryption and a private key for decryption, ensuring only the intended recipient can read the data. In practice, most C2 frameworks (Cobalt Strike, Sliver, Havoc, AsyncRAT, Metasploit) use TLS for all communications, leveraging asymmetric cryptography for key exchange before switching to symmetric encryption for the bulk session data. Real-world malware families using this technique include SombRAT (SSL-encrypted C2), LunarWeb (RSA-4096 encrypted commands), SodaMaster (hardcoded RSA key for C2 traffic), ComRAT (RSA+AES for Gmail C2 channel), and Cyclops Blink (OpenSSL RSA public key encrypting per-message keys under TLS). Detection must focus on behavioral indicators: LOLBin processes initiating TLS connections, self-signed or anomalous certificate attributes, TLS on non-standard ports, regular beaconing intervals from non-browser processes, and use of cryptographic tools (openssl, certutil, .NET RSA APIs) in unexpected contexts.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1573 Encrypted Channel
Sub-technique: T1573.002 Asymmetric Cryptography
Canonical reference: https://attack.mitre.org/techniques/T1573/002/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

cql

// Approach 1: LOLBin processes making outbound connections to public IPs (Falcon NetworkConnectIP4)
#event_simpleName=NetworkConnectIP4
| FileName IN ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "regsvr32.exe", "rundll32.exe", "msbuild.exe", "csc.exe",
               "installutil.exe", "regasm.exe", "wmic.exe", "bitsadmin.exe", "certutil.exe")
| !cidr(RemoteAddressIP4, "10.0.0.0/8")
| !cidr(RemoteAddressIP4, "172.16.0.0/12")
| !cidr(RemoteAddressIP4, "192.168.0.0/16")
| !cidr(RemoteAddressIP4, "127.0.0.0/8")
| !cidr(RemoteAddressIP4, "169.254.0.0/16")
| ConnectionFlags != "1"  // exclude established/listen-only
| IsTLSPort := RemotePort IN (443, 8443, 4443, 8080, 8888, 8081, 9443, 2083, 2087, 2096)
| IsHighPort := if(RemotePort > 1024 AND NOT IsTLSPort, true(), false())
| SuspicionScore := case {
    IsHighPort == true: 2;
    IsTLSPort == true: 1;
    default: 0
  }
| SuspicionScore > 0
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, RemoteAddressIP4, RemotePort, IsTLSPort, IsHighPort, SuspicionScore],
    function=count(aid, as=EventCount)
  )
| sort(SuspicionScore, order=desc)

// Approach 2: Cryptographic tool / API invocations (Falcon ProcessRollup2)
// Run as a separate query and correlate:
// #event_simpleName=ProcessRollup2
// | FileName = "openssl.exe"
//   OR CommandLine = /openssl (genrsa|genpkey|req|s_client|s_server)/i
//   OR CommandLine = /RSACryptoServiceProvider|RSACng|RSAParameters|ECDiffieHellman/i
//   OR CommandLine = /New-SelfSignedCertificate|makecert|Export-PfxCertificate|Import-PfxCertificate/i
//   OR (FileName = "certutil.exe" AND CommandLine = /(-exportpfx|-importpfx|-MergePFX)/i)
// | CryptoSuspicion := case {
//     CommandLine = /openssl genrsa|openssl genpkey|RSACryptoServiceProvider|RSACng|ECDiffieHellman|New-SelfSignedCertificate/i: 2;
//     CommandLine = /openssl req|openssl s_client|Export-PfxCertificate|Import-PfxCertificate|-exportpfx|-importpfx/i: 1;
//     default: 0
//   }
// | CryptoSuspicion > 0
// | groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, CryptoSuspicion], function=count(aid, as=EventCount))
// | sort(CryptoSuspicion, order=desc)

high severity medium confidence

CrowdStrike LogScale (CQL) query detecting T1573.002 asymmetric cryptography C2 via two Falcon sensor event types. Approach 1 uses NetworkConnectIP4 events to identify LOLBin and scripting engine processes (cmd, PowerShell, wscript, mshta, regsvr32, rundll32, msbuild, certutil, etc.) connecting to non-RFC1918 public IP addresses on TLS or high non-standard ports, scored by connection type. Approach 2 (provided as comment) uses ProcessRollup2 events to detect cryptographic tool invocations including openssl key generation, .NET RSA/ECDH class usage, and certutil certificate operations. Group-by aggregation reduces noise from repeated beaconing.

Data Sources

CrowdStrike Falcon EDRCrowdStrike Falcon IntelligenceFalcon LogScale (Humio)

Required Tables

#event_simpleName=NetworkConnectIP4#event_simpleName=ProcessRollup2

False Positives & Tuning

Endpoint management agents and software updaters (Falcon sensor updates, OS patch tooling) that use bitsadmin.exe or certutil.exe to download signed packages from CDN endpoints over HTTPS
Legitimate scripted automation running PowerShell on server endpoints that makes regular TLS calls to monitoring APIs, ticketing systems (ServiceNow, PagerDuty), or cloud management planes
Development and build workstations where csc.exe, msbuild.exe, or installutil.exe are invoked by IDE toolchains communicating with artifact repositories or license servers over non-standard TLS ports

Download portable Sigma rule (.yml)

Other platforms for T1573.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1RSA Key Pair Generation via OpenSSL Command Line
Expected signal: Sysmon Event ID 1 (Process Create): openssl.exe with CommandLine containing 'genrsa -out' and 'rsa -in ... -pubout'. Sysmon Event ID 11 (File Create): df00tech_test_priv.pem and df00tech_test_pub.pem created in %TEMP%. Security Event ID 4688 if process command line auditing is enabled via GPO.
Test 2In-Memory RSA Encryption via PowerShell .NET API
Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'RSACryptoServiceProvider'. PowerShell ScriptBlock Log Event ID 4104 (Microsoft-Windows-PowerShell/Operational) capturing the full RSA key generation and encrypt/decrypt code in plaintext. No network connections expected — this test exercises the crypto API only.
Test 3Outbound TLS Handshake from LOLBin Process Chain (cmd.exe -> PowerShell)
Expected signal: Sysmon Event ID 1 (Process Create): cmd.exe spawning powershell.exe — parent-child relationship captured. Sysmon Event ID 3 (Network Connection): powershell.exe connecting to 1.1.1.1:443. PowerShell ScriptBlock Log Event ID 4104 capturing the SslStream and AuthenticateAsClient code showing TLS setup. The cmd.exe → powershell.exe → external TLS connection chain is the key indicator.
Test 4Self-Signed Certificate Generation for Adversary C2 Server
Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'New-SelfSignedCertificate' and 'RSA'. Sysmon Event ID 11 (File Create): df00tech_c2cert.pfx in %TEMP%. Sysmon Event ID 12/13 (Registry Create/Set): certificate installation to Cert:\CurrentUser\My store captured as registry operations under HKCU\Software\Microsoft\SystemCertificates. PowerShell ScriptBlock Log Event ID 4104 with full certificate generation and export code.

Last updated: 2026-04-21 Research depth: deep

References (14)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1573.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Asymmetric Cryptography in CrowdStrike LogScale

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1573.002

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1573.002

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

Get new detections in your inbox