Detect Asymmetric Cryptography in IBM QRadar
Adversaries may employ asymmetric encryption algorithms such as RSA, ECDH, or Diffie-Hellman to conceal command and control (C2) traffic. Asymmetric cryptography uses a keypair: a public key for encryption and a private key for decryption, ensuring only the intended recipient can read the data. In practice, most C2 frameworks (Cobalt Strike, Sliver, Havoc, AsyncRAT, Metasploit) use TLS for all communications, leveraging asymmetric cryptography for key exchange before switching to symmetric encryption for the bulk session data. Real-world malware families using this technique include SombRAT (SSL-encrypted C2), LunarWeb (RSA-4096 encrypted commands), SodaMaster (hardcoded RSA key for C2 traffic), ComRAT (RSA+AES for Gmail C2 channel), and Cyclops Blink (OpenSSL RSA public key encrypting per-message keys under TLS). Detection must focus on behavioral indicators: LOLBin processes initiating TLS connections, self-signed or anomalous certificate attributes, TLS on non-standard ports, regular beaconing intervals from non-browser processes, and use of cryptographic tools (openssl, certutil, .NET RSA APIs) in unexpected contexts.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1573 Encrypted Channel
- Sub-technique
- T1573.002 Asymmetric Cryptography
- Canonical reference
- https://attack.mitre.org/techniques/T1573/002/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
logsourcename(logsourceid) AS LogSource,
sourceip AS SourceIP,
destinationip AS DestinationIP,
destinationport AS DestinationPort,
username AS UserName,
"ProcessName",
"CommandLine",
"ParentProcessName",
CASE
WHEN destinationport IN (443, 8443, 4443, 8080, 8888, 8081, 9443, 2083, 2087, 2096) THEN 'TLS_Standard_Port'
WHEN LONG(destinationport) > 1024 THEN 'TLS_High_Port'
ELSE 'Other'
END AS ConnectionType,
CASE
WHEN "CommandLine" ILIKE '%openssl genrsa%' OR "CommandLine" ILIKE '%openssl genpkey%' OR "CommandLine" ILIKE '%RSACryptoServiceProvider%' OR "CommandLine" ILIKE '%RSACng%' OR "CommandLine" ILIKE '%ECDiffieHellman%' OR "CommandLine" ILIKE '%New-SelfSignedCertificate%' THEN 2
WHEN LONG(destinationport) > 1024 AND destinationport NOT IN (443, 8443, 4443, 8080, 8888, 8081, 9443) THEN 2
WHEN destinationport IN (443, 8443, 4443) THEN 1
ELSE 0
END AS SuspicionScore
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) IN (12, 13, 14)
AND starttime > NOW() - 24 HOURS
AND (
-- Network connection events from suspicious processes (Sysmon Event ID 3)
(
eventid = 3
AND (
"ProcessName" ILIKE '%cmd.exe'
OR "ProcessName" ILIKE '%powershell.exe'
OR "ProcessName" ILIKE '%pwsh.exe'
OR "ProcessName" ILIKE '%wscript.exe'
OR "ProcessName" ILIKE '%cscript.exe'
OR "ProcessName" ILIKE '%mshta.exe'
OR "ProcessName" ILIKE '%regsvr32.exe'
OR "ProcessName" ILIKE '%rundll32.exe'
OR "ProcessName" ILIKE '%msbuild.exe'
OR "ProcessName" ILIKE '%csc.exe'
OR "ProcessName" ILIKE '%installutil.exe'
OR "ProcessName" ILIKE '%regasm.exe'
OR "ProcessName" ILIKE '%wmic.exe'
OR "ProcessName" ILIKE '%bitsadmin.exe'
)
AND destinationip NOT ILIKE '10.%'
AND destinationip NOT ILIKE '172.16.%' AND destinationip NOT ILIKE '172.17.%'
AND destinationip NOT ILIKE '172.18.%' AND destinationip NOT ILIKE '172.19.%'
AND destinationip NOT ILIKE '172.20.%' AND destinationip NOT ILIKE '172.31.%'
AND destinationip NOT ILIKE '192.168.%'
AND destinationip NOT ILIKE '127.%'
AND destinationip NOT ILIKE '169.254.%'
)
OR
-- Cryptographic tool / API invocation (Sysmon Event ID 1)
(
eventid = 1
AND (
"ProcessName" ILIKE '%openssl.exe'
OR "CommandLine" ILIKE '%openssl genrsa%'
OR "CommandLine" ILIKE '%openssl genpkey%'
OR "CommandLine" ILIKE '%openssl req%'
OR "CommandLine" ILIKE '%openssl s_client%'
OR "CommandLine" ILIKE '%openssl s_server%'
OR "CommandLine" ILIKE '%RSACryptoServiceProvider%'
OR "CommandLine" ILIKE '%RSACng%'
OR "CommandLine" ILIKE '%ECDiffieHellman%'
OR "CommandLine" ILIKE '%RSAParameters%'
OR "CommandLine" ILIKE '%New-SelfSignedCertificate%'
OR "CommandLine" ILIKE '%makecert%'
OR "CommandLine" ILIKE '%Export-PfxCertificate%'
OR "CommandLine" ILIKE '%Import-PfxCertificate%'
OR ("ProcessName" ILIKE '%certutil.exe' AND (
"CommandLine" ILIKE '%-exportpfx%'
OR "CommandLine" ILIKE '%-importpfx%'
OR "CommandLine" ILIKE '%-MergePFX%'
))
)
)
)
AND SuspicionScore > 0
ORDER BY SuspicionScore DESC, starttime DESCQRadar AQL query detecting asymmetric cryptography C2 indicators from Windows Sysmon event logs. Identifies LOLBin and scripting engine processes (PowerShell, cmd, wscript, mshta, regsvr32, rundll32, etc.) making outbound non-RFC1918 TLS connections (EventID 3), as well as cryptographic tool invocations including openssl key generation, .NET RSA/ECDH API usage, and certutil certificate operations (EventID 1). Assigns a suspicion score to prioritize findings.
Data Sources
Required Tables
False Positives & Tuning
- Software deployment systems executing msiexec or msbuild over HTTPS to internal or external package repositories as part of automated patch management
- Helpdesk and IT administration tools (e.g., remote support agents, SCCM client) that use certutil to manage certificate stores during routine maintenance windows
- Penetration testing or red team exercises on systems where such activity is expected and authorized — correlate with change management records
Other platforms for T1573.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1RSA Key Pair Generation via OpenSSL Command Line
Expected signal: Sysmon Event ID 1 (Process Create): openssl.exe with CommandLine containing 'genrsa -out' and 'rsa -in ... -pubout'. Sysmon Event ID 11 (File Create): df00tech_test_priv.pem and df00tech_test_pub.pem created in %TEMP%. Security Event ID 4688 if process command line auditing is enabled via GPO.
- Test 2In-Memory RSA Encryption via PowerShell .NET API
Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'RSACryptoServiceProvider'. PowerShell ScriptBlock Log Event ID 4104 (Microsoft-Windows-PowerShell/Operational) capturing the full RSA key generation and encrypt/decrypt code in plaintext. No network connections expected — this test exercises the crypto API only.
- Test 3Outbound TLS Handshake from LOLBin Process Chain (cmd.exe -> PowerShell)
Expected signal: Sysmon Event ID 1 (Process Create): cmd.exe spawning powershell.exe — parent-child relationship captured. Sysmon Event ID 3 (Network Connection): powershell.exe connecting to 1.1.1.1:443. PowerShell ScriptBlock Log Event ID 4104 capturing the SslStream and AuthenticateAsClient code showing TLS setup. The cmd.exe → powershell.exe → external TLS connection chain is the key indicator.
- Test 4Self-Signed Certificate Generation for Adversary C2 Server
Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'New-SelfSignedCertificate' and 'RSA'. Sysmon Event ID 11 (File Create): df00tech_c2cert.pfx in %TEMP%. Sysmon Event ID 12/13 (Registry Create/Set): certificate installation to Cert:\CurrentUser\My store captured as registry operations under HKCU\Software\Microsoft\SystemCertificates. PowerShell ScriptBlock Log Event ID 4104 with full certificate generation and export code.
References (14)
- https://attack.mitre.org/techniques/T1573/002/
- http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840
- https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/
- https://github.com/salesforce/ja3
- https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
- https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/
- https://securelist.com/apt10-sophisticated-multi-layered-loader-rosneft/101524/
- https://www.blackberry.com/us/en/solutions/endpoint-security/cylanceprotect/research/2020/costaricto
- https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsacryptoserviceprovider
- https://learn.microsoft.com/en-us/dotnet/api/system.net.security.sslstream
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573.002/T1573.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection
Unlock Pro Content
Get the full detection package for T1573.002 including response playbook, investigation guide, and atomic red team tests.