Detect Asymmetric Cryptography in Microsoft Sentinel
Adversaries may employ asymmetric encryption algorithms such as RSA, ECDH, or Diffie-Hellman to conceal command and control (C2) traffic. Asymmetric cryptography uses a keypair: a public key for encryption and a private key for decryption, ensuring only the intended recipient can read the data. In practice, most C2 frameworks (Cobalt Strike, Sliver, Havoc, AsyncRAT, Metasploit) use TLS for all communications, leveraging asymmetric cryptography for key exchange before switching to symmetric encryption for the bulk session data. Real-world malware families using this technique include SombRAT (SSL-encrypted C2), LunarWeb (RSA-4096 encrypted commands), SodaMaster (hardcoded RSA key for C2 traffic), ComRAT (RSA+AES for Gmail C2 channel), and Cyclops Blink (OpenSSL RSA public key encrypting per-message keys under TLS). Detection must focus on behavioral indicators: LOLBin processes initiating TLS connections, self-signed or anomalous certificate attributes, TLS on non-standard ports, regular beaconing intervals from non-browser processes, and use of cryptographic tools (openssl, certutil, .NET RSA APIs) in unexpected contexts.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1573 Encrypted Channel
- Sub-technique
- T1573.002 Asymmetric Cryptography
- Canonical reference
- https://attack.mitre.org/techniques/T1573/002/
KQL Detection Query
// T1573.002 — Asymmetric Cryptography C2 Detection
// Approach 1: LOLBin / scripting engine processes making outbound TLS/encrypted connections
let SuspiciousInitiators = dynamic([
"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "regsvr32.exe", "rundll32.exe", "msbuild.exe", "csc.exe",
"installutil.exe", "regasm.exe", "wmic.exe", "bitsadmin.exe", "certutil.exe"
]);
let KnownTLSPorts = dynamic([443, 8443, 4443, 8080, 8888, 8081, 9443, 2083, 2087, 2096]);
let SuspiciousNetworkC2 = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where InitiatingProcessFileName in~ (SuspiciousInitiators)
| extend IsTLSPort = RemotePort in (KnownTLSPorts)
| extend IsHighNonStandardPort = RemotePort > 1024 and RemotePort !in (KnownTLSPorts)
| project Timestamp, DeviceName, AccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
RemoteIP, RemotePort, RemoteUrl,
IsTLSPort, IsHighNonStandardPort,
DetectionSource = "NetworkC2";
// Approach 2: Cryptographic tool and API usage — key generation, certificate operations
let CryptoToolUsage = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "openssl.exe"
or ProcessCommandLine has_any (
"openssl genrsa", "openssl genpkey", "openssl req", "openssl s_client", "openssl s_server",
"RSACryptoServiceProvider", "RSACng", "RSAParameters", "ECDiffieHellman",
"New-SelfSignedCertificate", "makecert",
"Export-PfxCertificate", "Import-PfxCertificate"
)
or (FileName =~ "certutil.exe" and ProcessCommandLine has_any ("-exportpfx", "-importpfx", "-MergePFX"))
| project Timestamp, DeviceName, AccountName,
FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionSource = "CryptoTool";
// Union both detections
SuspiciousNetworkC2
| union (CryptoToolUsage | extend RemoteIP="", RemotePort=0, RemoteUrl="", IsTLSPort=false, IsHighNonStandardPort=false)
| sort by Timestamp descDetects potential asymmetric-cryptography-based C2 through two complementary approaches: (1) LOLBin and scripting engine processes (cmd.exe, PowerShell, mshta.exe, rundll32.exe, etc.) making outbound connections to public IPs on TLS ports or high non-standard ports — these processes should not be initiating encrypted network sessions in a hardened environment; and (2) execution of asymmetric cryptographic tools and .NET API calls (openssl genrsa, RSACryptoServiceProvider, New-SelfSignedCertificate) that indicate key pair generation or certificate operations supporting malware C2 infrastructure. Uses DeviceNetworkEvents and DeviceProcessEvents from Microsoft Defender for Endpoint.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate PowerShell automation scripts (SCCM, Intune, Ansible WinRM) making HTTPS connections for patch management, configuration management, or telemetry reporting
- Developer toolchains (npm, pip, cargo, dotnet restore) invoked from cmd.exe or PowerShell to fetch packages over TLS from public registries
- PKI administrators or certificate automation scripts using openssl.exe, certutil.exe, or New-SelfSignedCertificate for legitimate certificate lifecycle management
- Security scanning agents (Qualys, Tenable, Rapid7) and EDR components that spawn scripting processes making TLS connections to their management infrastructure
- IT remote management tools (ConfigMgr, Puppet, Chef) executing PowerShell or cmd.exe with outbound HTTPS connections to management servers
Other platforms for T1573.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1RSA Key Pair Generation via OpenSSL Command Line
Expected signal: Sysmon Event ID 1 (Process Create): openssl.exe with CommandLine containing 'genrsa -out' and 'rsa -in ... -pubout'. Sysmon Event ID 11 (File Create): df00tech_test_priv.pem and df00tech_test_pub.pem created in %TEMP%. Security Event ID 4688 if process command line auditing is enabled via GPO.
- Test 2In-Memory RSA Encryption via PowerShell .NET API
Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'RSACryptoServiceProvider'. PowerShell ScriptBlock Log Event ID 4104 (Microsoft-Windows-PowerShell/Operational) capturing the full RSA key generation and encrypt/decrypt code in plaintext. No network connections expected — this test exercises the crypto API only.
- Test 3Outbound TLS Handshake from LOLBin Process Chain (cmd.exe -> PowerShell)
Expected signal: Sysmon Event ID 1 (Process Create): cmd.exe spawning powershell.exe — parent-child relationship captured. Sysmon Event ID 3 (Network Connection): powershell.exe connecting to 1.1.1.1:443. PowerShell ScriptBlock Log Event ID 4104 capturing the SslStream and AuthenticateAsClient code showing TLS setup. The cmd.exe → powershell.exe → external TLS connection chain is the key indicator.
- Test 4Self-Signed Certificate Generation for Adversary C2 Server
Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'New-SelfSignedCertificate' and 'RSA'. Sysmon Event ID 11 (File Create): df00tech_c2cert.pfx in %TEMP%. Sysmon Event ID 12/13 (Registry Create/Set): certificate installation to Cert:\CurrentUser\My store captured as registry operations under HKCU\Software\Microsoft\SystemCertificates. PowerShell ScriptBlock Log Event ID 4104 with full certificate generation and export code.
References (14)
- https://attack.mitre.org/techniques/T1573/002/
- http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840
- https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/
- https://github.com/salesforce/ja3
- https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
- https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/
- https://securelist.com/apt10-sophisticated-multi-layered-loader-rosneft/101524/
- https://www.blackberry.com/us/en/solutions/endpoint-security/cylanceprotect/research/2020/costaricto
- https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsacryptoserviceprovider
- https://learn.microsoft.com/en-us/dotnet/api/system.net.security.sslstream
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573.002/T1573.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection
Unlock Pro Content
Get the full detection package for T1573.002 including response playbook, investigation guide, and atomic red team tests.