T1573.002 Splunk · SPL

Detect Asymmetric Cryptography in Splunk

Adversaries may employ asymmetric encryption algorithms such as RSA, ECDH, or Diffie-Hellman to conceal command and control (C2) traffic. Asymmetric cryptography uses a keypair: a public key for encryption and a private key for decryption, ensuring only the intended recipient can read the data. In practice, most C2 frameworks (Cobalt Strike, Sliver, Havoc, AsyncRAT, Metasploit) use TLS for all communications, leveraging asymmetric cryptography for key exchange before switching to symmetric encryption for the bulk session data. Real-world malware families using this technique include SombRAT (SSL-encrypted C2), LunarWeb (RSA-4096 encrypted commands), SodaMaster (hardcoded RSA key for C2 traffic), ComRAT (RSA+AES for Gmail C2 channel), and Cyclops Blink (OpenSSL RSA public key encrypting per-message keys under TLS). Detection must focus on behavioral indicators: LOLBin processes initiating TLS connections, self-signed or anomalous certificate attributes, TLS on non-standard ports, regular beaconing intervals from non-browser processes, and use of cryptographic tools (openssl, certutil, .NET RSA APIs) in unexpected contexts.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1573 Encrypted Channel
Sub-technique
T1573.002 Asymmetric Cryptography
Canonical reference
https://attack.mitre.org/techniques/T1573/002/

SPL Detection Query

Splunk (SPL)
spl 
(`index=wineventlog` sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
   OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe"
   OR Image="*\\regsvr32.exe" OR Image="*\\rundll32.exe" OR Image="*\\msbuild.exe"
   OR Image="*\\csc.exe" OR Image="*\\installutil.exe" OR Image="*\\regasm.exe"
   OR Image="*\\wmic.exe" OR Image="*\\bitsadmin.exe")
  NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
       OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*"
       OR DestinationIp="172.31.*" OR DestinationIp="192.168.*"
       OR DestinationIp="127.*" OR DestinationIp="169.254.*")
)
OR
(`index=wineventlog` sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\openssl.exe"
   OR CommandLine="*openssl genrsa*" OR CommandLine="*openssl genpkey*"
   OR CommandLine="*openssl req*" OR CommandLine="*openssl s_client*" OR CommandLine="*openssl s_server*"
   OR CommandLine="*RSACryptoServiceProvider*" OR CommandLine="*RSACng*"
   OR CommandLine="*ECDiffieHellman*" OR CommandLine="*RSAParameters*"
   OR CommandLine="*New-SelfSignedCertificate*" OR CommandLine="*makecert*"
   OR CommandLine="*Export-PfxCertificate*" OR CommandLine="*Import-PfxCertificate*"
   OR (CommandLine="*certutil*" AND (CommandLine="*-exportpfx*" OR CommandLine="*-importpfx*" OR CommandLine="*-MergePFX*"))
  )
)
| eval ProcessName=if(isnotnull(Image), mvindex(split(Image, "\\"), -1), null())
| eval EventType=case(
    EventCode="3", "TLS_Network_Connection",
    EventCode="1" AND match(CommandLine, "openssl genrsa|openssl genpkey|RSACryptoServiceProvider|RSACng|New-SelfSignedCertificate|ECDiffieHellman"), "AsymCrypto_Tool_Usage",
    EventCode="1", "Crypto_Cert_Operation",
    true(), "Other"
  )
| eval IsTLSPort=if(DestinationPort IN ("443", "8443", "4443", "8080", "8888", "8081", "9443", "2083", "2087"), 1, 0)
| eval IsHighPort=if(isnotnull(DestinationPort) AND tonumber(DestinationPort) > 1024 AND IsTLSPort=0, 1, 0)
| eval SuspicionScore=case(
    EventType="AsymCrypto_Tool_Usage" AND match(CommandLine, "openssl genrsa|openssl genpkey|RSACryptoServiceProvider|New-SelfSignedCertificate"), 2,
    EventType="TLS_Network_Connection" AND IsHighPort=1, 2,
    EventType="TLS_Network_Connection" AND IsTLSPort=1, 1,
    EventType="Crypto_Cert_Operation", 1,
    true(), 0
  )
| where SuspicionScore > 0
| table _time, host, User, ProcessName, CommandLine, ParentImage, DestinationIp, DestinationPort, EventType, IsTLSPort, IsHighPort, SuspicionScore
| sort - SuspicionScore, - _time
medium severity medium confidence

Detects asymmetric-cryptography-based C2 using two Sysmon event sources. Event ID 3 (Network Connection) catches LOLBin and scripting engine processes establishing outbound connections to external IPs — these processes should not be making encrypted network sessions in a hardened environment. Event ID 1 (Process Create) catches openssl.exe execution, .NET RSACryptoServiceProvider/RSACng API calls, ECDiffieHellman usage, and certificate generation/export operations that may indicate malware infrastructure setup. Suspicion scoring prioritizes high-port connections (score 2) and active RSA key generation (score 2) over standard TLS port connections (score 1).

Data Sources

Network Traffic: Network Connection CreationProcess: Process CreationSysmon Event ID 1Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • PowerShell automation and configuration management tools making HTTPS connections to package repositories or management APIs
  • Developer toolchains invoked from cmd.exe or scripting engines that pull packages or binaries over TLS
  • PKI administrators and certificate automation accounts using openssl.exe or New-SelfSignedCertificate for legitimate certificate operations
  • Security scanning agents that spawn processes making TLS connections to their cloud management platforms
  • certutil.exe usage in automated PKI workflows for certificate import/export operations
Download portable Sigma rule (.yml)

Other platforms for T1573.002

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1RSA Key Pair Generation via OpenSSL Command Line

    Expected signal: Sysmon Event ID 1 (Process Create): openssl.exe with CommandLine containing 'genrsa -out' and 'rsa -in ... -pubout'. Sysmon Event ID 11 (File Create): df00tech_test_priv.pem and df00tech_test_pub.pem created in %TEMP%. Security Event ID 4688 if process command line auditing is enabled via GPO.

  2. Test 2In-Memory RSA Encryption via PowerShell .NET API

    Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'RSACryptoServiceProvider'. PowerShell ScriptBlock Log Event ID 4104 (Microsoft-Windows-PowerShell/Operational) capturing the full RSA key generation and encrypt/decrypt code in plaintext. No network connections expected — this test exercises the crypto API only.

  3. Test 3Outbound TLS Handshake from LOLBin Process Chain (cmd.exe -> PowerShell)

    Expected signal: Sysmon Event ID 1 (Process Create): cmd.exe spawning powershell.exe — parent-child relationship captured. Sysmon Event ID 3 (Network Connection): powershell.exe connecting to 1.1.1.1:443. PowerShell ScriptBlock Log Event ID 4104 capturing the SslStream and AuthenticateAsClient code showing TLS setup. The cmd.exe → powershell.exe → external TLS connection chain is the key indicator.

  4. Test 4Self-Signed Certificate Generation for Adversary C2 Server

    Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'New-SelfSignedCertificate' and 'RSA'. Sysmon Event ID 11 (File Create): df00tech_c2cert.pfx in %TEMP%. Sysmon Event ID 12/13 (Registry Create/Set): certificate installation to Cert:\CurrentUser\My store captured as registry operations under HKCU\Software\Microsoft\SystemCertificates. PowerShell ScriptBlock Log Event ID 4104 with full certificate generation and export code.

Last updated: 2026-04-21 Research depth: deep
References (14)

Unlock Pro Content

Get the full detection package for T1573.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1573Encrypted Channel

Related Sub-techniques

T1573.001Symmetric Cryptography

Related Techniques

T1573.001Symmetric CryptographyT1071.001Web ProtocolsT1071Application Layer ProtocolT1572Protocol TunnelingT1090ProxyT1568.002Domain Generation AlgorithmsT1553Subvert Trust ControlsT1001Data ObfuscationT1105Ingress Tool TransferT1027Obfuscated Files or Information

Same Tactic: Command and Control

Popular Detections