T1573.002 Sumo Logic CSE · Sumo

Detect Asymmetric Cryptography in Sumo Logic CSE

Adversaries may employ asymmetric encryption algorithms such as RSA, ECDH, or Diffie-Hellman to conceal command and control (C2) traffic. Asymmetric cryptography uses a keypair: a public key for encryption and a private key for decryption, ensuring only the intended recipient can read the data. In practice, most C2 frameworks (Cobalt Strike, Sliver, Havoc, AsyncRAT, Metasploit) use TLS for all communications, leveraging asymmetric cryptography for key exchange before switching to symmetric encryption for the bulk session data. Real-world malware families using this technique include SombRAT (SSL-encrypted C2), LunarWeb (RSA-4096 encrypted commands), SodaMaster (hardcoded RSA key for C2 traffic), ComRAT (RSA+AES for Gmail C2 channel), and Cyclops Blink (OpenSSL RSA public key encrypting per-message keys under TLS). Detection must focus on behavioral indicators: LOLBin processes initiating TLS connections, self-signed or anomalous certificate attributes, TLS on non-standard ports, regular beaconing intervals from non-browser processes, and use of cryptographic tools (openssl, certutil, .NET RSA APIs) in unexpected contexts.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1573 Encrypted Channel
Sub-technique
T1573.002 Asymmetric Cryptography
Canonical reference
https://attack.mitre.org/techniques/T1573/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// Approach 1: LOLBin processes making outbound TLS/non-RFC1918 connections (Sysmon EventID 3)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
// Anchor-parse the EventID and EventData elements. The anchor form is used because
// "parse xml" expects an XPath expression, not a wildcard pattern.
| parse "<EventID>*</EventID>" as EventID nodrop
| parse "<EventData>*</EventData>" as EventData nodrop
| where EventID = "3"
| parse field=EventData "<Data Name='Image'>*</Data>" as ProcessImage nodrop
| parse field=EventData "<Data Name='DestinationIp'>*</Data>" as DestinationIp nodrop
| parse field=EventData "<Data Name='DestinationPort'>*</Data>" as DestinationPort nodrop
| parse field=EventData "<Data Name='User'>*</Data>" as UserName nodrop
| parse field=EventData "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=EventData "<Data Name='ParentImage'>*</Data>" as ParentImage nodrop
| where (
    ProcessImage matches "*\\cmd.exe" OR ProcessImage matches "*\\powershell.exe" OR
    ProcessImage matches "*\\pwsh.exe" OR ProcessImage matches "*\\wscript.exe" OR
    ProcessImage matches "*\\cscript.exe" OR ProcessImage matches "*\\mshta.exe" OR
    ProcessImage matches "*\\regsvr32.exe" OR ProcessImage matches "*\\rundll32.exe" OR
    ProcessImage matches "*\\msbuild.exe" OR ProcessImage matches "*\\csc.exe" OR
    ProcessImage matches "*\\installutil.exe" OR ProcessImage matches "*\\regasm.exe" OR
    ProcessImage matches "*\\wmic.exe" OR ProcessImage matches "*\\bitsadmin.exe"
  )
// Exclude the full RFC1918 space (10/8, 172.16/12 = 172.16 through 172.31, 192.168/16),
// loopback and link-local. A partial 172.x list leaves internal traffic scored as external.
| where !( DestinationIp matches "10.*" OR DestinationIp matches "192.168.*" OR
           DestinationIp matches "127.*" OR DestinationIp matches "169.254.*" OR
           DestinationIp matches "172.16.*" OR DestinationIp matches "172.17.*" OR
           DestinationIp matches "172.18.*" OR DestinationIp matches "172.19.*" OR
           DestinationIp matches "172.20.*" OR DestinationIp matches "172.21.*" OR
           DestinationIp matches "172.22.*" OR DestinationIp matches "172.23.*" OR
           DestinationIp matches "172.24.*" OR DestinationIp matches "172.25.*" OR
           DestinationIp matches "172.26.*" OR DestinationIp matches "172.27.*" OR
           DestinationIp matches "172.28.*" OR DestinationIp matches "172.29.*" OR
           DestinationIp matches "172.30.*" OR DestinationIp matches "172.31.*" )
// Score: LOLBin to a TLS-style port = 1, LOLBin to any other port above 1024 = 2
| if (DestinationPort IN ("443","8443","4443","8080","8888","8081","9443","2083","2087","2096"), 1, 0) as IsTLSPort
| if (tonumber(DestinationPort) > 1024 AND IsTLSPort = 0, 1, 0) as IsHighPort
| if (IsHighPort = 1, 2, if (IsTLSPort = 1, 1, 0)) as SuspicionScore
| where SuspicionScore > 0
| fields _messageTime, _sourceHost, UserName, ProcessImage, CommandLine, ParentImage, DestinationIp, DestinationPort, IsTLSPort, IsHighPort, SuspicionScore

// Approach 2: Cryptographic tool and API invocation (Sysmon EventID 1)
// Run separately or union in a scheduled search:
// (_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
// | parse ...
// | where EventID = "1"
// | where (
//     ProcessImage matches "*\\openssl.exe"
//     OR CommandLine matches "*openssl genrsa*" OR CommandLine matches "*openssl genpkey*"
//     OR CommandLine matches "*openssl req*" OR CommandLine matches "*openssl s_client*"
//     OR CommandLine matches "*RSACryptoServiceProvider*" OR CommandLine matches "*RSACng*"
//     OR CommandLine matches "*ECDiffieHellman*" OR CommandLine matches "*New-SelfSignedCertificate*"
//     OR CommandLine matches "*Export-PfxCertificate*" OR CommandLine matches "*Import-PfxCertificate*"
//     OR (ProcessImage matches "*\\certutil.exe" AND (
//       CommandLine matches "*-exportpfx*" OR CommandLine matches "*-importpfx*" OR CommandLine matches "*-MergePFX*"
//     ))
//   )

// Aggregate first, then sort on the aggregate: count by produces _count, and
// _messageTime is no longer available once the results are aggregated.
| count by _sourceHost, UserName, ProcessImage, CommandLine, ParentImage, DestinationIp, DestinationPort, SuspicionScore
| sort by SuspicionScore desc, _count desc
Severity: high
Confidence: medium

Sumo Logic query detecting T1573.002 asymmetric cryptography C2 from Sysmon event logs. Approach 1 identifies LOLBin and scripting engine processes (PowerShell, cmd, wscript, mshta, regsvr32, rundll32, etc.) establishing outbound connections to non-RFC1918 addresses via Sysmon EventID 3, with scoring based on port type. Approach 2 (provided as comment for union) covers cryptographic tool/API invocations including openssl commands, .NET RSA/ECDH APIs, and certutil certificate operations via Sysmon EventID 1.
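To make the Approach 1 logic testable outside Sumo Logic, the following added example (not part of the page or of Sumo Logic's own tooling) reimplements the same LOLBin, destination and port scoring in Python over constructed Sysmon-style Event ID 3 records. It generalises the RFC1918 exclusion to proper network matching, which is where a string-prefix list is easiest to get wrong.

```python
import ipaddress
import xml.etree.ElementTree as ET

# LOLBin / scripting-engine images and TLS-style ports mirrored from Approach 1.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "regsvr32.exe", "rundll32.exe", "msbuild.exe", "csc.exe",
           "installutil.exe", "regasm.exe", "wmic.exe", "bitsadmin.exe"}
TLS_PORTS = {443, 8443, 4443, 8080, 8888, 8081, 9443, 2083, 2087, 2096}
# Whole RFC1918 ranges plus loopback and link-local. Matching on networks rather
# than string prefixes avoids the 172.21-172.30 gap a "172.16.*"-style list can leave.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from a Windows event XML record."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def score_event(xml_text):
    """Approach 1 scoring: 2 = LOLBin to other high port, 1 = LOLBin to TLS-style port, 0 = ignore."""
    event_id, d = parse_event(xml_text)
    if event_id != "3":                      # only Sysmon network-connection events
        return 0
    image = d.get("Image", "").rsplit("\\", 1)[-1].lower()
    ip = d.get("DestinationIp")
    if image not in LOLBINS or not ip or is_internal(ip):
        return 0
    port = int(d.get("DestinationPort", "0"))
    if port in TLS_PORTS:
        return 1
    return 2 if port > 1024 else 0

def make_event(event_id, **data):
    """Constructed Sysmon-style record (not real telemetry) used for the samples below."""
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID></System>"
            f"<EventData>{fields}</EventData></Event>")

# Constructed samples: PowerShell to a non-standard high port, and cmd.exe to an internal 172.25.x host.
SAMPLE_BEACON = make_event(3, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                           DestinationIp="203.0.113.10", DestinationPort="4444")
SAMPLE_INTERNAL = make_event(3, Image=r"C:\Windows\System32\cmd.exe",
                             DestinationIp="172.25.3.7", DestinationPort="8443")
```

`score_event(SAMPLE_BEACON)` returns 2 while `score_event(SAMPLE_INTERNAL)` returns 0, because 172.25.3.7 falls inside 172.16.0.0/12 even though no "172.25.*" prefix is listed.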

Data Sources

Sumo Logic CIP
Windows Sysmon via Sumo Logic Collector
Sumo Logic CSE (Cloud SIEM Enterprise)

Required Tables

_sourceCategory=windows/sysmon
_sourceCategory=WinEventLog/Sysmon

False Positives & Tuning

  • Enterprise certificate lifecycle management tools (DigiCert, Entrust agents) invoking certutil for automated certificate enrollment or renewal on managed workstations
  • PowerShell-based automation scripts in DevOps environments connecting to Azure or AWS API endpoints over TLS 443 from administrative workstations
  • Software build servers running msbuild.exe or csc.exe that fetch dependencies or push artifacts over HTTPS as part of legitimate CI/CD pipeline activity

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: RSA Key Pair Generation via OpenSSL Command Line

    Expected signal: Sysmon Event ID 1 (Process Create): openssl.exe with CommandLine containing 'genrsa -out' and 'rsa -in ... -pubout'. Sysmon Event ID 11 (File Create): df00tech_test_priv.pem and df00tech_test_pub.pem created in %TEMP%. Security Event ID 4688 if process command line auditing is enabled via GPO.

  2. Test 2: In-Memory RSA Encryption via PowerShell .NET API

    Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'RSACryptoServiceProvider'. PowerShell ScriptBlock Log Event ID 4104 (Microsoft-Windows-PowerShell/Operational) capturing the full RSA key generation and encrypt/decrypt code in plaintext. No network connections expected — this test exercises the crypto API only.

  3. Test 3: Outbound TLS Handshake from LOLBin Process Chain (cmd.exe -> PowerShell)

    Expected signal: Sysmon Event ID 1 (Process Create): cmd.exe spawning powershell.exe — parent-child relationship captured. Sysmon Event ID 3 (Network Connection): powershell.exe connecting to 1.1.1.1:443. PowerShell ScriptBlock Log Event ID 4104 capturing the SslStream and AuthenticateAsClient code showing TLS setup. The cmd.exe → powershell.exe → external TLS connection chain is the key indicator.

  4. Test 4: Self-Signed Certificate Generation for Adversary C2 Server

    Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'New-SelfSignedCertificate' and 'RSA'. Sysmon Event ID 11 (File Create): df00tech_c2cert.pfx in %TEMP%. Sysmon Event ID 12/13 (Registry Create/Set): certificate installation to Cert:\CurrentUser\My store captured as registry operations under HKCU\Software\Microsoft\SystemCertificates. PowerShell ScriptBlock Log Event ID 4104 with full certificate generation and export code.
