title: Asymmetric Cryptography (T1573.002)
id: df00tech-t1573-002
status: experimental
description: "Adversaries may employ asymmetric encryption algorithms such as RSA, ECDH, or Diffie-Hellman to conceal command and control (C2) traffic. Asymmetric cryptography uses a keypair: a public key for encryption and a private key for decryption, ensuring only the intended recipient can read the data. In practice, most C2 frameworks (Cobalt Strike, Sliver, Havoc, AsyncRAT, Metasploit) use TLS for all communications, leveraging asymmetric cryptography for key exchange before switching to symmetric encryption for the bulk session data. Real-world malware families using this technique include SombRAT (SSL-encrypted C2), LunarWeb (RSA-4096 encrypted commands), SodaMaster (hardcoded RSA key for C2 traffic), ComRAT (RSA+AES for Gmail C2 channel), and Cyclops Blink (OpenSSL RSA public key encrypting per-message keys under TLS). Detection must focus on behavioral indicators: LOLBin processes initiating TLS connections, self-signed or anomalous certificate attributes, TLS on non-standard ports, regular beaconing intervals from non-browser processes, and use of cryptographic tools (openssl, certutil, .NET RSA APIs) in unexpected contexts."
references:
  - https://attack.mitre.org/techniques/T1573/002/
  - https://df00tech.com/detections/T1573.002
author: df00tech
date: 2026/04/21
tags:
  - attack.t1573.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate PowerShell automation scripts (SCCM, Intune, Ansible WinRM) making HTTPS connections for patch management, configuration management, or telemetry reporting"
  - "Developer toolchains (npm, pip, cargo, dotnet restore) invoked from cmd.exe or PowerShell to fetch packages over TLS from public registries"
  - "PKI administrators or certificate automation scripts using openssl.exe, certutil.exe, or New-SelfSignedCertificate for legitimate certificate lifecycle management"
  - "Security scanning agents (Qualys, Tenable, Rapid7) and EDR components that spawn scripting processes making TLS connections to their management infrastructure"
  - "IT remote management tools (ConfigMgr, Puppet, Chef) executing PowerShell or cmd.exe with outbound HTTPS connections to management servers"
level: medium