Esc
Asymmetric Cryptography - T1573.002
(ATT&CK® Technique)
Definition
Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1573002["Asymmetric Cryptography"] --> |may-transfer| CertificateFile["Certificate File"]; class T1573002 OffensiveTechniqueNode;
class CertificateFile ArtifactNode; click CertificateFile href "/dao/artifact/d3f:CertificateFile";
click T1573002 href "/offensive-technique/attack/T1573.002/"; click CertificateFile href "/dao/artifact/d3f:CertificateFile"; T1573002["Asymmetric Cryptography"] --> |creates| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"]; class T1573002 OffensiveTechniqueNode;
class OutboundInternetEncryptedTraffic ArtifactNode; click OutboundInternetEncryptedTraffic href "/dao/artifact/d3f:OutboundInternetEncryptedTraffic";
click T1573002 href "/offensive-technique/attack/T1573.002/"; click OutboundInternetEncryptedTraffic href "/dao/artifact/d3f:OutboundInternetEncryptedTraffic"; T1573002["Asymmetric Cryptography"] --> |produces| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"]; class T1573002 OffensiveTechniqueNode;
class OutboundInternetEncryptedTraffic ArtifactNode; click OutboundInternetEncryptedTraffic href "/dao/artifact/d3f:OutboundInternetEncryptedTraffic";
click T1573002 href "/offensive-technique/attack/T1573.002/"; click OutboundInternetEncryptedTraffic href "/dao/artifact/d3f:OutboundInternetEncryptedTraffic"; DecoyFile["Decoy File"] -->
| spoofs | CertificateFile["Certificate File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1573002["Asymmetric Cryptography"] ;
class DecoyFile DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; RelayPatternAnalysis["Relay Pattern Analysis"] -->
| analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
RelayPatternAnalysis["Relay Pattern Analysis"] -.->
| may-detect | T1573002["Asymmetric Cryptography"] ;
class RelayPatternAnalysis DefensiveTechniqueNode;
class OutboundInternetEncryptedTraffic ArtifactNode;
click RelayPatternAnalysis href "/technique/d3f:RelayPatternAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1573002["Asymmetric Cryptography"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class OutboundInternetEncryptedTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1573002["Asymmetric Cryptography"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class OutboundInternetEncryptedTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1573002["Asymmetric Cryptography"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class OutboundInternetEncryptedTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; CertificateAnalysis["Certificate Analysis"] -->
| analyzes | CertificateFile["Certificate File"];
CertificateAnalysis["Certificate Analysis"] -.->
| may-detect | T1573002["Asymmetric Cryptography"] ;
class CertificateAnalysis DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click CertificateAnalysis href "/technique/d3f:CertificateAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1573002["Asymmetric Cryptography"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class OutboundInternetEncryptedTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1573002["Asymmetric Cryptography"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class OutboundInternetEncryptedTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1573002["Asymmetric Cryptography"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class OutboundInternetEncryptedTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1573002["Asymmetric Cryptography"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class OutboundInternetEncryptedTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | CertificateFile["Certificate File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1573002["Asymmetric Cryptography"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEncryption["File Encryption"] -->
| encrypts | CertificateFile["Certificate File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1573002["Asymmetric Cryptography"] ;
class FileEncryption DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEviction["File Eviction"] -->
| deletes | CertificateFile["Certificate File"];
FileEviction["File Eviction"] -.->
| may-evict | T1573002["Asymmetric Cryptography"] ;
class FileEviction DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; LocalFilePermissions["Local File Permissions"] -->
| restricts | CertificateFile["Certificate File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1573002["Asymmetric Cryptography"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1573002["Asymmetric Cryptography"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class OutboundInternetEncryptedTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; FileAnalysis["File Analysis"] -->
| analyzes | CertificateFile["Certificate File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1573002["Asymmetric Cryptography"] ;
class FileAnalysis DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; RestoreFile["Restore File"] -->
| restores | CertificateFile["Certificate File"];
RestoreFile["Restore File"] -.->
| may-restore | T1573002["Asymmetric Cryptography"] ;
class RestoreFile DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; OutboundTrafficFiltering["Outbound Traffic Filtering"] -->
| filters | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
OutboundTrafficFiltering["Outbound Traffic Filtering"] -.->
| may-isolate | T1573002["Asymmetric Cryptography"] ;
class OutboundTrafficFiltering DefensiveTechniqueNode;
class OutboundInternetEncryptedTraffic ArtifactNode;
click OutboundTrafficFiltering href "/technique/d3f:OutboundTrafficFiltering"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | CertificateFile["Certificate File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1573002["Asymmetric Cryptography"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";