Asymmetric Cryptography - T1573.002
(ATT&CK® Technique)
Definition
Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.
D3FEND Inferred Relationships
Asymmetric Cryptography (T1573.002) relates to the following digital artifacts:
- may-transfer: Certificate File
- creates: Outbound Internet Encrypted Traffic
- produces: Outbound Internet Encrypted Traffic

Defensive techniques related through Outbound Internet Encrypted Traffic:
- Client-server Payload Profiling: analyzes the artifact; may-detect T1573.002
- Per Host Download-Upload Ratio Analysis: analyzes the artifact; may-detect T1573.002
- Protocol Metadata Anomaly Detection: analyzes the artifact; may-detect T1573.002
- Relay Pattern Analysis: analyzes the artifact; may-detect T1573.002
- Remote Terminal Session Detection: analyzes the artifact; may-detect T1573.002
- Network Traffic Community Deviation: analyzes the artifact; may-detect T1573.002
- Network Traffic Signature Analysis: analyzes the artifact; may-detect T1573.002
- User Geolocation Logon Pattern Analysis: analyzes the artifact; may-detect T1573.002
- Network Traffic Filtering: filters the artifact; may-isolate T1573.002
- Outbound Traffic Filtering: filters the artifact; may-isolate T1573.002

Defensive techniques related through Certificate File:
- Certificate Analysis: analyzes the artifact; may-detect T1573.002
- Decoy File: spoofs the artifact; may-deceive T1573.002
- File Integrity Monitoring: analyzes the artifact; may-detect T1573.002
- File Eviction: deletes the artifact; may-evict T1573.002
- File Encryption: encrypts the artifact; may-harden T1573.002
- Local File Permissions: restricts the artifact; may-isolate T1573.002
- Content Quarantine: quarantines the artifact; may-isolate T1573.002
- Content Modification: modifies the artifact; may-isolate T1573.002
- Restore File: restores the artifact; may-restore T1573.002
- Content Filtering: filters the artifact; may-isolate T1573.002
- File Analysis: analyzes the artifact; may-detect T1573.002
- Remote File Access Mediation: isolates the artifact; may-isolate T1573.002