T1102.002: T1102.002
Essential information
- MITRE technique ID
T1102.002- Confidence
- 100/100
- Revoked
- No
- Published
- 14/03/2020 23:34
- Modified
- 27/03/2026 01:11
- Author / Source
- The MITRE Corporation
Aliases
Bidirectional Communication
Platforms
windows macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | command-and-control |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (59)
-
The MITRE Corporation Confidence 100
[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Astaroth relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Bloody Wolf relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CL-STA-1009 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CL-STA-1020 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CL-UNK-1037 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CNC relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Carbanak](https://attack.mitre.org/groups/G0008) is a cybercriminal group that has used [Carbanak](https://attack.mitre.org/software/S0030) malware to target financial institutions since at least 2013. [Carbanak](https://attack.mitre.org/groups/G0008) may be linked to groups tracked separately as [Cobalt…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Cavalry Werewolf relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ClawHavoc relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Coquettte relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Core Werewolf relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (81)
-
STATICPLUGIN usesThe MITRE Corporation Confidence 100
[STATICPLUGIN](https://attack.mitre.org/software/S1238) is a downloader known to be leveraged by [Mustang Panda](https://attack.mitre.org/groups/G0129) and was first observed utilized in 2025. [STATICPLUGIN](https://attack.mitre.org/software/S1238) has utilized a valid certificate in order to bypass…
First seen 01/01/1970 · Last seen 16/11/5138 · -
EAGLEDOOR usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PylangGhost usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TelegramRAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
WebSocket skimmer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Metamorfo - S0455 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AdaptixC2 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
aliyun_updater64.exe usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BackDoor.Tunnel.41 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
POISONPLUG.SHADOW usesThe MITRE Corporation Confidence 100
[ShadowPad](https://attack.mitre.org/software/S0596) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be…
First seen 01/01/1970 · Last seen 16/11/5138 · -
GammaWorm usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
tericerit.exe usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
AlienVault Confidence 100 19 MITREs 2 Malwares 1 IOC 1 Observable 1 APT
-
AlienVault Confidence 100 20 MITREs 2 Malwares 11 IOCs 7 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 3 Malwares 4 IOCs 1 APT
-
20 MITREs 19 Observables
-
AlienVault Confidence 100 19 MITREs 11 Malwares 7 IOCs 7 Observables 1 APT
-
19 MITREs 3 Malwares 32 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 1 Malware 7 IOCs 7 Observables
-
2 CVEs 19 MITREs 6 Malwares 4 Observables 1 APT
-
30 MITREs 1 Malware 3 Observables
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
17 MITREs 1 Observable 1 APT
-
AlienVault Confidence 100 16 MITREs 1 Malware 10 IOCs 10 Observables 1 APT
Vulnerabilities (CVE) (44)
Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …
- Published
- 03/11/2021
- Modified
- 20/12/2025
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the …
- Attack vector
- NETWORK
- Published
- 11/12/2025
- Modified
- 21/12/2025
The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.
- Published
- 27/06/2022
- Modified
- 20/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 21/12/2025
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to …
- Attack vector
- Network
- Published
- 18/11/2024
- Modified
- 21/12/2025
Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.
- Attack vector
- Local
- Complexity
- Low
- Published
- 15/11/2017
- Modified
- 29/05/2026
Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …
- Attack vector
- Network
- Published
- 12/04/2024
- Modified
- 21/12/2025
Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …
- Attack vector
- Network
- Published
- 22/07/2025
- Modified
- 21/12/2025