T1102.002: T1102.002

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 14/03/2020 23:34 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1102.002
Confidence: 100/100
Revoked: No
Published: 14/03/2020 23:34
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Bidirectional Communication

Platforms

windows macos linux ESXi

Description

Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

mitre-attack (T1102.002)
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (59)

Gamaredon Group related IRON TILDENPrimitive Bear

The MITRE Corporation Confidence 100

[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ghostwriter related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gootloader related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HEXANE related LyceumSiamesekitten

The MITRE Corporation Confidence 100

[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Harvester related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Inception Framework related Cloud AtlasInception

The MITRE Corporation Confidence 100

[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Key Group related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Koske related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lampion related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LapDogs related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Latrodectus related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

49–59 of 59

CobaltStrike uses

Family
RIFLESPINE uses

Family
filecoauthx86.exe uses

Family
Voldemort uses

Family
CryptoAITools uses

Family
XenoRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GolangGhost uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ToolShell uses

Family
Lumma uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Downloader1 uses

Family
PacketLab uses

Family
ComRAT uses

Family The MITRE Corporation Confidence 100

[ComRAT](https://attack.mitre.org/software/S0126) is a second stage implant suspected of being a descendant of [Agent.btz](https://attack.mitre.org/software/S0092) and used by [Turla](https://attack.mitre.org/groups/G0010). The first version of [ComRAT](https://attack.mitre.org/software/S0126) was identified in 2007, but the…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

25–36 of 81

KimJongRAT Continues to Evolve by Leveraging LOTS related

AlienVault Confidence 100 20 MITREs 2 Malwares 11 IOCs 7 Observables 1 APT
macOS.Gaslight | Rust Backdoor Turns Prompt Injection on … related

AlienVault Confidence 100 19 MITREs 3 Malwares 4 IOCs 1 APT
PHISH ALERT: Press Play for Compromise — Voicemail … related

20 MITREs 19 Observables
Agentic AI Uncovers New China-Linked Cluster OP-512 related

AlienVault Confidence 100 19 MITREs 11 Malwares 7 IOCs 7 Observables 1 APT
VerdantBamboo: Just Another BRICKSTORM in the Firewall related

19 MITREs 3 Malwares 32 Observables 1 APT
From Token Bingo to MAX Takeover: Kali365 Operator … related

AlienVault Confidence 100 20 MITREs 1 Malware 7 IOCs 7 Observables
FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps … related

2 CVEs 19 MITREs 6 Malwares 4 Observables 1 APT
Nimbus RAT: How Threat Actors Are Abusing Microsoft … related

30 MITREs 1 Malware 3 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
The Worm That Keeps on Digging: Latest Wave related

17 MITREs 1 Observable 1 APT
OceanLotus suspected of distributing ZiChatBot malware via wheel … related

AlienVault Confidence 100 16 MITREs 1 Malware 10 IOCs 10 Observables 1 APT
Harvester: APT Group Expands Toolset With New GoGra … related

AlienVault Confidence 100 15 MITREs 2 Malwares 5 IOCs 5 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (44)

CVE-2025-20337 KEV targets

10.0 Critical

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code …

Attack vector: Network
Published: 28/07/2025
Modified: 21/12/2025

Analyzed

CVE-2025-27920 KEV targets

7.2 High

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, …

Attack vector: Network
Published: 19/05/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-67779 targets

7.5 High

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service …

Attack vector: NETWORK
Published: 12/12/2025
Modified: 21/12/2025

Modified

CVE-2021-41773 KEV targets

9.8 Critical

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …

Attack vector: Network
Published: 03/11/2021
Modified: 18/02/2026

CVE-2025-66478 targets

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published: 20/12/2025
Modified: 21/12/2025

Rejected

CVE-2025-59287 KEV targets

9.8 Critical

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 24/10/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2023-34960 targets

9.8 Critical

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a …

Attack vector: NETWORK
Published: 01/08/2023
Modified: 21/12/2025

CVE-2024-42009 KEV targets

9.3 Critical

RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim …

Attack vector: Network
Published: 09/06/2025
Modified: 21/12/2025

Received

CVE-2023-20118 KEV targets

6.5 Medium

Multiple Cisco Small Business RV Series Routers contains a command injection vulnerability in the web-based management interface. Successful exploitation could allow an …

Attack vector: Network
Published: 03/03/2025
Modified: 21/12/2025

CVE-2015-1548 targets

5.0 Medium

mini_httpd 1.21 and earlier allows remote attackers to obtain sensitive information from process memory via an HTTP request with a long protocol …

Published: 10/02/2015
Modified: 07/05/2026

CWE-119

CVE-2025-55183 targets

5.3 Medium

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including …

Attack vector: NETWORK
Published: 11/12/2025
Modified: 21/12/2025

Analyzed

← Previous

Page / 4

1–12 of 44

T1102 subtechnique-of

Web Service MITRE

Contact About Legal notice Privacy policy Terms of use