T1573.002: T1573.002

Search IOCs, vulnerabilities, APT…

216.73.217.98

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/03/2020 16:48 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1573.002
Confidence: 100/100
Revoked: No
Published: 16/03/2020 16:48
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Asymmetric Cryptography

Platforms

windows macos linux Network Devices ESXi

Description

Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal. For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

SEI SSL Inspection Risks
SANS Decrypting SSL
mitre-attack (T1573.002)
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (51)

LegionLoader related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Magic Hound related COBALT ILLUSIONITG18

The MITRE Corporation Confidence 100

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Medusa Group related

The MITRE Corporation Confidence 100

[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MimiStick related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater related Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
PXA Stealer group related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RedEcho related

The MITRE Corporation Confidence 100

[RedEcho](https://attack.mitre.org/groups/G1042) is a People’s Republic of China-related threat actor associated with long-running intrusions in Indian critical infrastructure entities. [RedEcho](https://attack.mitre.org/groups/G1042) overlaps with various other PRC-linked threat groups, such as…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RudePanda related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sandworm related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SolarMarker related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA2541 related

The MITRE Corporation Confidence 100

[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA577 related

The MITRE Corporation Confidence 100

[TA577](https://attack.mitre.org/groups/G1037) is an initial access broker (IAB) that has distributed [QakBot](https://attack.mitre.org/software/S0650) and [Pikabot](https://attack.mitre.org/software/S1145), and was among the first observed groups distributing [Latrodectus](https://attack.mitre.org/software/S1160) in 2023.(Citation: Latrodectus APR 2024)

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

37–48 of 51

BOLDMOVE uses
BellaCiao uses

Family
GrimPlant uses

Family
Banshee uses

Family
Tsunami uses

Family
TinyTurla-NG uses
Penquin uses
Sliver uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Caminho Loader uses

Family
SodaMaster uses

Family The MITRE Corporation Confidence 100

[SodaMaster](https://attack.mitre.org/software/S0627) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)

First seen 01/01/1970 · Last seen 16/11/5138 ·
REPTILE uses

Family The MITRE Corporation Confidence 100

[REPTILE](https://attack.mitre.org/software/S1219) is an open-source Linux rootkit with multiple components that provides backdoor access and functionality.(Citation: Google Cloud Mandiant UNC3886 2024)

First seen 01/01/1970 · Last seen 16/11/5138 ·
GolangGhost uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 77

A Djinn in the Machine: TaskWeaver's Node.js Intrusion … related

AlienVault Confidence 100 1 CVE 19 MITREs 2 Malwares 4 IOCs 2 Observables
Targets Education Sector with Oracle PeopleSoft Exploit related

AlienVault Confidence 100 1 CVE 20 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
Targeted espionage against Cambodian government entities related

AlienVault Confidence 100 18 MITREs 3 Malwares 8 IOCs 8 Observables 1 APT
Technical Analysis of MLTBackdoor related

AlienVault Confidence 100 19 MITREs 1 Malware 34 IOCs 34 Observables
VerdantBamboo: Just Another BRICKSTORM in the Firewall related

19 MITREs 3 Malwares 32 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Latest PyPi Compromise related

AlienVault Confidence 100 20 MITREs 3 Malwares 9 IOCs 9 Observables 1 APT
TanStack npm Packages Compromised in Ongoing Supply-Chain Attack related

AlienVault Confidence 100 18 MITREs 3 Malwares 4 IOCs 4 Observables 1 APT
Analysis of Attack Activities Using SSH+TOR Tunnels to … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
Attack Activity Analysis Using SSH+TOR Tunnels for Covert … related

19 MITREs 10 Observables 1 APT
Unmasking DPRK Cyber Threat Actors: Fake IT Worker … related

AlienVault Confidence 100 16 MITREs 3 IOCs 3 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (27)

CVE-2021-26858 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2026-35273 KEV targets

9.8 Critical

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and …

Attack vector: NETWORK
Complexity: LOW
Published: 11/06/2026
Modified: 12/06/2026

CWE-306 Analyzed

CVE-2025-3935 KEV targets

8.1 High

ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve …

Attack vector: Network
Published: 02/06/2025
Modified: 21/12/2025

Received

CVE-2017-5638 KEV targets

9.8 Critical

Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 11/03/2017
Modified: 22/04/2026

CWE-755

CVE-2025-61882 KEV targets

9.8 Critical

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. …

Attack vector: Network
Published: 06/10/2025
Modified: 21/12/2025

Modified

CVE-2010-4398

targets

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2025-7775 KEV targets

9.2 Critical

Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured …

Attack vector: Network
Published: 26/08/2025
Modified: 27/05/2026

Analyzed

CVE-2019-0797 KEV targets

Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2021-27065 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-26855 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-26857 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

← Previous

Page / 3

13–24 of 27

T1573 subtechnique-of

Encrypted Channel MITRE

Tool (2)

Sliver uses

The MITRE Corporation Confidence 100

[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control (C2) framework written in Golang. [Sliver](https://attack.mitre.org/software/S0633) includes its own package manager, "armory," for staging and downloading additional…
Remcos uses

The MITRE Corporation Confidence 100

[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in…

Course Of Action (1)

SSL/TLS Inspection mitigates

Campaign (1)

C0021 uses

Contact About Legal notice Privacy policy Terms of use