T1573.002: T1573.002

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/03/2020 16:48 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1573.002
Confidence: 100/100
Revoked: No
Published: 16/03/2020 16:48
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Asymmetric Cryptography

Platforms

windows macos linux Network Devices ESXi

Description

Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal. For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

SEI SSL Inspection Risks
SANS Decrypting SSL
mitre-attack (T1573.002)
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (51)

Tropic Trooper uses Pirate PandaKeyBoy

The MITRE Corporation Confidence 100

[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BladedFeline uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SmartApeSG uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Estries uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Qbot uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TaxOff uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TeamPCP uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ghostwriter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RedCurl uses

The MITRE Corporation Confidence 100

[RedCurl](https://attack.mitre.org/groups/G1039) is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Corlys uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN8 uses Syssphinx

The MITRE Corporation Confidence 100

[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology,…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 51

BOLDMOVE uses
BellaCiao uses

Family
GrimPlant uses

Family
Banshee uses

Family
Tsunami uses

Family
TinyTurla-NG uses
Penquin uses
Sliver uses

Family
Caminho Loader uses

Family
SodaMaster uses
REPTILE uses

Family
GolangGhost uses

Family

← Previous

Page / 7

1–12 of 77

CVE-2026-39987 update: How attackers weaponized marimo to deploy … related

2 CVEs 21 MITREs 2 Malwares 12 Observables
A new Mac stealer targeting $10K+ crypto wallets related

AlienVault Confidence 100 20 MITREs 5 Malwares 15 IOCs 15 Observables 1 APT
GlassWorm attack installs fake browser extension for surveillance related

18 MITREs 1 Malware 1 Observable 1 APT
How to uncover a Horabot campaign and detect … related

19 MITREs 5 Malwares 22 Observables 1 APT
Investigating a new Click-fix variant related

13 MITREs 1 Malware 6 Observables
PlugX Meeting Invitation via MSBuild and GDATA related

9 MITREs 2 Malwares 8 Observables
Abusing Windows File Explorer and WebDAV for Malware … related

8 MITREs 3 Malwares 4 Observables
Danger Bulletin: Cyberattacks Against Ukraine and EU Countries … related

1 CVE 12 MITREs 1 Malware 34 Observables 1 APT
Campaign uses ClickFix page to push NetSupport RAT related

7 MITREs 1 Malware 3 Observables 1 APT
Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor related

12 MITREs 1 APT
New Loader Executing TorNet and PureHVNC related

4 MITREs 2 Malwares
IIS servers owned by RudePanda like it's 2003 related

16 MITREs 3 Malwares 36 Observables 1 APT

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (27)

CVE-2023-23376

targets

CVE-2015-1548 targets

5.0 Medium

mini_httpd 1.21 and earlier allows remote attackers to obtain sensitive information from process memory via an HTTP request with a long protocol …

Published: 10/02/2015
Modified: 07/05/2026

CWE-119

CVE-2026-21509 KEV targets

7.8 High

Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could …

Attack vector: LOCAL
Published: 26/01/2026
Modified: 27/03/2026

Analyzed

CVE-2019-16098 targets

7.8 High

The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, …

Attack vector: LOCAL
Published: 11/09/2019
Modified: 20/12/2025

CVE-2023-48788 KEV targets

9.8 Critical

Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.

Attack vector: Network
Published: 25/03/2024
Modified: 21/12/2025

CVE-2026-39987 KEV targets

9.3 Critical

marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication …

Attack vector: Network
Complexity: Low
Published: 09/04/2026
Modified: 29/04/2026

CWE-306 Received

CVE-2024-30051 targets

7.8 High

Windows DWM Core Library Elevation of Privilege Vulnerability

Published: 14/05/2024
Modified: 14/05/2024

Awaiting Analysis

CVE-2019-0859 KEV targets

Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2022-3236 KEV targets

9.8 Critical

A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.

Attack vector: Network
Published: 23/09/2022
Modified: 27/05/2026

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2025-12480 KEV targets

9.1 Critical

Triofox versions prior to 16.7.10368.56560, are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after …

Attack vector: Network
Published: 12/11/2025
Modified: 21/12/2025

Analyzed

CVE-2025-3248 targets

9.8 Critical

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted …

Published: 07/04/2025
Modified: 07/04/2025

Received

← Previous

Page / 3

1–12 of 27

T1573 subtechnique-of

Encrypted Channel MITRE

Tool (2)

Sliver uses

The MITRE Corporation Confidence 100

[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control (C2) framework written in Golang. [Sliver](https://attack.mitre.org/software/S0633) includes its own package manager, "armory," for staging and downloading additional…
Remcos uses

The MITRE Corporation Confidence 100

[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in…

Course Of Action (1)

SSL/TLS Inspection mitigates

Campaign (1)

C0021 uses

Contact About Legal notice Privacy policy Terms of use