Clankerusecase
MITRE ATT&CK detection coverage

T1102.002 Bidirectional Communication

T1102.002 — Bidirectional Communication is a MITRE ATT&CK technique in the Command and Control tactic. Clankerusecase tracks 23 detection use cases covering it and 16 threat-intel articles citing it.

Command and Control
23 Use cases
16 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (23)

[WEEKLY] Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains | Internal | install · alerting | DSPDDCSCW
[WEEKLY] Script Interpreter or Package-Install Hook Egress to Free-Tier Edge SaaS Within 5 Minutes of Process Start | Internal | c2 · alerting | DSΣPDD
Potential Telegram API Request Via CommandLine | ESCU | actions · hunting | P
Windows DNS Query Request by Telegram Bot API | ESCU | actions · hunting | P
[LLM] Miasma worm GitHub commit-search C2 magic strings on command line or script | Bespoke | c2 · alerting | DSΣPDDCS
[LLM] Outbound JSON-RPC or LLM-API egress from network appliance / edge device | Bespoke | c2 · alerting | DSΣPDD
[LLM] Hades C2: GitHub commit search for campaign markers TheBeautifulSnadsOfTime / firedalazer | Bespoke | c2 · alerting | DSΣPDDCS
[LLM] Public GitHub repo creation matching Miasma 'adjective-creature-N' exfil pattern | Bespoke | actions · hunting | DSPDD
[LLM] EchoCreep Discord API beacon from non-browser process (Webworm 2025) | Bespoke | c2 · hunting | DSΣPDDCS
[LLM] GraphWorm OneDrive /createUploadSession C2 from non-Office process | Bespoke | c2 · hunting | DSΣPDDCS
[LLM] Mini Shai-Hulud C2 backchannel: python polling GitHub commit search for 'firedalazer' | Bespoke | c2 · alerting | DSPDDCS
[LLM] BirdCall RokRAT cloud-storage C2 beacon (Dropbox/pCloud) from non-browser process | Bespoke | c2 · hunting | DSPDDCS
[LLM] Mini Shai-Hulud 'OhNoWhatsGoingOnWithGitHub' dead-drop keyword in outbound URL | Bespoke | c2 · alerting | DSΣPDD
[LLM] Svix Ingest webhook exfiltration relay (src_3387PLMB2uhXOBe3Q8sHu) | Bespoke | exfiltration · alerting | DSΣPDDCS
[LLM] Non-browser process posting to Slack Web API (LaxGopher C2) | Bespoke | c2 · hunting | DSPDDCS
[LLM] Non-browser process posting to Discord API (RatGopher C2) | Bespoke | c2 · hunting | DSPDDCS
[LLM] Suspicious draft email manipulation against barrantaya.1010@outlook.com (BoxOfFriends Graph API C2) | Bespoke | c2 · hunting | DSPDDCS
[LLM] DNS/HTTP egress to CanisterWorm ICP canister C2 (tdtqy-oyaaa-aaaae-af2dq-cai) | Bespoke | c2 · alerting | DSΣPDDCS
[LLM] BeardShell C2: outbound to Icedrive cloud-storage API as non-browser process | Bespoke | c2 · alerting | DSΣPDDCS
[LLM] Covenant C2: outbound to Filen cloud-storage API as non-browser process | Bespoke | c2 · alerting | DSΣPDDCS
[LLM] G_Wagon C2 beacon: node.exe or python.exe egress to Appwrite storage buckets | Bespoke | c2 · alerting | DSΣPDDCS
[LLM] Bun/Node bursty PUT to api.github.com /contents from infected host (Sha1-Hulud exfil) | Bespoke | actions · alerting | DSPDDCS
[LLM] SnakeStealer Telegram Bot Exfiltration via api.telegram.org from Non-Telegram Process | Bespoke | c2 · alerting | DSΣPDDCS

Articles citing this technique (16)