T1041 Exfiltration Over C2 Channel Mappings

Often used by adversaries to compromise sensitive data, Palo Alto Network's spyware signatures is able to detect data exfiltration attempts and anomalies over known command and control communications. Although there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.

Chronicle is able to trigger an alert based off suspicious system processes or command-line arguments that could indicate exfiltration of data over the C2 channel. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/possible_data_exfiltration_via_smtp.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/data_exfiltration_attempt_via_bitsadmin.yaral

Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance.