T1041 Exfiltration Over C2 Channel Mappings

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.


Intel vPro Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1041 | Exfiltration Over C2 Channel |

Comments:
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of exfiltration over Command and Control (C2) channels. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.

Exfiltration over C2 involves adversaries using a Command and Control (C2) infrastructure to stealthily send sensitive data from compromised systems to an external server. This type of data exfiltration is often encrypted or obfuscated to avoid detection, and it may occur through various C2 protocols such as HTTP, DNS, or custom protocols. Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling rapid detection of abnormal behaviors that could indicate data being siphoned through C2 channels. Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, ensuring faster and more efficient detection of malicious activity without degrading system performance. CAMS helps identify suspicious behaviors such as unauthorized data transfers, unusual network connections, or attempts to evade security controls during data exfiltration via C2 channels, providing proactive defense against these covert data theft techniques.

Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability | primary_impact | T1041 | Exfiltration Over C2 Channel |
Comments:
CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint that allowed remote attackers to install malware, typically webshells, on vulnerable hosts.

CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability | primary_impact | T1041 | Exfiltration Over C2 Channel |
Comments:
CVE-2019-18935 is an insecure deserialization vulnerability in Telerik UI, which does not properly sanitize serialized data supplied by the user. This vulnerability leaves the application open to RCE attacks that may lead to a full system compromise.

CVE-2018-4878 | Adobe Flash Player Use-After-Free Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments:
The exploitation technique for this vulnerability relies on a flaw in client software. In the wild, it was seen to be exploited via a malicious Excel file. The observed goals of this exploit by Group 123 are remote access and data exfiltration.

CVE-2023-2868 | Barracuda Networks ESG Appliance Improper Input Validation Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments:
CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) was reportedly exploited for espionage and data exfiltration by UNC4841, as attributed by Mandiant. Following exploitation of CVE-2023-2868, the malware families SALTWATER, SEASPY, and SEASIDE were identified in use in intrusions.

CVE-2023-1389 | TP-Link Archer AX-21 Command Injection Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments:
CVE-2023-1389 is a command injection vulnerability in one of the API components of the TP-Link Archer router's web management interface. Public reports indicate that multiple botnet malware families among the Mirai variants, including Condi, are targeting these vulnerable devices.

CVE-2023-38831 | RARLAB WinRAR Code Execution Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments:
CVE-2023-38831 is a vulnerability in WinRAR's handling of crafted archives that is triggered when a user attempts to open a seemingly legitimate document inside a compromised archive. It allows the attacker to execute arbitrary code on the system via a specially prepared archive. Public reports describe the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS leveraging this vulnerability.

CVE-2023-5631 | Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments:
This vulnerability is exploited by an adversary via a malicious e-mail containing a crafted SVG document. When a user views the e-mail, the remote attacker can load arbitrary JavaScript code on the victim's machine. In a recent campaign, the Winter Vivern group exploited this vulnerability. The attack chains typically start with a phishing mail containing a Base64-encoded payload embedded in the HTML source code. The payload is decoded and injects a remote JavaScript file, checkupdate.js, into the current user session. The checkupdate.js script serves as a loader, enabling execution of a final JavaScript payload designed to exfiltrate email messages. The attackers weaponized this XSS flaw to carry out their malicious activities, ultimately allowing them to harvest email messages from their victims' accounts and send them to a C2 server. The attack chain requires minimal user interaction; the attack executes simply when the malicious email is viewed in a web browser.