T1041 Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
DE.AE-02.01 Event analysis and detection Mitigates T1041 Exfiltration Over C2 Channel
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
    PR.IR-03.01 Alternative resilience mechanisms Mitigates T1041 Exfiltration Over C2 Channel
    Comments
    This diagnostic statement protects against Exfiltration Over C2 Channel through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
    References
      DE.CM-01.03 Unauthorized network connections and data transfers Mitigates T1041 Exfiltration Over C2 Channel
      Comments
      This diagnostic statement provides protection from Exfiltration Over C2 Channel by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
      References
        PR.DS-01.01 Data-at-rest protection Mitigates T1041 Exfiltration Over C2 Channel
        Comments
        This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
        References
          PR.DS-01.02 Data loss prevention Mitigates T1041 Exfiltration Over C2 Channel
          Comments
          The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
          References
            PR.DS-10.01 Data-in-use protection Mitigates T1041 Exfiltration Over C2 Channel
            Comments
            This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
            References
              PR.IR-04.01 Utilization monitoring Mitigates T1041 Exfiltration Over C2 Channel
              Comments
              This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
              References
                PR.IR-01.03 Network communications integrity and availability Mitigates T1041 Exfiltration Over C2 Channel
                Comments
                This diagnostic statement protects against Exfiltration Over C2 Channel through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
                References

                  NIST 800-53 Mappings

                  Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                  CA-07 Continuous Monitoring mitigates T1041 Exfiltration Over C2 Channel
                  SA-09 External System Services mitigates T1041 Exfiltration Over C2 Channel
                  SC-31 Covert Channel Analysis mitigates T1041 Exfiltration Over C2 Channel
                  SR-04 Provenance mitigates T1041 Exfiltration Over C2 Channel
                  SC-13 Cryptographic Protection mitigates T1041 Exfiltration Over C2 Channel
                  AC-23 Data Mining Protection mitigates T1041 Exfiltration Over C2 Channel
                  CA-03 Information Exchange mitigates T1041 Exfiltration Over C2 Channel
                  SC-28 Protection of Information at Rest mitigates T1041 Exfiltration Over C2 Channel
                  SI-03 Malicious Code Protection mitigates T1041 Exfiltration Over C2 Channel
                  AC-16 Security and Privacy Attributes mitigates T1041 Exfiltration Over C2 Channel
                  AC-20 Use of External Systems mitigates T1041 Exfiltration Over C2 Channel
                  SA-08 Security and Privacy Engineering Principles mitigates T1041 Exfiltration Over C2 Channel
                  SI-04 System Monitoring mitigates T1041 Exfiltration Over C2 Channel
                  AC-02 Account Management mitigates T1041 Exfiltration Over C2 Channel
                  AC-03 Access Enforcement mitigates T1041 Exfiltration Over C2 Channel
                  AC-04 Information Flow Enforcement mitigates T1041 Exfiltration Over C2 Channel
                  AC-06 Least Privilege mitigates T1041 Exfiltration Over C2 Channel
                  SC-07 Boundary Protection mitigates T1041 Exfiltration Over C2 Channel

                  Known Exploited Vulnerabilities Mappings

                  Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                  CVE-2018-4878 Adobe Flash Player Use-After-Free Vulnerability secondary_impact T1041 Exfiltration Over C2 Channel
                  Comments
                  The exploitation technique for this vulnerability is based on a vulnerability in Client software. In the wild, this was seen to be exploited by a malicious excel file. The observed goals of this exploit from Group 123 are remote access and data exfiltration.
                  References
                  CVE-2025-33053 Microsoft Windows External Control of File Name or Path Vulnerability secondary_impact T1041 Exfiltration Over C2 Channel
                  Comments
                  By manipulating the working directory of Windows processes, attackers can utilize these valid processes and trick them into running arbitrary code from a WebDAV server. This has been done by using a phishing email with a malicious PDF document attached, leading to code execution, the creation of backdoors, the introduction of a keylogger onto the system, and data exfiltration via C2.
                  References
                  CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability secondary_impact T1041 Exfiltration Over C2 Channel
                  Comments
                  CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.
                  References
                  CVE-2023-1389 TP-Link Archer AX-21 Command Injection Vulnerability secondary_impact T1041 Exfiltration Over C2 Channel
                  Comments
                  CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices.
                  References
                  CVE-2025-32756 Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability secondary_impact T1041 Exfiltration Over C2 Channel
                  Comments
                  Attackers use a Python script (publicly available or custom) to send a malformed POST request, triggering a buffer overflow. From there, they execute remote code and malicious payloads (i.e. malware), harvest credentials, move laterally over the network by scanning for other devices, erase logs to avoid detection, and exfiltrate data over C2.
                  References
                  CVE-2023-38831 RARLAB WinRAR Code Execution Vulnerability secondary_impact T1041 Exfiltration Over C2 Channel
                  Comments
                  CVE-2023-38831 is a vulnerability within the crafred archive process of WinRAR that occurs when a user attempts to open a seemingly legitimate document within a compromised archive, the vulnerability allows the attacker to execute arbitrary code on the system via a specially prepared archive. There have been public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS leveraging this vulnerability.
                  References
                  CVE-2019-0604 Microsoft SharePoint Remote Code Execution Vulnerability primary_impact T1041 Exfiltration Over C2 Channel
                  Comments
                  CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to typically install webshell malware to vulnerable hosts.
                  References
                  CVE-2023-2868 Barracuda Networks ESG Appliance Improper Input Validation Vulnerability secondary_impact T1041 Exfiltration Over C2 Channel
                  Comments
                  CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) had been reportedly exploited for espionage and exfiltration efforts by UNC4841 attributed by Mandiant. Following the exploitation of CVE-2023-2868, malware SALTWATER, SEASPY, and SEASIDE were identified to be used in intrusions.
                  References
                  CVE-2023-5631 Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability secondary_impact T1041 Exfiltration Over C2 Channel
                  Comments
                  This vulnerability is exploited by an adversary via a malicious e-mail containing a crafted SVG document. When a user views the e-mail, the remote attacker can load arbitrary JavaScript code on the victim's machine. In recent campaign Winter Vivern group exploited this vulnerability. The attack chains typically start with a phishing mail sent containing a Base64-encoded payload embedded in the HTML source code. The payload gets decoded and injects a remote javascript, checkupdate.js, in current user session. The checkupdate.js script serves as a loader, enabling the execution of a final JavaScript payload which is designed to exfiltrate email messages. The attackers weaponized this XSS flaw to carry out their malicious activities, ultimately allowing them to harvest email messages from their victims' accounts to a C2 server. The attack chain requires minimal user interaction, the attack gets executed only in viewing the malicious email in a web browser.
                  References
                  CVE-2024-27443 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability secondary_impact T1041 Exfiltration Over C2 Channel
                  Comments
                  Attackers can send a malicious email with a specially crafted calendar header in order to execute arbitrary JavaScript code in the browser
                  References
                  CVE-2019-18935 Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability primary_impact T1041 Exfiltration Over C2 Channel
                  Comments
                  CVE 2019-18935 is a Insecure Deserialization vulnerability with the Telerik UI, which does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise.
                  References
                  CVE-2024-55550 Mitel MiCollab Path Traversal Vulnerability secondary_impact T1041 Exfiltration Over C2 Channel
                  Comments
                  Due to improper input sanitization, a user with administrative credentials can access and read arbitrary files on the MiCollab server. That data can then be exfiltrated.
                  References

                  VERIS Mappings

                  Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                  action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1041 Exfiltration Over C2 Channel
                  attribute.confidentiality.data_disclosure None related-to T1041 Exfiltration Over C2 Channel

                  Azure Mappings

                  Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                  microsoft_sentinel Microsoft Sentinel technique_scores T1041 Exfiltration Over C2 Channel
                  Comments
                  The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can send data gathered from a target through a command and control channel, but does not address other procedures.
                  References
                  azure_dns_analytics Azure DNS Analytics technique_scores T1041 Exfiltration Over C2 Channel
                  Comments
                  This control can potentially be used to forensically identify exfiltration via a DNS-based C2 channel.
                  References

                  GCP Mappings

                  Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                  cloud_ids Cloud IDS technique_scores T1041 Exfiltration Over C2 Channel
                  Comments
                  Often used by adversaries to compromise sensitive data, Palo Alto Network's spyware signatures is able to detect data exfiltration attempts and anomalies over known command and control communications. Although there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.
                  References
                  cloud_ngfw Cloud Next-Generation Firewall (NGFW)_ technique_scores T1041 Exfiltration Over C2 Channel
                  Comments
                  Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance.
                  References
                  google_secops Google Security Operations technique_scores T1041 Exfiltration Over C2 Channel
                  Comments
                  Google Security Ops is able to trigger an alert based off suspicious system processes or command-line arguments that could indicate exfiltration of data over the C2 channel. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/possible_data_exfiltration_via_smtp.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/data_exfiltration_attempt_via_bitsadmin.yaral
                  References

                  AWS Mappings

                  Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                  amazon_guardduty Amazon GuardDuty technique_scores T1041 Exfiltration Over C2 Channel
                  Comments
                  The following GuardDuty finding type flags events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents. Behavior:EC2/TrafficVolumeUnusual Accuracy and Coverage is unknown, as this finding flags traffic volume that differs from a baseline.
                  References
                  aws_iot_device_defender AWS IoT Device Defender technique_scores T1041 Exfiltration Over C2 Channel
                  Comments
                  The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices using an established command and control channel to/from those devices: "Destination IPs" ("aws:destination-ip-addresses") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. "Bytes in" ("aws:all-bytes-in"), "Bytes out" ("aws:all-bytes-out"), "Packets in" ("aws:all-packets-in"), and "Packets out" ("aws:all-packets-out") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. "Listening TCP ports" ("aws:listening-tcp-ports"), "Listening TCP port count" ("aws:num-listening-tcp-ports"), "Established TCP connections count" ("aws:num-established-tcp-connections"), "Listening UDP ports" ("aws:listening-udp-ports"), and "Listening UDP port count" ("aws:num-listening-udp-ports") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over command and control channels. Coverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.
                  References
                  aws_network_firewall AWS Network Firewall technique_scores T1041 Exfiltration Over C2 Channel
                  Comments
                  AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance.
                  References