Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This diagnostic statement protects against Exfiltration Over C2 Channel through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
References
|
DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This diagnostic statement provides protection from Exfiltration Over C2 Channel by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
References
|
PR.DS-01.01 | Data-at-rest protection | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
References
|
PR.DS-01.02 | Data loss prevention | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
References
|
PR.DS-10.01 | Data-in-use protection | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
References
|
PR.IR-04.01 | Utilization monitoring | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
References
|
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This diagnostic statement protects against Exfiltration Over C2 Channel through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2018-4878 | Adobe Flash Player Use-After-Free Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
The exploitation technique for this vulnerability is based on a vulnerability in Client software. In the wild, this was seen to be exploited by a malicious excel file.
The observed goals of this exploit from Group 123 are remote access and data exfiltration.
References
|
CVE-2025-33053 | Microsoft Windows External Control of File Name or Path Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
By manipulating the working directory of Windows processes, attackers can utilize these valid processes and trick them into running arbitrary code from a WebDAV server. This has been done by using a phishing email with a malicious PDF document attached, leading to code execution, the creation of backdoors, the introduction of a keylogger onto the system, and data exfiltration via C2.
References
|
CVE-2024-4577 | PHP-CGI OS Command Injection Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.
References
|
CVE-2023-1389 | TP-Link Archer AX-21 Command Injection Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices.
References
|
CVE-2025-32756 | Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
Attackers use a Python script (publicly available or custom) to send a malformed POST request, triggering a buffer overflow. From there, they execute remote code and malicious payloads (i.e. malware), harvest credentials, move laterally over the network by scanning for other devices, erase logs to avoid detection, and exfiltrate data over C2.
References
|
CVE-2023-38831 | RARLAB WinRAR Code Execution Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
CVE-2023-38831 is a vulnerability within the crafred archive process of WinRAR that occurs when a user attempts to open a seemingly legitimate document within a compromised archive, the vulnerability allows the attacker to execute arbitrary code on the system via a specially prepared archive. There have been public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS leveraging this vulnerability.
References
|
CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability | primary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to typically install webshell malware to vulnerable hosts.
References
|
CVE-2023-2868 | Barracuda Networks ESG Appliance Improper Input Validation Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) had been reportedly exploited for espionage and exfiltration efforts by UNC4841 attributed by Mandiant. Following the exploitation of CVE-2023-2868, malware SALTWATER, SEASPY, and SEASIDE were identified to be used in intrusions.
References
|
CVE-2023-5631 | Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
This vulnerability is exploited by an adversary via a malicious e-mail containing a crafted SVG document. When a user views the e-mail, the remote attacker can load arbitrary JavaScript code on the victim's machine.
In recent campaign Winter Vivern group exploited this vulnerability. The attack chains typically start with a phishing mail sent containing a Base64-encoded payload embedded in the HTML source code. The payload gets decoded and injects a remote javascript, checkupdate.js, in current user session.
The checkupdate.js script serves as a loader, enabling the execution of a final JavaScript payload which is designed to exfiltrate email messages. The attackers weaponized this XSS flaw to carry out their malicious activities, ultimately allowing them to harvest email messages from their victims' accounts to a C2 server. The attack chain requires minimal user interaction, the attack gets executed only in viewing the malicious email in a web browser.
References
|
CVE-2024-27443 | Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
Attackers can send a malicious email with a specially crafted calendar header in order to execute arbitrary JavaScript code in the browser
References
|
CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability | primary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
CVE 2019-18935 is a Insecure Deserialization vulnerability with the Telerik UI, which does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise.
References
|
CVE-2024-55550 | Mitel MiCollab Path Traversal Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
Due to improper input sanitization, a user with administrative credentials can access and read arbitrary files on the MiCollab server. That data can then be exfiltrated.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1041 | Exfiltration Over C2 Channel | |
attribute.confidentiality.data_disclosure | None | related-to | T1041 | Exfiltration Over C2 Channel |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1041 | Exfiltration Over C2 Channel |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can send data gathered from a target through a command and control channel, but does not address other procedures.
References
|
azure_dns_analytics | Azure DNS Analytics | technique_scores | T1041 | Exfiltration Over C2 Channel |
Comments
This control can potentially be used to forensically identify exfiltration via a DNS-based C2 channel.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
cloud_ids | Cloud IDS | technique_scores | T1041 | Exfiltration Over C2 Channel |
Comments
Often used by adversaries to compromise sensitive data, Palo Alto Network's spyware signatures is able to detect data exfiltration attempts and anomalies over known command and control communications.
Although there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.
References
|
cloud_ngfw | Cloud Next-Generation Firewall (NGFW)_ | technique_scores | T1041 | Exfiltration Over C2 Channel |
Comments
Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance.
References
|
google_secops | Google Security Operations | technique_scores | T1041 | Exfiltration Over C2 Channel |
Comments
Google Security Ops is able to trigger an alert based off suspicious system processes or command-line arguments that could indicate exfiltration of data over the C2 channel.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/possible_data_exfiltration_via_smtp.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/data_exfiltration_attempt_via_bitsadmin.yaral
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_guardduty | Amazon GuardDuty | technique_scores | T1041 | Exfiltration Over C2 Channel |
Comments
The following GuardDuty finding type flags events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents.
Behavior:EC2/TrafficVolumeUnusual
Accuracy and Coverage is unknown, as this finding flags traffic volume that differs from a baseline.
References
|
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1041 | Exfiltration Over C2 Channel |
Comments
The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices using an established command and control channel to/from those devices: "Destination IPs" ("aws:destination-ip-addresses") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. "Bytes in" ("aws:all-bytes-in"), "Bytes out" ("aws:all-bytes-out"), "Packets in" ("aws:all-packets-in"), and "Packets out" ("aws:all-packets-out") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. "Listening TCP ports" ("aws:listening-tcp-ports"), "Listening TCP port count" ("aws:num-listening-tcp-ports"), "Established TCP connections count" ("aws:num-established-tcp-connections"), "Listening UDP ports" ("aws:listening-udp-ports"), and "Listening UDP port count" ("aws:num-listening-udp-ports") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over command and control channels.
Coverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.
References
|
aws_network_firewall | AWS Network Firewall | technique_scores | T1041 | Exfiltration Over C2 Channel |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance.
References
|