T1041 Exfiltration Over C2 Channel

This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.

This diagnostic statement protects against Exfiltration Over C2 Channel through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.

This diagnostic statement provides protection from Exfiltration Over C2 Channel by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.

This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.

The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.

This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.

This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.

This diagnostic statement protects against Exfiltration Over C2 Channel through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.

The exploitation technique for this vulnerability is based on a vulnerability in Client software. In the wild, this was seen to be exploited by a malicious excel file. The observed goals of this exploit from Group 123 are remote access and data exfiltration.

By manipulating the working directory of Windows processes, attackers can utilize these valid processes and trick them into running arbitrary code from a WebDAV server. This has been done by using a phishing email with a malicious PDF document attached, leading to code execution, the creation of backdoors, the introduction of a keylogger onto the system, and data exfiltration via C2.

CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.

CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices.

Attackers use a Python script (publicly available or custom) to send a malformed POST request, triggering a buffer overflow. From there, they execute remote code and malicious payloads (i.e. malware), harvest credentials, move laterally over the network by scanning for other devices, erase logs to avoid detection, and exfiltrate data over C2.

CVE-2023-38831 is a vulnerability within the crafred archive process of WinRAR that occurs when a user attempts to open a seemingly legitimate document within a compromised archive, the vulnerability allows the attacker to execute arbitrary code on the system via a specially prepared archive. There have been public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS leveraging this vulnerability.

CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to typically install webshell malware to vulnerable hosts.

CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) had been reportedly exploited for espionage and exfiltration efforts by UNC4841 attributed by Mandiant. Following the exploitation of CVE-2023-2868, malware SALTWATER, SEASPY, and SEASIDE were identified to be used in intrusions.

This vulnerability is exploited by an adversary via a malicious e-mail containing a crafted SVG document. When a user views the e-mail, the remote attacker can load arbitrary JavaScript code on the victim's machine. In recent campaign Winter Vivern group exploited this vulnerability. The attack chains typically start with a phishing mail sent containing a Base64-encoded payload embedded in the HTML source code. The payload gets decoded and injects a remote javascript, checkupdate.js, in current user session. The checkupdate.js script serves as a loader, enabling the execution of a final JavaScript payload which is designed to exfiltrate email messages. The attackers weaponized this XSS flaw to carry out their malicious activities, ultimately allowing them to harvest email messages from their victims' accounts to a C2 server. The attack chain requires minimal user interaction, the attack gets executed only in viewing the malicious email in a web browser.

Attackers can send a malicious email with a specially crafted calendar header in order to execute arbitrary JavaScript code in the browser

CVE 2019-18935 is a Insecure Deserialization vulnerability with the Telerik UI, which does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise.

Due to improper input sanitization, a user with administrative credentials can access and read arbitrary files on the MiCollab server. That data can then be exfiltrated.

The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can send data gathered from a target through a command and control channel, but does not address other procedures.

This control can potentially be used to forensically identify exfiltration via a DNS-based C2 channel.

Often used by adversaries to compromise sensitive data, Palo Alto Network's spyware signatures is able to detect data exfiltration attempts and anomalies over known command and control communications. Although there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance.

Google Security Ops is able to trigger an alert based off suspicious system processes or command-line arguments that could indicate exfiltration of data over the C2 channel. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/possible_data_exfiltration_via_smtp.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/data_exfiltration_attempt_via_bitsadmin.yaral

The following GuardDuty finding type flags events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents. Behavior:EC2/TrafficVolumeUnusual Accuracy and Coverage is unknown, as this finding flags traffic volume that differs from a baseline.

The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices using an established command and control channel to/from those devices: "Destination IPs" ("aws:destination-ip-addresses") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. "Bytes in" ("aws:all-bytes-in"), "Bytes out" ("aws:all-bytes-out"), "Packets in" ("aws:all-packets-in"), and "Packets out" ("aws:all-packets-out") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. "Listening TCP ports" ("aws:listening-tcp-ports"), "Listening TCP port count" ("aws:num-listening-tcp-ports"), "Established TCP connections count" ("aws:num-established-tcp-connections"), "Listening UDP ports" ("aws:listening-udp-ports"), and "Listening UDP port count" ("aws:num-listening-udp-ports") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over command and control channels. Coverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.

AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance.