Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-4 | Information Flow Enforcement | Protects | T1041 | Exfiltration Over C2 Channel | |
| CA-7 | Continuous Monitoring | Protects | T1041 | Exfiltration Over C2 Channel | |
| SC-7 | Boundary Protection | Protects | T1041 | Exfiltration Over C2 Channel | |
| SI-3 | Malicious Code Protection | Protects | T1041 | Exfiltration Over C2 Channel | |
| SI-4 | System Monitoring | Protects | T1041 | Exfiltration Over C2 Channel | |
| azure_sentinel | Azure Sentinel | technique_scores | T1041 | Exfiltration Over C2 Channel | Comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can send data gathered from a target through a command and control channel, but it does not address other procedures. |
| azure_dns_analytics | Azure DNS Analytics | technique_scores | T1041 | Exfiltration Over C2 Channel | Comments: This control can potentially be used to forensically identify exfiltration via a DNS-based C2 channel. |