Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
ID | Name | Description |
---|---|---|
S0045 | ADVSTORESHELL |
ADVSTORESHELL exfiltrates data over the same channel used for C2.[1] |
S1025 | Amadey | |
S0584 | AppleJeus |
AppleJeus has exfiltrated collected host information to a C2 server.[3] |
S0622 | AppleSeed | |
G0022 | APT3 |
APT3 has a tool that exfiltrates data over the C2 channel.[5] |
G0050 | APT32 |
APT32's backdoor has exfiltrated data using the already opened channel with its C&C server.[6] |
G0087 | APT39 |
APT39 has exfiltrated stolen victim data through C2 communications.[7] |
S0373 | Astaroth |
Astaroth exfiltrates collected information from its r1.log file to the external C2 server. [8] |
S0438 | Attor | |
S1029 | AuTo Stealer |
AuTo Stealer can exfiltrate data over actor-controlled C2 servers via HTTP or TCP.[10] |
S0031 | BACKSPACE |
Adversaries can direct BACKSPACE to upload files to the C2 Server.[11] |
S1081 | BADHATCH | |
S0234 | Bandook |
Bandook can upload files from a victim's machine over the C2 channel.[14] |
S0239 | Bankshot | |
S0268 | Bisonal |
Bisonal has added the exfiltrated data to the URL over the C2 channel.[16] |
S0520 | BLINDINGCAN |
BLINDINGCAN has sent user and system information to a C2 server via HTTP POST requests.[17][18] |
S0657 | BLUELIGHT | |
S0651 | BoxCaon |
BoxCaon uploads files and data from a compromised host over the existing C2 channel.[20] |
S1039 | Bumblebee | |
C0017 | C0017 |
During C0017, APT41 used its Cloudflare services C2 channels for data exfiltration.[22] |
S0077 | CallMe |
CallMe exfiltrates data to its C2 server over the same protocol as C2 communications.[23] |
S0351 | Cannon |
Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.[24] |
S0484 | Carberp |
Carberp has exfiltrated data via HTTP to already established C2 servers.[25][26] |
S0572 | Caterpillar WebShell |
Caterpillar WebShell can upload files over the C2 channel.[27] |
S0674 | CharmPower |
CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST.[28] |
G0114 | Chimera |
Chimera has used Cobalt Strike C2 beacons for data exfiltration.[29] |
S0667 | Chrommme | |
G0142 | Confucius |
Confucius has exfiltrated stolen files to its C2 server.[31] |
S1024 | CreepySnail |
CreepySnail can connect to C2 for data exfiltration.[32] |
S0115 | Crimson | |
S0538 | Crutch |
Crutch can exfiltrate data over the primary C2 channel (Dropbox HTTP API).[34] |
S0687 | Cyclops Blink |
Cyclops Blink has the ability to upload exfiltrated files to a C2 server.[35] |
S1111 | DarkGate |
DarkGate uses existing command and control channels to retrieve captured cryptocurrency wallet credentials.[36] |
S1021 | DnsSystem |
DnsSystem can exfiltrate collected data to its C2 server.[37] |
S0600 | Doki |
Doki has used Ngrok to establish C2 and exfiltrate data.[38] |
S0502 | Drovorub | |
S0062 | DustySky | |
S0024 | Dyre |
Dyre has the ability to send information staged on a compromised host externally to C2.[41] |
S0377 | Ebury |
Ebury can exfiltrate SSH credentials through custom DNS queries.[42] |
S0367 | Emotet | |
S0363 | Empire |
Empire can send data gathered from a target through the command and control channel.[45][46] |
S0568 | EVILNUM |
EVILNUM can upload files over the C2 channel from the infected host.[47] |
S0696 | Flagpro | |
S0381 | FlawedAmmyy |
FlawedAmmyy has sent data collected from a compromised host to its C2 servers.[49] |
S0661 | FoggyWeb |
FoggyWeb can remotely exfiltrate sensitive information from a compromised AD FS server.[50] |
C0001 | Frankenstein |
During Frankenstein, the threat actors collected information via Empire, which sent the data back to the adversary's C2.[46] |
S1044 | FunnyDream |
FunnyDream can execute commands, including gathering user information, and send the results to C2.[51] |
G0093 | GALLIUM |
GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data.[52] |
G0047 | Gamaredon Group |
A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server.[53] |
S0493 | GoldenSpy |
GoldenSpy has exfiltrated host environment information to an external C2 domain via port 9006.[54] |
S0588 | GoldMax |
GoldMax can exfiltrate files over the existing C2 channel.[55][56] |
S0477 | Goopy |
Goopy has the ability to exfiltrate data over the Microsoft Outlook C2 channel.[57] |
S0531 | Grandoreiro |
Grandoreiro can send data it retrieves to the C2 server.[58] |
S0632 | GrimAgent |
GrimAgent has sent data related to a compromise host over its C2 channel.[59] |
S0391 | HAWKBALL |
HAWKBALL has sent system information and files over the C2 channel.[60] |
G0126 | Higaisa | |
S0376 | HOPLIGHT | |
S0431 | HotCroissant |
HotCroissant has the ability to download files from the infected host to the command and control (C2) server.[63] |
S1022 | IceApple |
IceApple's Multi File Exfiltrator module can exfiltrate multiple files from a compromised host as an HTTP response over C2.[64] |
S0434 | Imminent Monitor |
Imminent Monitor has uploaded a file containing debugger logs, network information and system information to the C2.[65] |
S0604 | Industroyer |
Industroyer sends information about hardware profiles and previously-received commands back to the C2 server in a POST-request.[66] |
G0004 | Ke3chang |
Ke3chang transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.[67] |
S0487 | Kessel |
Kessel has exfiltrated information gathered from the infected system to the C2 server.[68] |
S1020 | Kevin |
Kevin can send data from the victim host through a DNS C2 channel.[69] |
S0526 | KGH_SPY |
KGH_SPY can exfiltrate collected information from the host to the C2 server.[70] |
G0094 | Kimsuky | |
S0356 | KONNI | |
S1075 | KOPILUWAK |
KOPILUWAK has exfiltrated collected data to its C2 via POST requests.[76] |
G0032 | Lazarus Group |
Lazarus Group has exfiltrated data and files over a C2 channel through its various tools and malware.[77][78][79] |
G0065 | Leviathan | |
S0395 | LightNeuron |
LightNeuron exfiltrates data over its email C2 channel.[81] |
S0680 | LitePower |
LitePower can send collected data, including screenshots, over its C2 channel.[82] |
S0447 | Lokibot |
Lokibot has the ability to initiate contact with command and control (C2) to exfiltrate stolen data.[83] |
G1014 | LuminousMoth |
LuminousMoth has used malware that exfiltrates stolen data to its C2 server.[84] |
S0409 | Machete |
Machete's collected data is exfiltrated over the same channel used for C2.[85] |
S1016 | MacMa |
MacMa exfiltrates data from a supplied path over its C2 channel.[86] |
S1060 | Mafalda |
Mafalda can send network system data and files to its C2 server.[87] |
S0652 | MarkiRAT | |
S0459 | MechaFlounder |
MechaFlounder has the ability to send the compromised user's account name and hostname within a URL to C2.[89] |
S1059 | metaMain |
metaMain can upload collected files and data to its C2 server.[90] |
S0455 | Metamorfo |
Metamorfo can send the data it collects to the C2 server.[91] |
S0084 | Mis-Type |
Mis-Type has transmitted collected files and data to its C2 server.[92] |
S0083 | Misdat | |
S1122 | Mispadu |
Mispadu can sends the collected financial data to the C2 server.[93][94] |
S0079 | MobileOrder |
MobileOrder exfiltrates data to its C2 server over the same protocol as C2 communications.[23] |
S1026 | Mongall |
Mongall can upload files and information from a compromised host to its C2 server.[95] |
G0069 | MuddyWater |
MuddyWater has used C2 infrastructure to receive exfiltrated data.[96] |
S0034 | NETEAGLE |
NETEAGLE is capable of reading files over the C2 channel.[11] |
S1090 | NightClub |
NightClub can use SMTP and DNS for file exfiltration and C2.[97] |
S0385 | njRAT |
njRAT has used HTTP to receive stolen information from the infected machine.[98] |
S0340 | Octopus |
Octopus has uploaded stolen files and data from a victim's machine over its C2 channel.[99] |
S0439 | Okrum |
Data exfiltration is done by Okrum using the already opened channel with the C2 server.[100] |
S0264 | OopsIE |
OopsIE can upload files from the victim's machine to its C2 server.[101] |
C0022 | Operation Dream Job |
During Operation Dream Job, Lazarus Group exfiltrated data from a compromised host to actor-controlled C2 servers.[102] |
C0006 | Operation Honeybee |
During Operation Honeybee, the threat actors uploaded stolen files to their C2 servers.[103] |
C0014 | Operation Wocao |
During Operation Wocao, threat actors used the XServer backdoor to exfiltrate data.[104] |
S1017 | OutSteel |
OutSteel can upload files from a compromised host over its C2 channel.[105] |
S1050 | PcShare |
PcShare can upload files and information from a compromised host to its C2 servers.[51] |
S0587 | Penquin |
Penquin can execute the command code |
S1031 | PingPull |
PingPull has the ability to exfiltrate stolen victim data through its C2 channel.[107] |
S0428 | PoetRAT | |
S0441 | PowerShower |
PowerShower has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days.[109] |
S0238 | Proxysvc |
Proxysvc performs data exfiltration over the control server channel using a custom protocol.[110] |
S0078 | Psylo |
Psylo exfiltrates data to its C2 server over the same protocol as C2 communications.[23] |
S0147 | Pteranodon |
Pteranodon exfiltrates screenshot files to its C2 server.[53] |
S0192 | Pupy |
Pupy can send screenshots files, keylogger data, files, and recorded audio back to the C2 server.[111] |
S0650 | QakBot |
QakBot can send stolen information to C2 nodes including passwords, accounts, and emails.[112] |
S0495 | RDAT |
RDAT can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel.[113] |
S0375 | Remexi |
Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel.[114] |
S0496 | REvil |
REvil can exfiltrate host and malware information to C2 servers.[115] |
S0448 | Rising Sun |
Rising Sun can send data gathered from the infected machine via HTTP POST request to the C2.[116] |
S0240 | ROKRAT |
ROKRAT can send collected files back over same C2 channel.[117] |
S1078 | RotaJakiro |
RotaJakiro sends device and other collected data back to the C2 using the established C2 channels over TCP. [118] |
S0085 | S-Type |
S-Type has uploaded data and files from a compromised host to its C2 servers.[92] |
G0034 | Sandworm Team |
Sandworm Team has sent system information to its C2 server using HTTP.[119] |
S0461 | SDBbot |
SDBbot has sent collected data from a compromised host to its C2 servers.[49] |
S1019 | Shark |
Shark has the ability to upload files from the compromised host over a DNS or HTTP C2 channel.[120] |
S1089 | SharpDisco |
SharpDisco can load a plugin to exfiltrate stolen files to SMB shares also used in C2.[97] |
S0445 | ShimRatReporter |
ShimRatReporter sent generated reports to the C2 via HTTP POST requests.[121] |
S0610 | SideTwist | |
S0692 | SILENTTRINITY |
SILENTTRINITY can transfer files from an infected host to the C2 server.[123] |
S0633 | Sliver |
Sliver can exfiltrate files from the victim using the |
S0533 | SLOTHFULMEDIA |
SLOTHFULMEDIA has sent system information to a C2 server via HTTP and HTTPS POST requests.[125] |
S0649 | SMOKEDHAM | |
S0615 | SombRAT |
SombRAT has uploaded collected data and files from a compromised host to its C2 server.[127] |
S0543 | Spark | |
S1030 | Squirrelwaffle |
Squirrelwaffle has exfiltrated victim data using HTTP POST requests to its C2 servers.[129] |
S1037 | STARWHALE |
STARWHALE can exfiltrate collected data to its C2 servers.[130] |
G0038 | Stealth Falcon |
After data is collected by Stealth Falcon malware, it is exfiltrated over the existing C2 channel.[131] |
S1034 | StrifeWater |
StrifeWater can send data and files from a compromised host to its C2 server.[132] |
S0491 | StrongPity |
StrongPity can exfiltrate collected documents through C2 channels.[133][134] |
S0603 | Stuxnet | |
S1042 | SUGARDUMP |
SUGARDUMP has sent stolen credentials and other data to its C2 server.[136] |
S1064 | SVCReady |
SVCReady can send collected data in JSON format to its C2 server.[137] |
S0663 | SysUpdate | |
S0467 | TajMahal |
TajMahal has the ability to send collected files over its C2.[139] |
S0595 | ThiefQuest |
ThiefQuest exfiltrates targeted file extensions in the |
S0671 | Tomiris |
Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server.[142] |
S0678 | Torisma |
Torisma can send victim data to an actor-controlled C2 server.[143] |
S0266 | TrickBot |
TrickBot can send information about the compromised host and upload data to a hardcoded C2 server.[144][145] |
S0386 | Ursnif |
Ursnif has used HTTP POSTs to exfil gathered information.[146][147][148] |
S0476 | Valak |
Valak has the ability to exfiltrate data over the C2 channel.[149][150][151] |
S0670 | WarzoneRAT |
WarzoneRAT can send collected victim data to its C2 server.[152] |
G0102 | Wizard Spider |
Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.[153][154] |
S1065 | Woody RAT |
Woody RAT can exfiltrate files from an infected machine to its C2 server.[155] |
S0658 | XCSSET |
XCSSET exfiltrates data stolen from a system over its C2 channel.[156] |
S0251 | Zebrocy |
Zebrocy has exfiltrated data to the designated C2 server using HTTP POST requests.[157][158] |
G0128 | ZIRCONIUM |
ZIRCONIUM has exfiltrated files via the Dropbox API C2.[159] |
S0086 | ZLib |
ZLib has sent data and files from a compromised host to its C2 servers.[92] |
ID | Mitigation | Description |
---|---|---|
M1057 | Data Loss Prevention |
Data loss prevention can detect and block sensitive data being sent over unencrypted protocols. |
M1031 | Network Intrusion Prevention |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. [160] |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may steal data by exfiltrating it over an existing command and control channel. |
DS0022 | File | File Access |
Monitor for suspicious files (i.e. .pdf, .docx, .jpg, etc.) viewed in isolation that may steal data by exfiltrating it over an existing command and control channel. |
DS0029 | Network Traffic | Network Connection Creation |
Monitor for newly constructed network connections that are sent or received by untrusted hosts. Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on TCP network connection creation. |
Network Traffic Content |
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
||
Network Traffic Flow |
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |