Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
ID | Name | Description |
---|---|---|
S0045 | ADVSTORESHELL |
ADVSTORESHELL exfiltrates data over the same channel used for C2.[1] |
S0584 | AppleJeus |
AppleJeus has exfiltrated collected host information to a C2 server.[2] |
S0622 | AppleSeed | |
G0022 | APT3 |
APT3 has a tool that exfiltrates data over the C2 channel.[4] |
G0050 | APT32 |
APT32's backdoor has exfiltrated data using the already opened channel with its C&C server.[5] |
G0087 | APT39 |
APT39 has exfiltrated stolen victim data through C2 communications.[6] |
S0373 | Astaroth |
Astaroth exfiltrates collected information from its r1.log file to the external C2 server. [7] |
S0438 | Attor | |
S0031 | BACKSPACE |
Adversaries can direct BACKSPACE to upload files to the C2 Server.[9] |
S0234 | Bandook |
Bandook can upload files from a victim's machine over the C2 channel.[10] |
S0239 | Bankshot | |
S0268 | Bisonal |
Bisonal has added the exfiltrated data to the URL over the C2 channel.[12] |
S0520 | BLINDINGCAN |
BLINDINGCAN has sent user and system information to a C2 server via HTTP POST requests.[13][14] |
S0657 | BLUELIGHT | |
S0651 | BoxCaon |
BoxCaon uploads files and data from a compromised host over the existing C2 channel.[16] |
S0077 | CallMe |
CallMe exfiltrates data to its C2 server over the same protocol as C2 communications.[17] |
S0351 | Cannon |
Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.[18] |
S0484 | Carberp |
Carberp has exfiltrated data via HTTP to already established C2 servers.[19][20] |
S0572 | Caterpillar WebShell |
Caterpillar WebShell can upload files over the C2 channel.[21] |
S0674 | CharmPower |
CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST.[22] |
G0114 | Chimera |
Chimera has used Cobalt Strike C2 beacons for data exfiltration.[23] |
G0142 | Confucius |
Confucius has exfiltrated stolen files to its C2 server.[24] |
S0538 | Crutch |
Crutch can exfiltrate data over the primary C2 channel (Dropbox HTTP API).[25] |
S0687 | Cyclops Blink |
Cyclops Blink has the ability to upload exfiltrated files to a C2 server.[26] |
S0600 | Doki |
Doki has used Ngrok to establish C2 and exfiltrate data.[27] |
S0502 | Drovorub | |
S0062 | DustySky | |
S0024 | Dyre |
Dyre has the ability to send information staged on a compromised host externally to C2.[30] |
S0377 | Ebury |
Ebury can exfiltrate SSH credentials through custom DNS queries.[31] |
S0367 | Emotet |
Emotet has been seen exfiltrating system information stored within cookies sent within an HTTP GET request back to its C2 servers. [32] |
S0363 | Empire |
Empire can send data gathered from a target through the command and control channel.[33] |
S0568 | EVILNUM |
EVILNUM can upload files over the C2 channel from the infected host.[34] |
S0696 | Flagpro | |
S0661 | FoggyWeb |
FoggyWeb can remotely exfiltrate sensitive information from a compromised AD FS server.[36] |
G0101 | Frankenstein |
Frankenstein has collected information via Empire, which is automatically sent the data back to the adversary's C2.[37] |
G0093 | GALLIUM |
GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data.[38] |
G0047 | Gamaredon Group |
A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server.[39] |
S0493 | GoldenSpy |
GoldenSpy has exfiltrated host environment information to an external C2 domain via port 9006.[40] |
S0588 | GoldMax |
GoldMax can exfiltrate files over the existing C2 channel.[41][42] |
S0477 | Goopy |
Goopy has the ability to exfiltrate data over the Microsoft Outlook C2 channel.[43] |
S0531 | Grandoreiro |
Grandoreiro can send data it retrieves to the C2 server.[44] |
S0632 | GrimAgent |
GrimAgent has sent data related to a compromise host over its C2 channel.[45] |
S0391 | HAWKBALL |
HAWKBALL has sent system information and files over the C2 channel.[46] |
G0126 | Higaisa | |
S0376 | HOPLIGHT | |
S0431 | HotCroissant |
HotCroissant has the ability to download files from the infected host to the command and control (C2) server.[49] |
S0434 | Imminent Monitor |
Imminent Monitor has uploaded a file containing debugger logs, network information and system information to the C2.[50] |
S0604 | Industroyer |
Industroyer sends information about hardware profiles and previously-received commands back to the C2 server in a POST-request.[51] |
G0004 | Ke3chang |
Ke3chang transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.[52] |
S0487 | Kessel |
Kessel has exfiltrated information gathered from the infected system to the C2 server.[53] |
S0526 | KGH_SPY |
KGH_SPY can exfiltrate collected information from the host to the C2 server.[54] |
G0094 | Kimsuky | |
S0356 | KONNI | |
G0032 | Lazarus Group |
Lazarus Group has exfiltrated data and files over a C2 channel through its various tools and malware.[60][61][62][63] |
G0065 | Leviathan | |
S0395 | LightNeuron |
LightNeuron exfiltrates data over its email C2 channel.[65] |
S0680 | LitePower |
LitePower can send collected data, including screenshots, over its C2 channel.[66] |
S0447 | Lokibot |
Lokibot has the ability to initiate contact with command and control (C2) to exfiltrate stolen data.[67] |
S0409 | Machete |
Machete's collected data is exfiltrated over the same channel used for C2.[68] |
S0652 | MarkiRAT | |
S0459 | MechaFlounder |
MechaFlounder has the ability to send the compromised user's account name and hostname within a URL to C2.[70] |
S0455 | Metamorfo |
Metamorfo can send the data it collects to the C2 server.[71] |
S0079 | MobileOrder |
MobileOrder exfiltrates data to its C2 server over the same protocol as C2 communications.[17] |
G0069 | MuddyWater |
MuddyWater has used C2 infrastructure to receive exfiltrated data.[72] |
S0034 | NETEAGLE |
NETEAGLE is capable of reading files over the C2 channel.[9] |
S0385 | njRAT |
njRAT has used HTTP to receive stolen information from the infected machine.[73] |
S0340 | Octopus |
Octopus has uploaded stolen files and data from a victim's machine over its C2 channel.[74] |
S0439 | Okrum |
Data exfiltration is done by Okrum using the already opened channel with the C2 server.[75] |
S0264 | OopsIE |
OopsIE can upload files from the victim's machine to its C2 server.[76] |
G0116 | Operation Wocao |
Operation Wocao has used the Xserver backdoor to exfiltrate data.[77] |
S0587 | Penquin |
Penquin can execute the command code |
S0428 | PoetRAT | |
S0441 | PowerShower |
PowerShower has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days.[80] |
S0238 | Proxysvc |
Proxysvc performs data exfiltration over the control server channel using a custom protocol.[81] |
S0078 | Psylo |
Psylo exfiltrates data to its C2 server over the same protocol as C2 communications.[17] |
S0147 | Pteranodon |
Pteranodon exfiltrates screenshot files to its C2 server.[39] |
S0192 | Pupy |
Pupy can send screenshots files, keylogger data, files, and recorded audio back to the C2 server.[82] |
S0650 | QakBot |
QakBot can send stolen information to C2 nodes including passwords, accounts, and emails.[83] |
S0495 | RDAT |
RDAT can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel.[84] |
S0375 | Remexi |
Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel.[85] |
S0496 | REvil |
REvil can exfiltrate host and malware information to C2 servers.[86] |
S0448 | Rising Sun |
Rising Sun can send data gathered from the infected machine via HTTP POST request to the C2.[87] |
S0240 | ROKRAT |
ROKRAT can send collected files back over same C2 channel.[88] |
G0034 | Sandworm Team |
Sandworm Team has sent system information to its C2 server using HTTP.[89] |
S0445 | ShimRatReporter |
ShimRatReporter sent generated reports to the C2 via HTTP POST requests.[90] |
S0610 | SideTwist | |
S0692 | SILENTTRINITY |
SILENTTRINITY can transfer files from an infected host to the C2 server.[92] |
S0633 | Sliver |
Sliver can exfiltrate files from the victim using the |
S0533 | SLOTHFULMEDIA |
SLOTHFULMEDIA has sent system information to a C2 server via HTTP and HTTPS POST requests.[94] |
S0649 | SMOKEDHAM | |
S0543 | Spark | |
G0038 | Stealth Falcon |
After data is collected by Stealth Falcon malware, it is exfiltrated over the existing C2 channel.[97] |
S0491 | StrongPity |
StrongPity can exfiltrate collected documents through C2 channels.[98][99] |
S0603 | Stuxnet | |
S0467 | TajMahal |
TajMahal has the ability to send collected files over its C2.[101] |
S0595 | ThiefQuest |
ThiefQuest exfiltrates targeted file extensions in the |
S0671 | Tomiris |
Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server.[104] |
S0678 | Torisma |
Torisma can send victim data to an actor-controlled C2 server.[63] |
S0266 | TrickBot |
TrickBot can send information about the compromised host and upload data to a hardcoded C2 server.[105][106] |
S0386 | Ursnif |
Ursnif has used HTTP POSTs to exfil gathered information.[107][108][109] |
S0476 | Valak |
Valak has the ability to exfiltrate data over the C2 channel.[110][111][112] |
S0670 | WarzoneRAT |
WarzoneRAT can send collected victim data to its C2 server.[113] |
G0102 | Wizard Spider |
Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.[114] |
S0658 | XCSSET |
XCSSET exfiltrates data stolen from a system over its C2 channel.[115] |
S0251 | Zebrocy |
Zebrocy has exfiltrated data to the designated C2 server using HTTP POST requests.[116][117] |
G0128 | ZIRCONIUM |
ZIRCONIUM has exfiltrated files via the Dropbox API C2.[118] |
ID | Mitigation | Description |
---|---|---|
M1057 | Data Loss Prevention |
Data loss prevention can detect and block sensitive data being sent over unencrypted protocols. |
M1031 | Network Intrusion Prevention |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. [119] |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
DS0029 | Network Traffic | Network Connection Creation |
Network Traffic Content | ||
Network Traffic Flow |
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. [119]