T1041

Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

Platforms: ESXi, Linux, macOS, Windows

31 Detections | 3 Sources | 27 Threat Actors

BY SOURCE

18 elastic, 10 splunk_escu, 3 sigma

PROCEDURES (22)

Procedure groupings are auto-extracted from the detections listed below; the number in parentheses is the detection count for each group.

- General Monitoring (5 detections)
- Service (2 detections)
- Inject (2 detections)
- Credential (2 detections)
- Inject (2 detections)
- C2 (2 detections)
- Script Block (1 detection)
- Tunnel (1 detection)
- Tunnel (1 detection)
- Credential (1 detection)
- Unusual (1 detection)
- DNS (1 detection)
- Tunnel (1 detection)
- Unusual (1 detection)
- Credential (1 detection)
- Network Connection Monitoring (1 detection)
- API (1 detection)
- Download (1 detection)
- Service (1 detection)
- Credential (1 detection)
- DNS (1 detection)
- HTTP (1 detection)

DETECTIONS (31)

Each entry lists the detection name followed by its source and, where the source assigns one, its severity level.

- Cisco ASA - Device File Copy to Remote Location (splunk_escu)
- Cisco Secure Firewall - High EVE Threat Confidence (splunk_escu)
- Cisco Secure Firewall - Intrusion Events by Threat Activity (splunk_escu)
- Cisco Secure Firewall - Lumma Stealer Download Attempt (splunk_escu)
- Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt (splunk_escu)
- Cisco Secure Firewall - Potential Data Exfiltration (splunk_escu)
- Detect SNICat SNI Exfiltration (splunk_escu)
- DNS Tunneling (elastic, low)
- Network Activity Detected via Kworker (elastic, low)
- Network Communication Initiated To Portmap.IO Domain (sigma, medium)
- Network Traffic to Rare Destination Country (elastic, low)
- OpenCanary - TFTP Request (sigma, high)
- Potential Data Exfiltration Activity to an Unusual Destination Port (elastic, low)
- Potential Data Exfiltration Activity to an Unusual IP Address (elastic, low)
- Potential Data Exfiltration Activity to an Unusual ISO Code (elastic, low)
- Potential Data Exfiltration Activity to an Unusual Region (elastic, low)
- Potential Telegram API Request Via CommandLine (splunk_escu)
- Spike in Firewall Denies (elastic, low)
- Spike in host-based traffic (elastic, low)
- Spike in Network Traffic (elastic, low)
- Spike in Network Traffic To a Country (elastic, low)
- Tunneling Tool Execution (sigma, medium)
- Unusual AWS Command for a User (elastic, low)
- Unusual Azure Activity Logs Event for a User (elastic, low)
- Unusual GCP Event for a User (elastic, low)
- Unusual Linux Network Activity (elastic, low)
- Unusual Linux Network Port Activity (elastic, low)
- Unusual Network Destination Domain Name (elastic, low)
- Unusual Windows Network Activity (elastic, low)
- Windows Exfiltration Over C2 Via Invoke RestMethod (splunk_escu)
- Windows Exfiltration Over C2 Via Powershell UploadString (splunk_escu)