T1041

Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
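Neither the technique description nor the detection names on this page show what the signal actually looks like in telemetry, so here is an added example written for this page (not code from the page, nor from Elastic, Splunk or Sigma). It runs two checks over constructed data. The network check first finds channels that look like an established beacon (many connections at a near-constant interval, small payloads), then flags a connection on such a channel whose outbound byte count is far above the channel's median beacon size; that is the essence of T1041, as opposed to a large upload to a host the machine has never talked to. The host check is a simplified command-line heuristic in the spirit of the two Splunk ESCU rule names listed below (Invoke-RestMethod, UploadString); its patterns are this example's assumption and do not reproduce those rules' logic. All thresholds, host names, addresses and records are made up for the example.

```python
"""Detecting exfiltration over an existing C2 channel (T1041) in connection logs."""
import re
from collections import defaultdict
from statistics import median

# Thresholds are assumptions chosen for this example, not values taken from any
# vendor rule on this page; tune them against your own traffic baseline.
MIN_BEACON_CONNECTIONS = 8   # samples needed before a channel counts as periodic
MAX_JITTER = 0.25            # (max gap - min gap) / median gap between connections
EXFIL_RATIO = 50             # bytes out vs. the channel's median beacon size
EXFIL_MIN_BYTES = 1_000_000  # ignore small bursts even on a beacon channel

# Constructed sample records (host, time in seconds, dst_ip, dst_port, bytes_out).
# ws01 beacons to 203.0.113.10:443 every 60 s sending ~600 B, then pushes 5 MB
# over that same channel; ws02 only has ordinary, non-periodic browsing traffic.
SAMPLE_EVENTS = [
    ("ws01", 60 * i, "203.0.113.10", 443, 600 + (i % 3) * 10) for i in range(20)
] + [
    ("ws01", 60 * 20, "203.0.113.10", 443, 5_000_000),
    ("ws01", 75, "198.51.100.5", 443, 1_200),
    ("ws02", 10, "198.51.100.5", 443, 2_400),
    ("ws02", 400, "198.51.100.7", 80, 900),
    ("ws02", 410, "198.51.100.7", 80, 120_000),
]


def channels(events):
    """Group records by (host, dst_ip, dst_port) as time-ordered (ts, bytes) pairs."""
    by_channel = defaultdict(list)
    for host, ts, dst, port, bytes_out in events:
        by_channel[(host, dst, port)].append((ts, bytes_out))
    return {key: sorted(recs) for key, recs in by_channel.items()}


def find_beacons(events):
    """Return {channel: median_bytes_out} for channels with many connections at
    near-constant intervals, i.e. the existing C2 channel the technique rides on."""
    beacons = {}
    for key, recs in channels(events).items():
        if len(recs) < MIN_BEACON_CONNECTIONS:
            continue
        gaps = [later[0] - earlier[0] for earlier, later in zip(recs, recs[1:])]
        med_gap = median(gaps)
        if med_gap <= 0:
            continue
        if (max(gaps) - min(gaps)) / med_gap <= MAX_JITTER:
            beacons[key] = median([bytes_out for _, bytes_out in recs])
    return beacons


def detect_exfil_over_c2(events):
    """Flag connections on a beacon channel whose outbound volume dwarfs the
    channel's normal beacon size. The median baseline is robust to the spike."""
    alerts = []
    beacons = find_beacons(events)
    for host, ts, dst, port, bytes_out in events:
        baseline = beacons.get((host, dst, port))
        if baseline is None:
            continue  # large uploads to non-beacon hosts belong to a different rule
        if bytes_out >= EXFIL_MIN_BYTES and bytes_out >= EXFIL_RATIO * baseline:
            alerts.append({"host": host, "ts": ts, "dst": f"{dst}:{port}",
                           "bytes_out": bytes_out, "baseline": baseline})
    return alerts


# Host-side companion check: a simplified command-line heuristic in the spirit of
# the two Splunk ESCU rule names on this page (Invoke-RestMethod / UploadString).
# The patterns are this example's assumption and do not reproduce those rules.
UPLOAD_PATTERNS = [
    re.compile(r"\b(?:Invoke-RestMethod|irm)\b.*-Method\s+Post\b", re.I),
    re.compile(r"\b(?:Invoke-RestMethod|irm)\b.*-InFile\b", re.I),
    re.compile(r"\.Upload(?:String|File|Data)\s*\(", re.I),
]


def is_powershell_upload(cmdline):
    """True when a process command line looks like a PowerShell HTTP upload."""
    return any(p.search(cmdline) for p in UPLOAD_PATTERNS)


if __name__ == "__main__":
    for a in detect_exfil_over_c2(SAMPLE_EVENTS):
        print(f"[T1041] {a['host']} -> {a['dst']} sent {a['bytes_out']} B at "
              f"t={a['ts']} (beacon baseline {a['baseline']} B)")
```

In production the records come from firewall, proxy or Zeek conn logs, and a per-channel baseline learned over days replaces the fixed thresholds (the Elastic rules below whose names start with "Unusual" or "Spike" are baseline-driven in that sense). The evasion to plan for is chunking: an operator who spreads the data across hundreds of normal-sized beacons never trips a per-connection threshold, so also sum bytes_out per channel over a sliding window and compare that against the window's historical total; the host-side check catches the lazy case where the upload is done with a one-liner rather than the implant itself.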

Platforms: ESXi, Linux, macOS, Windows

Detections: 30 (18 elastic, 10 splunk_escu, 2 sigma)
Sources: 3
Threat actors: 25

PROCEDURES (21)

Auto-extracted keyword groupings, each with the number of detections on this page that match it:

General Monitoring: 5 detections
Encrypt: 2 detections
Inject: 2 detections
C2: 2 detections
Service: 2 detections
Event Log: 2 detections
Command And Control: 1 detection
Api: 1 detection
Api: 1 detection
Credential: 1 detection
Credential: 1 detection
Unusual: 1 detection
Dns: 1 detection
Http: 1 detection
Http: 1 detection
Script Block: 1 detection
Event Log: 1 detection
Tunnel: 1 detection
Network Connection Monitoring: 1 detection
Phish: 1 detection
Service: 1 detection

DETECTIONS (30)

Each entry gives the detection name, its source, and the severity the source assigns where the page shows one:

Cisco ASA - Device File Copy to Remote Location (splunk_escu)
Cisco Secure Firewall - High EVE Threat Confidence (splunk_escu)
Cisco Secure Firewall - Intrusion Events by Threat Activity (splunk_escu)
Cisco Secure Firewall - Lumma Stealer Download Attempt (splunk_escu)
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt (splunk_escu)
Cisco Secure Firewall - Potential Data Exfiltration (splunk_escu)
Detect SNICat SNI Exfiltration (splunk_escu)
DNS Tunneling (elastic, low)
Network Activity Detected via Kworker (elastic, low)
Network Communication Initiated To Portmap.IO Domain (sigma, medium)
Network Traffic to Rare Destination Country (elastic, low)
OpenCanary - TFTP Request (sigma, high)
Potential Data Exfiltration Activity to an Unusual Destination Port (elastic, low)
Potential Data Exfiltration Activity to an Unusual IP Address (elastic, low)
Potential Data Exfiltration Activity to an Unusual ISO Code (elastic, low)
Potential Data Exfiltration Activity to an Unusual Region (elastic, low)
Potential Telegram API Request Via CommandLine (splunk_escu)
Spike in Firewall Denies (elastic, low)
Spike in host-based traffic (elastic, low)
Spike in Network Traffic (elastic, low)
Spike in Network Traffic To a Country (elastic, low)
Unusual AWS Command for a User (elastic, low)
Unusual Azure Activity Logs Event for a User (elastic, low)
Unusual GCP Event for a User (elastic, low)
Unusual Linux Network Activity (elastic, low)
Unusual Linux Network Port Activity (elastic, low)
Unusual Network Destination Domain Name (elastic, low)
Unusual Windows Network Activity (elastic, low)
Windows Exfiltration Over C2 Via Invoke RestMethod (splunk_escu)
Windows Exfiltration Over C2 Via Powershell UploadString (splunk_escu)