Exfiltration Over C2 Channel, Technique T1041 - Enterprise
ADVSTORESHELL exfiltrates data over the same channel used for C2.[1]
Agrius exfiltrated staged data using tools such as PuTTY and WinSCP, communicating with command and control servers.[2]
Amadey has sent victim data to its C2 servers.[3]
AppleJeus has exfiltrated collected host information to a C2 server.[4]
AppleSeed can exfiltrate files via the C2 channel.[5]
APT3 has a tool that exfiltrates data over the C2 channel.[6]
APT32's backdoor has exfiltrated data using the already opened channel with its C&C server.[7]
APT39 has exfiltrated stolen victim data through C2 communications.[8]
ArcaneDoor included use of existing command and control channels for data exfiltration.[9][10]
AshTag has exfiltrated reconnaissance data on targeted systems to C2 servers.[11]
Astaroth exfiltrates collected information from its r1.log file to the external C2 server.[12]
Attor has exfiltrated data over the C2 channel.[13]
AuTo Stealer can exfiltrate data over actor-controlled C2 servers via HTTP or TCP.[14]
Adversaries can direct BACKSPACE to upload files to the C2 Server.[15]
BADHATCH can exfiltrate data over the C2 channel.[16][17]
Bandook can upload files from a victim's machine over the C2 channel.[18]
Bankshot exfiltrates data over its C2 channel.[19]
BeaverTail has exfiltrated data collected from victim devices to C2 servers.[20][21][22]
Bisonal has appended exfiltrated data to the URL of its requests over the C2 channel.[23]
BlackByte transmitted collected victim host information via HTTP POST to command and control infrastructure.[24]
BLINDINGCAN has sent user and system information to a C2 server via HTTP POST requests.[25][26]
BLUELIGHT has exfiltrated data over its C2 channel.[27]
BoxCaon uploads files and data from a compromised host over the existing C2 channel.[28]
BRICKSTORM has uploaded files from the victim system to C2 servers.[29][30][31][32][33][34][35]
Bumblebee can send collected data in JSON format to C2.[36]
During C0017, APT41 used its Cloudflare services C2 channels for data exfiltration.[37]
CallMe exfiltrates data to its C2 server over the same protocol as C2 communications.[38]
Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.[39]
Carberp has exfiltrated data via HTTP to already established C2 servers.[40][41]
Caterpillar WebShell can upload files over the C2 channel.[42]
CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST.[43]
Chimera has used Cobalt Strike C2 beacons for data exfiltration.[44]
CHIMNEYSWEEP can upload collected files to the command-and-control server.[45]
Chrommme can exfiltrate collected data via C2.[46]
Confucius has exfiltrated stolen files to its C2 server.[47]
Contagious Interview has exfiltrated data from a compromised host to actor-controlled C2 servers.[48][49][50][51][20][52][53][54][21][22]
CreepySnail can connect to C2 for data exfiltration.[55]
Crimson can exfiltrate stolen information over its C2.[56]
Crutch can exfiltrate data over the primary C2 channel (Dropbox HTTP API).[57]
Cuckoo Stealer can send information about the targeted system to C2 including captured passwords, OS build, hostname, and username.[58]
CURIUM has used IMAP and SMTPS for exfiltration via tools such as IMAPLoader.[59]
Cyclops Blink has the ability to upload exfiltrated files to a C2 server.[60]
DarkGate uses existing command and control channels to retrieve captured cryptocurrency wallet credentials.[61]
DnsSystem can exfiltrate collected data to its C2 server.[62]
Doki has used Ngrok to establish C2 and exfiltrate data.[63]
Drovorub can exfiltrate files over C2 infrastructure.[64]
DUSTTRAP can exfiltrate collected data over C2 channels.[65]
DustySky has exfiltrated data to the C2 server.[66]
Dyre has the ability to send information staged on a compromised host externally to C2.[67]
Ebury exfiltrates a list of outbound and inbound SSH sessions built from OpenSSH's known_hosts files and wtmp records. Ebury can exfiltrate SSH credentials through custom DNS queries or use the Xcat command to send the credentials of the process's SSH session to the C2 server.[68][69]
Emotet has exfiltrated data over its C2 channel.[70][71]
Empire can send data gathered from a target through the command and control channel.[72][73]
EVILNUM can upload files over the C2 channel from the infected host.[74]
Flagpro has exfiltrated data to the C2 server.[75]
FlawedAmmyy has sent data collected from a compromised host to its C2 servers.[76]
FoggyWeb can remotely exfiltrate sensitive information from a compromised AD FS server.[77]
During Frankenstein, the threat actors collected information via Empire, which sent the data back to the adversary's C2.[73]
FunnyDream can execute commands, including gathering user information, and send the results to C2.[78]
GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data.[79]
A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server.[80][81][82]
GoldenSpy has exfiltrated host environment information to an external C2 domain via port 9006.[83]
GoldMax can exfiltrate files over the existing C2 channel.[84][85]
Goopy has the ability to exfiltrate data over the Microsoft Outlook C2 channel.[86]
Grandoreiro can send data it retrieves to the C2 server.[87]
GrimAgent has sent data related to a compromised host over its C2 channel.[88]
HAWKBALL has sent system information and files over the C2 channel.[89]
HexEval Loader has exfiltrated victim data using HTTPS POST requests to its C2 servers.[51][52]
Higaisa exfiltrated data over its C2 channel.[90]
During HomeLand Justice, threat actors used HTTP to transfer data from compromised Exchange servers.[91]
HOPLIGHT has used its C2 channel to exfiltrate data.[92]
HotCroissant has the ability to send files from the infected host to the command and control (C2) server.[93]
HTTPTroy has exfiltrated encrypted data over the C2 channel using the up <FILENAME> command.[94]
IceApple's Multi File Exfiltrator module can exfiltrate multiple files from a compromised host as an HTTP response over C2.[95]
Imminent Monitor has uploaded a file containing debugger logs, network information and system information to the C2.[96]
Industroyer sends information about hardware profiles and previously-received commands back to the C2 server in a POST-request.[97]
InvisibleFerret has used HTTP communications to the "/Uploads" URI for file exfiltration.[98]
IPsec Helper exfiltrates specific files through its command and control framework.[99]
Ke3chang transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.[100]
Kessel has exfiltrated information gathered from the infected system to the C2 server.[101]
Kevin can send data from the victim host through a DNS C2 channel.[102]
KGH_SPY can exfiltrate collected information from the host to the C2 server.[103]
Kimsuky has exfiltrated data over its C2 channel.[104][105]
KONNI has sent data and files to its C2 server.[106][107][108]
KOPILUWAK has exfiltrated collected data to its C2 via POST requests.[109]
LAMEHUG can exfiltrate collected system information and documents to C2.[110][111]
Latrodectus can exfiltrate encrypted system information to the C2 server.[112][113]
Lazarus Group has exfiltrated data and files over a C2 channel through its various tools and malware.[114][115][116]
Leviathan has exfiltrated data over its C2 channel.[117]
Leviathan exfiltrated collected data over existing command and control channels during Leviathan Australian Intrusions.[118]
LightNeuron exfiltrates data over its email C2 channel.[119]
To exfiltrate data, LightSpy configures each module to send an obfuscated JSON blob to hardcoded URL endpoints or paths aligned to the module name.[120]
Line Dancer exfiltrates collected data via command and control channels.[9]
Line Runner utilizes HTTP to retrieve and exfiltrate information staged using Line Dancer.[9]
LitePower can send collected data, including screenshots, over its C2 channel.[121]
LODEINFO can exfiltrate collected credentials and browser cookies to the C2 server.[122]
Lokibot has the ability to initiate contact with command and control (C2) to exfiltrate stolen data.[123]
LuminousMoth has used malware that exfiltrates stolen data to its C2 server.[124]
Lumma Stealer has exfiltrated collected data over existing HTTP and HTTPS C2 channels.[125][126]
LunarMail can use email image attachments with embedded data for receiving C2 commands and data exfiltration.[127]
Machete's collected data is exfiltrated over the same channel used for C2.[128]
MacMa exfiltrates data from a supplied path over its C2 channel.[129]
Mafalda can send network system data and files to its C2 server.[130]
MagicRAT exfiltrates data via HTTP over existing command and control channels.[131]
Mango can use its HTTP C2 channel for exfiltration.[132]
Manjusaka data exfiltration takes place over HTTP channels.[133]
MarkiRAT can exfiltrate locally stored data via its C2.[134]
MechaFlounder has the ability to send the compromised user's account name and hostname within a URL to C2.[135]
metaMain can upload collected files and data to its C2 server.[136]
Metamorfo can send the data it collects to the C2 server.[137]
Mis-Type has transmitted collected files and data to its C2 server.[138]
Misdat has uploaded files and data to its C2 servers.[138]
Mispadu can send the collected financial data to the C2 server.[139][140]
MobileOrder exfiltrates data to its C2 server over the same protocol as C2 communications.[38]
Mongall can upload files and information from a compromised host to its C2 server.[141]
MuddyViper has uploaded files to the C2 server. Additionally, MuddyViper has the ability to upload the specified file in chunks with sleep time between each chunk.[142]
MuddyWater has used C2 infrastructure to receive exfiltrated data.[143]
Mustang Panda has exfiltrated stolen data and files to its C2 server.[144][145][146]
NETEAGLE is capable of reading files over the C2 channel.[15]
NightClub can use SMTP and DNS for file exfiltration and C2.[147]
njRAT has used C2 infrastructure to receive stolen information from the infected machine including screenshots and other system information.[148][149]
Octopus has uploaded stolen files and data from a victim's machine over its C2 channel.[150]
ODAgent can use an attacker-controlled OneDrive account to receive C2 commands and to exfiltrate files.[151]
OilBooster can use an actor-controlled OneDrive account for C2 communication and exfiltration.[151]
Data exfiltration is done by Okrum using the already opened channel with the C2 server.[152]
OopsIE can upload files from the victim's machine to its C2 server.[153]
During Operation Dream Job, Lazarus Group exfiltrated data from a compromised host to actor-controlled C2 servers.[154]
During Operation Honeybee, the threat actors uploaded stolen files to their C2 servers.[155]
During Operation Wocao, threat actors used the XServer backdoor to exfiltrate data.[156]
OutSteel can upload files from a compromised host over its C2 channel.[157]
PcShare can upload files and information from a compromised host to its C2 servers.[78]
Penquin can execute the command code do_upload to send files to C2.[158]
PHASEJAM has the ability to exfiltrate data from the victim appliance.[159]
During the initial Pikabot command and control check-in, Pikabot will transmit collected system information encrypted using RC4.[160]
PingPull has the ability to exfiltrate stolen victim data through its C2 channel.[161]
PlugX has exfiltrated stolen data and files to its C2 server.[162][146]
PoetRAT has exfiltrated data over the C2 channel.[163]
PowerExchange can exfiltrate files via its email C2 channel.[164]
PowerShower has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days.[165]
Proxysvc performs data exfiltration over the control server channel using a custom protocol.[166]
Psylo exfiltrates data to its C2 server over the same protocol as C2 communications.[38]
Pteranodon exfiltrates screenshot files to its C2 server.[80]
Pupy can send screenshots files, keylogger data, files, and recorded audio back to the C2 server.[167]
QakBot can send stolen information to C2 nodes including passwords, accounts, and emails.[168]
Raccoon Stealer uses existing HTTP-based command and control channels for exfiltration.[169][170][171]
RDAT can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel.[172]
RedLine Stealer has sent victim data to its C2 server or RedLine panel server.[173]
During RedPenguin, UNC3886 uploaded specified files from compromised devices to a remote server.[174]
Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel.[175]
REvil can exfiltrate host and malware information to C2 servers.[176]
Rising Sun can send data gathered from the infected machine via HTTP POST request to the C2.[177]
ROKRAT can send collected files back over the same C2 channel.[178]
RotaJakiro sends device and other collected data back to the C2 using the established C2 channels over TCP.[179]
S-Type has uploaded data and files from a compromised host to its C2 servers.[138]
Sagerunex encrypts collected system data then exfiltrates via existing command and control channels.[180]
Sandworm Team has sent system information to its C2 server using HTTP.[181]
Scattered Spider has exfiltrated data from compromised VMware vCenter servers through an established C2 channel using the Teleport remote access tool.[182]
SDBbot has sent collected data from a compromised host to its C2 servers.[76]
Shai-Hulud has used POST to exfiltrate secrets from the victim environment to an attacker-controlled URL.[183][184][185]
During SharePoint ToolShell Exploitation, threat actors exfiltrated stolen credentials and internal data over HTTPS to C2 infrastructure.[186]
Shark has the ability to upload files from the compromised host over a DNS or HTTP C2 channel.[187]
SharpDisco can load a plugin to exfiltrate stolen files to SMB shares also used in C2.[147]
ShimRatReporter sent generated reports to the C2 via HTTP POST requests.[188]
ShrinkLocker will exfiltrate victim system information along with the encryption key via an HTTP POST.[189][190]
SideTwist has exfiltrated data over its C2 channel.[191]
SILENTTRINITY can transfer files from an infected host to the C2 server.[192]
Sliver can exfiltrate files from the victim using the download command.[193]
SLOTHFULMEDIA has sent system information to a C2 server via HTTP and HTTPS POST requests.[194]
SMOKEDHAM has exfiltrated data to its C2 server.[195]
Solar can send staged files to C2 for exfiltration.[132]
SombRAT has uploaded collected data and files from a compromised host to its C2 server.[196]
Spark has exfiltrated data over the C2 channel.[197]
Squirrelwaffle has exfiltrated victim data using HTTP POST requests to its C2 servers.[198]
STARWHALE can exfiltrate collected data to its C2 servers.[199]
After data is collected by Stealth Falcon malware, it is exfiltrated over the existing C2 channel.[200]
StrelaStealer exfiltrates collected email credentials via HTTP POST to command and control servers.[201][202][203][204]
StrifeWater can send data and files from a compromised host to its C2 server.[205]
StrongPity can exfiltrate collected documents through C2 channels.[206][207]
Stuxnet sends compromised victim information via HTTP.[208]
SUGARDUMP has sent stolen credentials and other data to its C2 server.[209]
SVCReady can send collected data in JSON format to its C2 server.[210]
SysUpdate has exfiltrated data over its C2 channel.[211]
TajMahal has the ability to send collected files over its C2.[212]
ThiefQuest exfiltrates targeted file extensions in the /Users/ folder to the command and control server via unencrypted HTTP. Network packets contain a string with two pieces of information: a file path and the contents of the file in a base64 encoded string.[213][214]
Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server.[215]
Torisma can send victim data to an actor-controlled C2 server.[216]
TRANSLATEXT has exfiltrated collected credentials to the C2 server.[217]
TrickBot can send information about the compromised host and upload data to a hardcoded C2 server.[218][219]
Troll Stealer exfiltrates collected information to its command and control infrastructure.[220]
Ursnif has used HTTP POSTs to exfiltrate gathered information.[221][222][223]
Valak has the ability to exfiltrate data over the C2 channel.[224][225][226]
VOID MANTICORE malware has exfiltrated collected data via Telegram bot C2 channels using encrypted communications.[227]
WarzoneRAT can send collected victim data to its C2 server.[228]
Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.[229]
WIRTE has exfiltrated collected victim data to C2 infrastructure.[11]
Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.[230][231]
Woody RAT can exfiltrate files from an infected machine to its C2 server.[232]
XCSSET retrieves files that match the pattern defined in the INAME_QUERY variable within the user's home directory, such as *test.txt, and are below a specific size limit. It then archives the files and exfiltrates the data over its C2 channel.[233][234]
XORIndex Loader has exfiltrated victim data using HTTPS POST requests to its C2 servers.[20]
Zebrocy has exfiltrated data to the designated C2 server using HTTP POST requests.[235][236]
ZIRCONIUM has exfiltrated files via the Dropbox API C2.[237]
ZLib has sent data and files from a compromised host to its C2 servers.[138]
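Several of the procedure examples above describe concrete on-the-wire patterns that a defender can look for without decrypting anything: ThiefQuest sends a file path plus the base64-encoded file body in a cleartext HTTP POST, MechaFlounder and Bisonal carry stolen identifiers or data in the request URL itself, and MuddyViper pushes a file in fixed-size chunks with a sleep between each one. The following is an added example written for this page; it is not code from ATT&CK, from any of the malware families listed, or from their authors. It runs three heuristics over constructed HTTP proxy records. The record schema (ts, src, dst, method, url, body), the `|` separator between path and base64 payload, the asset inventory, and the thresholds in `chunked_uploads` are all assumptions chosen for the example.

```python
"""Heuristics for T1041-style exfiltration riding an existing HTTP C2 channel.
Added example: not ATT&CK code and not code from any listed malware family.
All records, identifiers and thresholds below are constructed assumptions."""
import base64
import re
import statistics
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed asset inventory (assumption): identifiers whose appearance in a
# URL to an external host would indicate a MechaFlounder-style identity leak.
INVENTORY = {"hostnames": {"fin-ws-042"}, "usernames": {"j.doe"}}

# Constructed proxy records; the (ts, src, dst, method, url, body) schema is an assumption.
SAMPLE_RECORDS = [
    # ThiefQuest-style: file path and base64 file contents in one cleartext POST
    (1000, "10.0.0.5", "203.0.113.9", "POST", "http://203.0.113.9/u",
     "/Users/jdoe/Documents/q3.xlsx|" + base64.b64encode(b"PK\x03\x04fake-xlsx").decode()),
    # MechaFlounder-style: hostname and account name carried in the URL query
    (1001, "10.0.0.7", "198.51.100.4", "GET",
     "http://198.51.100.4/c?h=fin-ws-042&u=j.doe&v=1", ""),
    # MuddyViper-style: one file fed through C2 in equal chunks with a fixed sleep
    *[(1100 + 30 * i, "10.0.0.9", "192.0.2.20", "POST",
       "http://192.0.2.20/api/v1/sync", "A" * 4096) for i in range(5)],
    # Benign: an ordinary form submission
    (1300, "10.0.0.11", "93.184.216.34", "POST", "http://93.184.216.34/login",
     "user=alice&pw=hunter2"),
]

# '|' as the path/payload separator is an assumption; the page only says the
# packet carries a path and the file contents as a base64 string.
PATH_B64 = re.compile(r"^(?P<path>/Users/[^|]+)\|(?P<b64>[A-Za-z0-9+/]+={0,2})$")


def parse_path_and_payload(body):
    """Return (path, file_bytes) for a ThiefQuest-style body, else None."""
    m = PATH_B64.match(body)
    if not m:
        return None
    try:
        data = base64.b64decode(m.group("b64"), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return m.group("path"), data


def url_identity_leak(url, inventory=INVENTORY):
    """Return (param, kind, value) for query values that equal a known hostname or username."""
    leaks = []
    for key, values in parse_qs(urlparse(url).query).items():
        for v in values:
            if v in inventory["hostnames"]:
                leaks.append((key, "hostname", v))
            elif v in inventory["usernames"]:
                leaks.append((key, "username", v))
    return leaks


def chunked_uploads(records, min_chunks=4, max_size_cv=0.05, max_gap_cv=0.25):
    """Flag (src, dst, path) flows with >= min_chunks POSTs of near-identical size
    sent at near-regular intervals: a file being pushed in chunks with a sleep."""
    by_flow = defaultdict(list)
    for ts, src, dst, method, url, body in records:
        if method == "POST":
            by_flow[(src, dst, urlparse(url).path)].append((ts, len(body)))
    hits = []
    for flow, posts in by_flow.items():
        if len(posts) < min_chunks:
            continue
        posts.sort()
        sizes = [s for _, s in posts]
        gaps = [b[0] - a[0] for a, b in zip(posts, posts[1:])]
        if statistics.mean(sizes) == 0 or statistics.mean(gaps) == 0:
            continue
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        gap_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        if size_cv <= max_size_cv and gap_cv <= max_gap_cv:
            hits.append((*flow, len(posts), sum(sizes)))
    return hits


def scan(records):
    """Run all three heuristics and return a list of alert tuples."""
    alerts = []
    for ts, src, dst, method, url, body in records:
        parsed = parse_path_and_payload(body)
        if parsed:
            alerts.append(("file_in_c2_body", src, dst, parsed[0], len(parsed[1])))
        for key, kind, value in url_identity_leak(url):
            alerts.append(("identity_in_url", src, dst, f"{key}={value}", kind))
    for src, dst, path, n, total in chunked_uploads(records):
        alerts.append(("chunked_upload", src, dst, path, f"{n} chunks, {total} bytes"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

The chunking heuristic is the one most worth tuning: legitimate sync clients also POST at regular intervals, so in practice it should be gated on destination reputation or on the beacon already being flagged, and the size tolerance should reflect the chunk size the tooling in your environment actually uses. The other two checks only work while the channel is cleartext, which the ThiefQuest and MechaFlounder descriptions say it was; against HTTPS C2 the equivalent signal is the ratio of outbound to inbound bytes per flow.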