T1041: Exfiltration Over C2 Channel
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
Positive Technologies products that cover the technique
Detection
PT NAD can detect malware, hacking and post-exploitation tools, which can be used by adversaries to exfiltrate data to C2 servers via various protocols. This is done using PTsecurity pack rules, reputation lists, and modules of the activity stream.
Examples of PT NAD detection rules
- STEALER [PTsecurity] RedLine (sid 10005786)
- TOOLS [PTsecurity] ngrok agent TLS request (sid 10009340)
- TOOLS [PTsecurity] SSF Tunneling tool over SSL (sid 10005861)
Examples of PT NAD detection modules
- DNS tunneling
- Cobalt Strike usage
Detection
ID | Data source and component | Description
---|---|---
DS0029 | Network Traffic: Network Connection Creation | Monitor for newly constructed network connections that are sent or received by untrusted hosts. Note: network analysis frameworks such as Zeek can be used to capture, decode, and alert on TCP network connection creation.
DS0029 | Network Traffic: Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).
DS0029 | Network Traffic: Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
DS0022 | File: File Access | Monitor for suspicious files (i.e. .pdf, .docx, .jpg, etc.) viewed in isolation that may be staged for exfiltration over an existing command and control channel.
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may steal data by exfiltrating it over an existing command and control channel.
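The Network Connection Creation and Network Traffic Flow rows above describe looking for uncommon data flows, and the technique itself means the stolen data rides the same outbound C2 connection. The detector below is an added example written for this page; it is not code from Positive Technologies, MITRE, or Zeek. It parses constructed Zeek-style conn.log lines (the column names follow Zeek's conn.log, the sample rows are invented, and the external addresses are TEST-NET ranges) and flags an internal host that repeatedly opens connections to one external endpoint where bytes sent far outweigh bytes received. The thresholds and the RFC 1918 internal ranges are assumptions chosen for illustration.

```python
"""Flag repeated, upload-heavy flows to external hosts in Zeek-style conn.log records.

Added example, not part of the original page. Column layout mirrors a subset
of Zeek's conn.log fields; sample rows, addresses and thresholds are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Subset of Zeek conn.log columns used by the constructed sample.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]

# Constructed sample: 10.0.0.5 browses normally (download-heavy), copies a file to an
# internal share, and keeps pushing ~500 KB uploads to one external TLS endpoint
# every 60 seconds, which is the pattern of data leaving over a C2 channel.
SAMPLE_CONN_LOG = """\
1700000000.100\tC1\t10.0.0.5\t51000\t198.51.100.23\t443\ttcp\tssl\t12.0\t1800\t98000\tSF
1700000060.200\tC2\t10.0.0.5\t51001\t203.0.113.7\t443\ttcp\tssl\t4.0\t512000\t900\tSF
1700000120.300\tC3\t10.0.0.5\t51002\t203.0.113.7\t443\ttcp\tssl\t4.1\t498000\t850\tSF
1700000180.400\tC4\t10.0.0.5\t51003\t203.0.113.7\t443\ttcp\tssl\t3.9\t505000\t910\tSF
1700000200.000\tC5\t10.0.0.5\t51004\t10.0.0.20\t445\ttcp\tsmb\t30.0\t2400000\t1200\tSF
1700000240.500\tC6\t10.0.0.5\t51005\t203.0.113.7\t443\ttcp\tssl\t4.2\t511000\t880\tSF
1700000300.600\tC7\t10.0.0.8\t51006\t198.51.100.23\t443\ttcp\tssl\t9.0\t2200\t150000\tSF
"""

# Assumed thresholds; tune against the baseline of the monitored network.
MIN_ORIG_BYTES = 1_000_000   # total bytes sent outward per (src, dst, port)
MIN_UPLOAD_RATIO = 20.0      # orig_bytes / resp_bytes across the group
MIN_CONNECTIONS = 3          # repeated connections to the same endpoint

# Assumed internal ranges (RFC 1918 plus loopback); TEST-NET addresses count as external.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    """True when the address falls in one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text: str) -> list:
    """Parse tab-separated conn.log lines into dicts keyed by FIELDS."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # Zeek header/comment lines
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # skip malformed rows rather than crash the detector
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = float(rec["ts"])
        rec["orig_bytes"] = int(rec["orig_bytes"])
        rec["resp_bytes"] = int(rec["resp_bytes"])
        records.append(rec)
    return records


def find_upload_heavy_flows(records: list) -> list:
    """Group connections by (src, dst, dst port) to external hosts and return
    the groups whose outbound volume, upload ratio and repeat count all exceed
    the thresholds, together with the mean spacing between connections."""
    groups = defaultdict(list)
    for rec in records:
        if is_internal(rec["id.resp_h"]):
            continue  # internal transfers (file shares, backups) are out of scope here
        groups[(rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])].append(rec)

    findings = []
    for (src, dst, port), recs in groups.items():
        sent = sum(r["orig_bytes"] for r in recs)
        received = sum(r["resp_bytes"] for r in recs)
        ratio = sent / max(received, 1)
        if len(recs) < MIN_CONNECTIONS or sent < MIN_ORIG_BYTES or ratio < MIN_UPLOAD_RATIO:
            continue
        times = sorted(r["ts"] for r in recs)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        findings.append({
            "src": src, "dst": dst, "port": port,
            "connections": len(recs), "bytes_out": sent,
            "upload_ratio": round(ratio, 1),
            "mean_gap_s": round(sum(gaps) / len(gaps), 1),
        })
    return findings


if __name__ == "__main__":
    for finding in find_upload_heavy_flows(parse_conn_log(SAMPLE_CONN_LOG)):
        print(finding)
```

On the constructed sample only the 10.0.0.5 to 203.0.113.7:443 group is reported: four connections, about 2 MB sent against a few KB received, roughly 60 seconds apart. The single browsing sessions and the SMB copy to an internal host fall below the thresholds or are excluded as internal, which is the point of combining volume, direction and repetition rather than alerting on any large transfer.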
Mitigation
ID | Name | Description
---|---|---
M1057 | Data Loss Prevention | Data loss prevention can detect and block sensitive data being sent over unencrypted protocols.
M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.