Esc
Exfiltration Over C2 Channel - T1041
(ATT&CK® Technique)
Definition
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1041["Exfiltration Over C2 Channel"] --> |produces| InternetNetworkTraffic["Internet Network Traffic"]; class T1041 OffensiveTechniqueNode;
class InternetNetworkTraffic ArtifactNode; click InternetNetworkTraffic href "/dao/artifact/d3f:InternetNetworkTraffic";
click T1041 href "/offensive-technique/attack/T1041/"; click InternetNetworkTraffic href "/dao/artifact/d3f:InternetNetworkTraffic"; T1041["Exfiltration Over C2 Channel"] --> |may-transfer| CertificateFile["Certificate File"]; class T1041 OffensiveTechniqueNode;
class CertificateFile ArtifactNode; click CertificateFile href "/dao/artifact/d3f:CertificateFile";
click T1041 href "/offensive-technique/attack/T1041/"; click CertificateFile href "/dao/artifact/d3f:CertificateFile"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | InternetNetworkTraffic["Internet Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1041["Exfiltration Over C2 Channel"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class InternetNetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; CertificateAnalysis["Certificate Analysis"] -->
| analyzes | CertificateFile["Certificate File"];
CertificateAnalysis["Certificate Analysis"] -.->
| may-detect | T1041["Exfiltration Over C2 Channel"] ;
class CertificateAnalysis DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click CertificateAnalysis href "/technique/d3f:CertificateAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | InternetNetworkTraffic["Internet Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1041["Exfiltration Over C2 Channel"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class InternetNetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | InternetNetworkTraffic["Internet Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1041["Exfiltration Over C2 Channel"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class InternetNetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | InternetNetworkTraffic["Internet Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1041["Exfiltration Over C2 Channel"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class InternetNetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | InternetNetworkTraffic["Internet Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1041["Exfiltration Over C2 Channel"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class InternetNetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | InternetNetworkTraffic["Internet Network Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1041["Exfiltration Over C2 Channel"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class InternetNetworkTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; DecoyFile["Decoy File"] -->
| spoofs | CertificateFile["Certificate File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1041["Exfiltration Over C2 Channel"] ;
class DecoyFile DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | InternetNetworkTraffic["Internet Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1041["Exfiltration Over C2 Channel"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class InternetNetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; LocalFilePermissions["Local File Permissions"] -->
| restricts | CertificateFile["Certificate File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1041["Exfiltration Over C2 Channel"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | CertificateFile["Certificate File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1041["Exfiltration Over C2 Channel"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; RestoreFile["Restore File"] -->
| restores | CertificateFile["Certificate File"];
RestoreFile["Restore File"] -.->
| may-restore | T1041["Exfiltration Over C2 Channel"] ;
class RestoreFile DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; FileEviction["File Eviction"] -->
| deletes | CertificateFile["Certificate File"];
FileEviction["File Eviction"] -.->
| may-evict | T1041["Exfiltration Over C2 Channel"] ;
class FileEviction DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
| encrypts | CertificateFile["Certificate File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1041["Exfiltration Over C2 Channel"] ;
class FileEncryption DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | InternetNetworkTraffic["Internet Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1041["Exfiltration Over C2 Channel"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class InternetNetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; FileAnalysis["File Analysis"] -->
| analyzes | CertificateFile["Certificate File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1041["Exfiltration Over C2 Channel"] ;
class FileAnalysis DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | CertificateFile["Certificate File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1041["Exfiltration Over C2 Channel"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class CertificateFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";