# T1041 Exfiltration Over C2 Channel

-----------------------------------------------------------------------

## Technique Description

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

## Technique Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)

-----------------------------------------------------------------------

### Tactics:

  *   Exfiltration

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Command:** Command Execution

  * **Network Traffic:** Network Connection Creation

  * **File:** File Access

  * **Network Traffic:** Network Traffic Flow

  * **Network Traffic:** Network Traffic Content

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has exfiltrated stolen files to its C2 server.(Citation: TrendMicro Confucius APT Aug 2021)| 
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has exfiltrated files via the Dropbox API C2.(Citation: Zscaler APT31 Covid-19 October 2020)| 
| Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) exfiltrated data over its C2 channel.(Citation: Zscaler Higaisa 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has used the Xserver backdoor to exfiltrate data.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used [Cobalt Strike](https://attack.mitre.org/software/S0154) C2 beacons for data exfiltration.(Citation: NCC Group Chimera January 2021) | 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.(Citation: CrowdStrike Grim Spider May 2019)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has collected information via [Empire](https://attack.mitre.org/software/S0363), which automatically sent the data back to the adversary's C2.(Citation: Talos Frankenstein June 2019)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has exfiltrated data over its C2 channel.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)| 
| GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used Web shells and [HTRAN](https://attack.mitre.org/software/S0040) for C2 and to exfiltrate data.(Citation: Cybereason Soft Cell June 2019)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has exfiltrated stolen victim data through C2 communications.(Citation: FBI FLASH APT39 September 2020)| 
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has exfiltrated data over its C2 channel.(Citation: CISA AA21-200A APT40 July 2021)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used C2 infrastructure to receive exfiltrated data.(Citation: Reaqta MuddyWater November 2017)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050)'s backdoor has exfiltrated data using the already opened channel with its C&C server.(Citation: ESET OceanLotus Mar 2019)| 
| Gamaredon Group | A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can transfer collected files to a hardcoded C2 server.(Citation: Palo Alto Gamaredon Feb 2017)| 
| Stealth Falcon | After data is collected by [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware, it is exfiltrated over the existing C2 channel.(Citation: Citizen Lab Stealth Falcon May 2016)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has sent system information to its C2 server using HTTP.(Citation: ESET Telebots Dec 2016)	| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has exfiltrated data and files over a C2 channel through its various tools and malware.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee Lazarus Nov 2020)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) has a tool that exfiltrates data over the C2 channel.(Citation: FireEye Clandestine Fox)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.(Citation: Mandiant Operation Ke3chang November 2014)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1041)

  * [University Of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated  Date:** 06 July 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, CTR Emily Porras, SSgt Eric Plude

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use their established command and control channels to exfiltrate data out of the network to adversary-controlled infrastructure. HTTP/S protocols will be used, with possible POST requests sent by the infected host. RC6-encrypted cookies have been observed over HTTP in previous malware communications to adversary infrastructure.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT29 |  | 1 |

#### APT28
- ADVSTORESHELL (APT28 backdoor) exfiltrates data over the same channel used for C2.
- Cannon (APT28 Trojan) exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.
- Drovorub (Linux malware toolset used by APT28) can exfiltrate files over C2 infrastructure.
- Zebrocy (Trojan used by APT28) has exfiltrated data to the designated C2 server using HTTP POST requests.

#### Turla
- Empire (post-exploitation framework used by Turla) can send data gathered from a target through the command and control channel.
- LightNeuron (backdoor used by Turla) exfiltrates data over its email C2 channel.

## Detection Blindspots

- Incorrect sensor placement may not allow for this TTP to be identified if required traffic is not captured.
- Encryption makes analysis of the payload difficult; connection metadata should be used instead.

## Analytical References

  * [Drovorub](https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF)
  * [Snakemackerel](https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50)
  * [SUNSHUTTLE](https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html)
  * [SUNBURST](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html)
  * [Wellmess Analysis C2 (pwc.co.uk)](https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html)
  * [APT28 targets COVID Vaccine Development (ncsc.gov.uk)](https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf)
  * [Analysis Reports AR20198B (cisa)](https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Processes utilizing the network that do not normally have network communication, or that are unique to a single device or a few devices.
- Exfiltration over C2 may start with the process making a DNS request for the C2 server.
- If a lolbin is reaching out externally to an unknown domain, this could indicate a beacon or exfiltration over the C2 channel. For more information on lolbins, see https://lolbas-project.github.io/

#### Analytic 1

  * **Information:** Find abnormal process network connections

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** Sort processes to find less frequent occurrences and potentially odd domains. Keep in mind processes such as rundll32 that make network connections but typically connect to Microsoft IPs.

  * **Query Pseudo:** `event.code : 3 AND <destination is not internal to the network>`

#### Analytic 2

  * **Information:** Unless the C2 implant reaches out to a hardcoded IP address, the process will generate an event code 22 (DNS query) for the C2 server.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:**
    * This is an extremely long and tedious hunt. The C2 server could be a CDN, in which case filtering out all Majestic domains would miss the implants.
    * If a process reaches out to a CDN with randomized subdomains for legitimate reasons, filter out the entire path of the process, not just the process name.

  * **Query:** `event.code: 22 AND NOT dns.question.name: [domain] AND NOT process.executable: [full path]` (note: it took about 210 additional exclude filters to reduce actual mission data to a manageable dataset; however, this single hunt found every implant on the network that had communicated with C2.)
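The two host analytics above, run over constructed Sysmon records as an added example (not part of the playbook). The ECS field names follow the queries above; the domain and full-path exclude sets, the process paths and the destination addresses are all constructed, and "internal" is taken to mean the RFC1918 ranges the network queries use.

```python
# Added example (not from the playbook): apply Host Analytics 1 and 2 to constructed
# Sysmon records (event.code 3 = network connection, event.code 22 = DNS query).
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed events using the ECS field names from the queries above.
SYSMON_EVENTS = [
    {"event.code": 3, "process.executable": r"C:\Windows\System32\svchost.exe", "destination.ip": "10.1.2.3"},
    {"event.code": 3, "process.executable": r"C:\Windows\System32\rundll32.exe", "destination.ip": "203.0.113.10"},
    {"event.code": 3, "process.executable": r"C:\Windows\System32\rundll32.exe", "destination.ip": "203.0.113.11"},
    {"event.code": 3, "process.executable": r"C:\Users\alice\AppData\Roaming\updater.exe", "destination.ip": "198.51.100.7"},
    {"event.code": 22, "process.executable": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dns.question.name": "www.example.com"},
    {"event.code": 22, "process.executable": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dns.question.name": "k3jd8a.cdn.example.net"},
    {"event.code": 22, "process.executable": r"C:\Users\alice\AppData\Roaming\updater.exe", "dns.question.name": "a8f3k2.cdn.example.net"},
    {"event.code": 22, "process.executable": r"C:\Windows\System32\rundll32.exe", "dns.question.name": "login.example.org"},
]

# Exclude filters accumulated during the hunt (constructed). The CDN with randomized
# subdomains cannot be excluded by name, so the browser is excluded by its full path,
# as the notes recommend, which keeps the same CDN lookups from other binaries visible.
DOMAIN_EXCLUDES = {"www.example.com", "login.example.org"}
PATH_EXCLUDES = {r"C:\Program Files\Mozilla Firefox\firefox.exe"}

def is_external(ip: str) -> bool:
    """Stands in for '<destination is not internal to the network>' in Analytic 1."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def external_connections(events):
    """Analytic 1: event.code 3 to external destinations, least frequent process first."""
    hits = [e for e in events if e["event.code"] == 3 and is_external(e["destination.ip"])]
    freq = Counter(e["process.executable"] for e in hits)
    return sorted(hits, key=lambda e: freq[e["process.executable"]])

def unexplained_dns(events, domain_excludes=DOMAIN_EXCLUDES, path_excludes=PATH_EXCLUDES):
    """Analytic 2: event.code 22 not removed by the domain or full-path exclude filters."""
    return [e for e in events
            if e["event.code"] == 22
            and e["dns.question.name"] not in domain_excludes
            and e["process.executable"] not in path_excludes]

if __name__ == "__main__":
    for e in external_connections(SYSMON_EVENTS):
        print("event 3 ", e["process.executable"], "->", e["destination.ip"])
    for e in unexplained_dns(SYSMON_EVENTS):
        print("event 22", e["process.executable"], "->", e["dns.question.name"])
```

Against this sample the rarest external talker (the user-profile updater) sorts to the top of Analytic 1, and only its CDN lookup survives the Analytic 2 exclude filters.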


## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- TLS connections make it difficult to analyze the HTTP body of a connection. Use metadata about the connection to gather information to correlate with other activity seen for the specified host or connection.
- Obfuscated Base64 data in HTTP connections should be investigated.
- Encrypted connections over HTTP ports should be investigated.
- Suspicious domains that try to mimic well-known websites (pandora, gmail, amazon, microsoft, etc.) should not be overlooked.
- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
- Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.
- Use intel to generate possible IDS rules. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
- If trying to identify a beacon within a time window (for example, a single beacon per day for 2 weeks), you would be looking for 14 beacon sessions.

#### Analytic 1

  * **Information:** Identify HTTP POST with possible encoded/encrypted cookies.

  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:**
    * Combine this with successful HTTP connections.
    * C2 can be carried in HTTP in many ways, including cookies, the user-agent string, the body, etc. However, the C2 data is usually obfuscated in some way, which will be flagged by entropy.http. The analyst should then look at unique user-agent strings and cookies and determine whether any could be obfuscated C2. Use Export Unique in Arkime on the user-agent and cookie fields.

  * **Query Arkime:**

     * `protocols == http && ip.dst != [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16] && entropy.http == [6, 7, 8] && http.cookie.value == EXISTS!`
     * `protocols == http && ip.dst != [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16] && entropy.http == [6, 7, 8] && http.cookie.cnt >= 10`
     * `protocols == http && ip.dst != [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16] && entropy.http == [6, 7, 8] && http.user-agent == [begin filtering out normal]`

  * **Query Kibana:**

     * `protocols: http AND NOT ip.dst: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16] AND entropy.http: [6, 7, 8] AND http.cookie.value: EXISTS!`
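The cookie-entropy query above, reproduced in code over constructed HTTP session records as an added example (not part of the playbook and not Arkime's own implementation). It assumes the entropy.http field can be approximated by the Shannon entropy, in bits per symbol, of the Cookie value; the sessions, addresses, user agents and the high-entropy cookie are all constructed.

```python
# Added example (not from the playbook): score constructed HTTP session records the way
# Network Analytic 1 does, using Shannon entropy (bits per symbol) of the Cookie value
# as a stand-in for Arkime's entropy.http field (assumption, not Arkime's own code).
import ipaddress
import math
import string
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed cookie holding every base64 symbol once: log2(65) ~ 6.02 bits/symbol, the
# ceiling for base64 text and inside the [6, 8] band the queries above look for.
HIGH_ENTROPY_COOKIE = string.ascii_letters + string.digits + "+/="

# Constructed sessions; field names follow the Arkime queries above.
SESSIONS = [
    {"ip.dst": "203.0.113.5", "http.user-agent": "Mozilla/5.0",
     "http.cookie.value": "sessionid=ab12cd34; lang=en"},            # ordinary cookie
    {"ip.dst": "203.0.113.9", "http.user-agent": "Mozilla/5.0",
     "http.cookie.value": HIGH_ENTROPY_COOKIE},                       # looks encoded/encrypted
    {"ip.dst": "192.168.1.20", "http.user-agent": "curl/8.0",
     "http.cookie.value": HIGH_ENTROPY_COOKIE},                       # internal: out of scope
    {"ip.dst": "198.51.100.2", "http.user-agent": "UpdaterClient/1.0"},  # no cookie at all
]

def shannon_entropy(data: str) -> float:
    """Bits per symbol: 8.0 is the ceiling for raw bytes, ~6.02 for base64 text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_external(ip: str) -> bool:
    """Mirror of 'ip.dst != [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]'."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def suspicious_cookie_sessions(sessions, low=6.0, high=8.0):
    """First Arkime query above: external dst, cookie present, entropy within [low, high]."""
    hits = []
    for s in sessions:
        cookie = s.get("http.cookie.value")
        if not cookie or not is_external(s["ip.dst"]):
            continue
        ent = shannon_entropy(cookie)
        if low <= ent <= high:
            hits.append({**s, "entropy.http": round(ent, 2)})
    return hits

def unique_values(sessions, field):
    """The Export Unique review step for the user-agent or cookie field."""
    return sorted({s[field] for s in sessions if field in s})
```

Note that base64 cannot exceed about 6 bits per symbol, so a cookie in the 7 to 8 band implies raw (non-base64) ciphertext or binary, which is itself unusual in a cookie header.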

#### Analytic 2

  * **Information:** Identify possible C2 communication over TLS using certificate metadata associated to the network connections

  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:**
      * Identify the CA details associated with TLS connections. It is possible intel has identified IOCs related to CAs used by the adversary. Pay close attention to self-signed cert tags. Let's Encrypt is a common provider of self-signed certs.

      * Pay close attention to the byte count sent to a destination: if it is larger than the data being received, this may be an indication of data exfil.

      * After identifying a TLS session of interest, gather http.host info, cert issuer, and subject organization. Eliminating traffic that has been identified as normal will help in filtering traffic.

      * Follow the traffic and identify whether a DNS request was ever made for the particular domain in question. Slowly review and eliminate traffic that has been cleared.

      * Replace "EXISTS!" and "*" with specific data identified in previous queries. Here EXISTS! is being used as a placeholder; using EXISTS! will return a lot of data that may be difficult to filter through.

  * **Query Arkime:** `protocols == tcp && ip.dst != [10/8, 172.16/12, 192.168/16] && cert.issuer.on == EXISTS!`
     * `cert.issuer.on == [modify as needed]`
     * `cert.subject.on == [modify as needed]`
     * `cert.subject.cn == [modify as needed]`
     
  * **Query Kibana:** 
     * `cert.issuer.on: [modify as needed]`
     * `cert.subject.on: [modify as needed]`
     * `cert.subject.cn: [modify as needed]`
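The Analytic 2 triage steps (certificate issuer and subject, byte asymmetry, and whether the client ever made a DNS request for the host) carried out in code over constructed TLS session records, as an added example that is not part of the playbook. The field names follow the Arkime queries above; the sessions, the DNS log, the known-good issuer list and the 10x asymmetry ratio are constructed, and "self-signed" is approximated here as issuer equal to subject rather than Arkime's own tag.

```python
# Added example (not from the playbook): triage constructed TLS session records as in
# Network Analytic 2: certificate issuer/subject, byte asymmetry, and whether the client
# ever resolved the host by DNS. "Self-signed" is approximated as issuer == subject.
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sessions with the Arkime field names from the queries above;
# bytes.src is client->server, bytes.dst is server->client.
TLS_SESSIONS = [
    {"ip.src": "10.1.1.5", "ip.dst": "203.0.113.20", "http.host": "updates.example.com",
     "cert.issuer.on": "Example Trust CA", "cert.subject.on": "Example Corp",
     "cert.subject.cn": "updates.example.com", "bytes.src": 4_200, "bytes.dst": 1_900_000},
    {"ip.src": "10.1.1.5", "ip.dst": "198.51.100.33", "http.host": "",
     "cert.issuer.on": "Acme Internal", "cert.subject.on": "Acme Internal",
     "cert.subject.cn": "srv01", "bytes.src": 52_000_000, "bytes.dst": 9_800},
    {"ip.src": "10.1.1.7", "ip.dst": "10.1.1.9", "http.host": "files.corp.local",
     "cert.issuer.on": "Corp CA", "cert.subject.on": "Corp IT",
     "cert.subject.cn": "files.corp.local", "bytes.src": 80_000_000, "bytes.dst": 3_000},
]

# Constructed DNS log as (client, name) pairs, e.g. from Sysmon event.code 22.
DNS_QUERIES = {("10.1.1.5", "updates.example.com"), ("10.1.1.7", "files.corp.local")}

# Issuers already cleared in earlier hunts ("eliminate traffic identified as normal").
KNOWN_GOOD_ISSUERS = {"Example Trust CA"}

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triage_tls(sessions, dns_queries=DNS_QUERIES, known_good=KNOWN_GOOD_ISSUERS, ratio=10.0):
    """Return (ip.dst, reasons) for external TLS sessions that deserve a closer look."""
    findings = []
    for s in sessions:
        if not is_external(s["ip.dst"]) or s["cert.issuer.on"] in known_good:
            continue
        reasons = []
        if s["cert.issuer.on"] == s["cert.subject.on"]:
            reasons.append("self-signed: issuer matches subject")
        if s["bytes.src"] > ratio * s["bytes.dst"]:
            reasons.append("client sent %dx more than it received" % (s["bytes.src"] // max(s["bytes.dst"], 1)))
        host = s["http.host"] or s["cert.subject.cn"]   # fall back to the cert CN when SNI/host is absent
        if (s["ip.src"], host) not in dns_queries:
            reasons.append("no DNS query seen for " + host)
        if reasons:
            findings.append((s["ip.dst"], reasons))
    return findings

if __name__ == "__main__":
    for dst, reasons in triage_tls(TLS_SESSIONS):
        print(dst, "; ".join(reasons))
```

The internal-to-internal session is skipped by the ip.dst filter even though it is heavily asymmetric, which is the Detection Blindspot above about sensor placement: internal staging hosts need a separate query.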