Find sigma rule
Attack: Exfiltration Over C2 Channel
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
MITRE
Tactic
- exfiltration
technique
- T1041
Test : C2 Data Exfiltration
OS
- windows
Description:
Exfiltrates a file present on the victim machine to the C2 server.
Executor
powershell
Sigma Rule
-
posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)
-
posh_ps_script_with_upload_capabilities.yml (id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb)
-
net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)