What starting position does this attack require?

The first step is Bulk download to attacker storage (T1041) — a exfiltration primitive. Assumed environment: target hospital exposes its PACS to the corporate LAN with default AE titles and no authentication.

What is the final impact of this kill-chain?

The final step lands on DICOM C-ECHO handshake (HC-DICOM-CSTORE), which falls under Collection. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

Unauth DICOM PACS → mass medical-image exfil

PACS server accepts unauthenticated C-FIND / C-MOVE on port 104 / 11112. Query for every study, pull every image — exfil hundreds of thousands of patient scans + DICOM metadata (PII).

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Exfiltration

Bulk download to attacker storage

T1041 · Exfiltration Over C2 Channel

Discovery

C-FIND every patient study

T1087 · Account Discovery

Discovery

Find PACS via DICOM port scan

N-NMAP-INTERNAL · Internal Nmap Sweep

Collection

C-MOVE images to attacker SCP

HC-DICOM-CSTORE · DICOM C-STORE Unauth Access

Collection

DICOM C-ECHO handshake

HC-DICOM-CSTORE · DICOM C-STORE Unauth Access

§ Context

Assumed environment: target hospital exposes its PACS to the corporate LAN with default AE titles and no authentication. (Shodan still finds public PACS too.)

§ Steps

01
Bulk download to attacker storageExfiltration
T1041— Exfiltration Over C2 Channel
02
C-FIND every patient studyDiscovery
T1087— Account Discovery
03
Find PACS via DICOM port scanDiscovery
N-NMAP-INTERNAL— Internal Nmap Sweep
04
C-MOVE images to attacker SCPCollection
HC-DICOM-CSTORE— DICOM C-STORE Unauth Access
05
DICOM C-ECHO handshakeCollection
HC-DICOM-CSTORE— DICOM C-STORE Unauth Access

§ References

T1041Exfiltration Over C2 Channel
T1087Account Discovery

§ Frequently asked

What is the "Unauth DICOM PACS → mass medical-image exfil" attack path?: PACS server accepts unauthenticated C-FIND / C-MOVE on port 104 / 11112. Query for every study, pull every image — exfil hundreds of thousands of patient scans + DICOM metadata (PII). It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Bulk download to attacker storage (T1041) — a exfiltration primitive. Assumed environment: target hospital exposes its PACS to the corporate LAN with default AE titles and no authentication.
What is the final impact of this kill-chain?: The final step lands on DICOM C-ECHO handshake (HC-DICOM-CSTORE), which falls under Collection. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Unauth DICOM PACS → mass medical-image exfil

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)

BACnet HVAC → disrupt building operations

z/OS TN3270 → RACF userID brute → mainframe shell

Open MongoDB → dump every collection

Reachable Modbus PLC → direct register override

Open ADB on the network → device shell