Exfiltration Over C2 Channel
Send data out through the C2 channel.
§ Where this technique fits
T1041 is catalogued under the Exfiltration tactic of the offensive-security kill-chain. It appears in 39 approved dossiers in the registry, at step 5.3 on average.
Authoritative reference: attack.mitre.org/techniques/T1041/.
§ Dossiers chaining this technique
- step 3 / 4
SharePoint / OneDrive public link enumeration → data dump
Bing / Grayhat Warfare reveals corporate SharePoint files shared 'with anyone' — financial docs, contracts, credentials in plaintext, etc.
- step 4 / 5
Flash-loan veCRV → capture Curve gauge → emission redirect
Snapshot voting on Curve gauges uses veCRV balance at a specific block. Borrow large CRV via flash-loan, lock for max veCRV, vote in attacker pool's favour, unlock (or accept the limit) — emissions redirected for the epoch.
- step 4 / 5
Open MongoDB → dump every collection
Shodan-indexed MongoDB on 27017 with no auth. Connect, list databases, dump every collection. Often the second stage is a ransom note in a new 'README' collection.
- step 4 / 4
EMV → Magstripe downgrade → card cloning
Many terminals still accept magstripe fallback when EMV chip 'fails'. Block / corrupt the chip read; terminal accepts cloned magstripe data captured earlier from a shimmer or skimmer.
- step 4 / 4
Signature replay across chains → token drain
EIP-2612 permit() signed without chainId / domain separator binding. Capture the off-chain signature on one chain and replay it on another to drain ERC-20 approvals.
- step 5 / 6
Cloudflare account compromise → Worker rewrite → mass cred theft
Phish a Cloudflare account belonging to a popular site operator. Deploy a Worker that injects JS into every response — captures form posts (logins, payments) for the duration the operator doesn't notice.
- step 5 / 5
Vesting beneficiary replace → silently drain stream
Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.
- step 5 / 6
Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)
Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were directly queried; dozens of customer data sets exfiltrated.
- step 5 / 5
ERC-4626 first-depositor inflation → drain new deposits
Be the first depositor with 1 wei → mint 1 share. Send tokens directly to the vault to inflate share price. Every subsequent depositor's amount, integer-divided by the inflated rate, rounds to zero shares.
- step 5 / 5
Unauth DICOM PACS → mass medical-image exfil
PACS server accepts unauthenticated C-FIND / C-MOVE on port 104 / 11112. Query for every study, pull every image — exfil hundreds of thousands of patient scans + DICOM metadata (PII).
- step 5 / 5
Insider admin panel coercion → mass account takeover (Twitter 2020)
Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.
- step 5 / 5
MEV bot honeypot → drain searcher
Plant a transaction that looks like easy arbitrage in the public mempool. The MEV searcher bot front-runs into a trap contract whose 'profit' function reverts and seizes the searcher's gas + funds.
- step 5 / 6
MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)
Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files.
- step 5 / 5
Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach
Crafted Content-Type header is parsed as OGNL — execute commands as the app user. The 2017 Equifax breach origin: unpatched Struts endpoint exposed to the internet.
- step 5 / 5
SAML signature wrapping (XSW) → impersonate admin
Capture a legitimate SAML response. Re-arrange the XML so the IdP's signature still validates against the original assertion, but the SP parses an attacker-injected assertion claiming Admin.
- step 5 / 5
Hardware wallet supply-chain tamper → pre-seeded seed
Intercept Trezor / Ledger / KeepKey in transit (or counterfeit on Amazon / eBay). Replace device with one that already has a known seed phrase the attacker controls — victim deposits, attacker drains.
- step 5 / 6
Wallet drainer dApp → setApprovalForAll → instant theft
Victim connects their wallet to a phishing dApp (fake mint / fake airdrop). One click on 'Confirm' calls setApprovalForAll on every valuable NFT collection — drained moments later.
- step 5 / 5
DNS tunnel exfiltration in restricted egress
Outbound web is filtered, but DNS still resolves to the corporate forwarder. Use iodine / dnscat2 to tunnel a shell + exfil over DNS queries to an attacker-controlled authoritative server.
- step 5 / 5
MITM unencrypted RTP → call eavesdropping
Most internal SIP deployments still use RTP without SRTP. From the same VLAN, ARP-spoof the IP phone + PBX, capture RTP, decode in Wireshark to .wav.
- step 5 / 6
Cross-chain bridge validator-set bypass → mint wrapped tokens
Bridge's signature-set check is off-by-one (Nomad-class) or accepts a zero address (Ronin-class). Mint wrapped tokens on the destination chain without locking on the source.
- step 5 / 5
Indirect prompt injection via RAG document
Attacker uploads a poisoned document to a customer wiki / SharePoint that the LLM ingests at query time. Injection fires when a privileged user later asks a question that retrieves the doc.
- step 5 / 5
Single-packet race → coupon stacking
Coupon redemption check happens before the apply step. Send 20 redemptions in a single TCP packet — the app validates each in parallel and applies all of them.
- step 5 / 5
NoSQL injection → auth bypass → admin
Login endpoint passes user-supplied JSON into a MongoDB query. Send {"$ne": null} to bypass the password check.
- step 6 / 6
Origin IP bypass → direct attack on backend
Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked.
- step 6 / 6
Evil maid → sniff TPM unseal → decrypt BitLocker offline
Brief physical access to a TPM-only BitLocker laptop. Plug a logic analyser onto the LPC / SPI bus; capture the FVEK as the TPM unseals it at boot. Take the disk home, decrypt offline.
- step 6 / 6
Multi-agent confused-deputy → tool-call escalation
User-facing agent has limited tools; back-end planning agent has powerful tools (shell, file system). Prompt injection in user input → user agent → back-end agent. The back-end runs the attacker's intent under the planner's higher trust.
- step 6 / 6
Apple Pay Express Transit relay → high-value contactless fraud
Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.
- step 6 / 6
Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)
Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- step 6 / 6
AXFR → discover shadow-IT staging → exploitable web app
DNS server allows unrestricted AXFR. Pull the full zone, find admin- / staging- / dev- hostnames never linked, hit one with default creds / leftover debug routes.
- step 6 / 6
Reentrancy → drain vault contract
Vulnerable withdraw() sends ETH before updating balance. Attacker contract re-enters via fallback() until the vault is empty — the canonical DAO-2016 pattern.
- step 6 / 6
Flash loan + oracle manipulation → drain DEX
DeFi contract reads spot price from a single pool. Borrow a flash loan, distort the pool, exploit the dependent contract while price is wrong, repay the loan in the same transaction.
- step 6 / 6
Flash-loan governance attack → DAO admin
Voting power = token balance at snapshot. Borrow enormous quantity via flash loan inside the snapshot tx, vote yourself in as admin, repay loan.
- step 6 / 6
Padding oracle → forge admin session cookie
App encrypts session cookies with AES-CBC and reveals padding-validity via a 500/200 differential. Decrypt the cookie, forge an admin cookie, log in without credentials.
- step 6 / 6
Exported ContentProvider → private data leak
App exports a ContentProvider for legitimate inter-app integration but forgets to enforce grantUri / signature permissions — a rogue installed app reads private auth tokens.
- step 6 / 6
JWT RS256 → HS256 algorithm confusion → admin
Server verifies any algorithm declared in the JWT header. Sign an HS256 token using the public RSA key as the HMAC secret — server accepts it as legit.
- step 6 / 6
GraphQL introspection → BOLA → mass enum
GraphQL endpoint exposes its full schema. Discover an unauth'd or under-authorized resolver, enumerate every user's data by iterating IDs.
- step 6 / 6
HTTP request smuggling (CL.TE) → admin panel bypass
Frontend uses Content-Length, backend uses Transfer-Encoding. Smuggle a request whose path bypasses the frontend's authentication checks.
- step 6 / 6
Source map exposure → API key leak → cloud takeover
Public *.js.map files reveal un-minified source and inline-committed API keys (cloud provider, third-party services). Use the keys directly.
- step 7 / 7
POS network pivot → RAM-scraper → card data exfil
The Target 2013 / Home Depot 2014 chain: vendor foothold → flat payment-switch VLAN → drop a memory-scraping malware on POS terminals → exfil track data through a payment-switch host.
§ What commonly comes next
- 01 Data Encrypted for Impact (seen 3×) · T1486 · Impact
- 02 Cross-Chain Bridge Exploit (seen 1×) · W3-BRIDGE-EXPLOIT · Impact
- 03 Donate-to-MEV Sandwich (seen 1×) · DEFI-DONATE-MEV · Impact
- 04 Hardcoded Secrets in JS Bundles (seen 1×) · W-RECON-JS-SECRETS · Reconnaissance
- 05 Indicator Removal (seen 1×) · T1070 · Defense Evasion
- 06 Obfuscated Files or Information (seen 1×) · T1027 · Defense Evasion