T1041

Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications. This technique is particularly challenging to detect because exfiltration traffic is indistinguishable from regular C2 beaconing — adversaries embed collected data inside HTTP POST bodies, DNS query labels, custom binary protocol frames, or other C2 protocol fields. Detection requires correlating large outbound data volumes, repeated connection patterns, and sensitive file access rather than inspecting payload content. Real-world actors observed using this technique include Scattered Spider (VMware vCenter via Teleport), OilRig/APT34 (OneDrive-based C2), and malware families PoetRAT, Machete, Shark, StrelaStealer, BeaverTail, SLOTHFULMEDIA, Sagerunex, and Bandook. The technique spans Windows, Linux, macOS, and ESXi platforms and commonly exploits encrypted C2 channels (HTTPS, DNS-over-HTTPS) to blend with legitimate traffic.

Microsoft Sentinel / Defender

kusto

let TimeWindow = 24h;
let MinBytesSent = 1048576; // 1 MB threshold — tune up for high-data environments
let MinConnectionCount = 20; // Repeated connections indicating active C2 with embedded data
let SuspiciousProcesses = dynamic([
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "python.exe", "python3.exe", "ruby.exe", "perl.exe",
    "curl.exe", "wget.exe", "bitsadmin.exe", "nc.exe"
]);
// Step 1: Identify processes with high outbound byte volume or high connection frequency to public IPs
let HighVolumeOutbound = DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
    or BytesSent > MinBytesSent
| summarize
    TotalBytesSent = sum(BytesSent),
    TotalBytesReceived = sum(BytesReceived),
    ConnectionCount = count(),
    UniqueRemoteIPs = dcount(RemoteIP),
    RemoteIPs = make_set(RemoteIP, 5),
    RemotePorts = make_set(RemotePort, 5),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine
| where TotalBytesSent > MinBytesSent or ConnectionCount > MinConnectionCount;
// Step 2: Correlate with sensitive file reads (collect-then-exfil pattern)
let SensitiveFileReads = DeviceFileEvents
| where Timestamp > ago(TimeWindow)
| where ActionType == "FileRead"
| where FileName has_any (dynamic([".doc", ".docx", ".pdf", ".xlsx", ".xls", ".csv",
    ".zip", ".7z", ".tar", ".gz", ".kdbx", ".pfx", ".pem", ".key",
    ".db", ".sqlite", ".rdp", ".config", ".conf"]))
| summarize FilesRead = count(), SensitiveFileNames = make_set(FileName, 10)
    by DeviceName, InitiatingProcessId;
// Step 3: Join and score
HighVolumeOutbound
| join kind=leftouter SensitiveFileReads on DeviceName, InitiatingProcessId
| extend ExfilRatio = iff(TotalBytesReceived > 0,
    round(todouble(TotalBytesSent) / todouble(TotalBytesReceived), 2), 999.0)
| extend IsHighVolume = TotalBytesSent > MinBytesSent
| extend IsHighFrequency = ConnectionCount > MinConnectionCount
| extend IsSingleDestination = UniqueRemoteIPs == 1
| extend HasSensitiveFileAccess = isnotnull(FilesRead) and FilesRead > 0
| extend HighExfilRatio = ExfilRatio > 5.0
| extend ExfilScore = tolong(IsHighVolume) + tolong(IsHighFrequency)
    + tolong(IsSingleDestination) + tolong(HasSensitiveFileAccess) + tolong(HighExfilRatio)
| where ExfilScore >= 2
| project
    Timestamp = LastSeen,
    DeviceName,
    AccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    TotalBytesSent,
    TotalBytesReceived,
    ExfilRatio,
    ConnectionCount,
    UniqueRemoteIPs,
    RemoteIPs,
    RemotePorts,
    FilesRead,
    SensitiveFileNames,
    IsHighVolume,
    IsHighFrequency,
    IsSingleDestination,
    HasSensitiveFileAccess,
    ExfilScore
| sort by ExfilScore desc, TotalBytesSent desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow File: File Access Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceFileEvents

False Positives

Backup agents (Veeam, Backup Exec, Azure Backup) performing scheduled backups generate large outbound transfers to cloud storage endpoints
Log shippers and telemetry agents (Splunk Universal Forwarder, Elastic Agent, Datadog) make frequent high-volume connections to their ingestion endpoints
Cloud sync clients (OneDrive, Dropbox, Google Drive) continuously upload large volumes of data using common scripting engines on managed endpoints
Software update and patch management clients (SCCM, Intune, WSUS) sending device inventory telemetry over HTTPS to Microsoft infrastructure
Security scanners and vulnerability assessment tools (Qualys, Nessus agent) making high-frequency outbound connections during scan cycles

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 Initiated="true"
NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
    OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*"
    OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*"
    OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*"
    OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*"
    OR DestinationIp="172.30.*" OR DestinationIp="172.31.*"
    OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="::1")
(Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe"
    OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe"
    OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\certutil.exe"
    OR Image="*\\curl.exe" OR Image="*\\python.exe" OR Image="*\\python3.exe"
    OR Image="*\\bitsadmin.exe" OR Image="*\\nc.exe" OR Image="*\\ncat.exe")
| stats
    count as ConnectionCount,
    dc(DestinationIp) as UniqueRemoteIPs,
    values(DestinationIp) as RemoteIPList,
    values(DestinationPort) as RemotePorts,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by host, User, Image, CommandLine
| where ConnectionCount > 10
| eval SessionDurationSec = LastSeen - FirstSeen
| eval AvgBeaconIntervalSec = if(ConnectionCount > 1 AND SessionDurationSec > 0,
    round(SessionDurationSec / (ConnectionCount - 1), 0), null())
| eval IsRegularBeacon = if(AvgBeaconIntervalSec > 0 AND AvgBeaconIntervalSec < 300, 1, 0)
| eval IsHighFrequency = if(ConnectionCount > 50, 1, 0)
| eval IsSingleDestination = if(UniqueRemoteIPs == 1, 1, 0)
| eval ExfilScore = IsRegularBeacon + IsHighFrequency + IsSingleDestination
| where ExfilScore >= 2
| eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S")
| eval LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| table _time, host, User, Image, CommandLine, RemoteIPList, UniqueRemoteIPs, RemotePorts,
    ConnectionCount, AvgBeaconIntervalSec, IsRegularBeacon, IsHighFrequency, IsSingleDestination, ExfilScore
| sort - ExfilScore, - ConnectionCount

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3 (Network Connection)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup agents performing scheduled backups using scripting engines will generate high-frequency regular connections to backup infrastructure
Log shippers and telemetry agents (Splunk UF, Elastic Agent) making frequent regular connections to their indexers — often exhibit perfect beacon-like regularity
Endpoint management tools (SCCM, Tanium, BigFix) checking in regularly from scripting engine processes create identical patterns to C2 beaconing
Security monitoring agents doing frequent heartbeat connections to management infrastructure
CI/CD pipeline runners and automation scripts making repeated API calls to cloud services

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(MIN(devicetime), 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
    DATEFORMAT(MAX(devicetime), 'YYYY-MM-dd HH:mm:ss') AS LastSeen,
    sourceip AS DeviceIP,
    username AS AccountName,
    "Image" AS ProcessName,
    "CommandLine" AS ProcessCommandLine,
    COUNT(*) AS ConnectionCount,
    COUNT(DISTINCT destinationip) AS UniqueRemoteIPs,
    MIN(destinationip) AS SampleRemoteIP,
    MIN(destinationport) AS SampleRemotePort
FROM events
WHERE
    devicetime > NOW() - 86400000
    AND LOGSOURCETYPENAME(devicetype) LIKE '%Sysmon%'
    AND QIDNAME(qid) LIKE '%Network Connection%'
    AND (
        "Image" ILIKE '%\\powershell.exe'
        OR "Image" ILIKE '%\\pwsh.exe'
        OR "Image" ILIKE '%\\cmd.exe'
        OR "Image" ILIKE '%\\wscript.exe'
        OR "Image" ILIKE '%\\cscript.exe'
        OR "Image" ILIKE '%\\mshta.exe'
        OR "Image" ILIKE '%\\rundll32.exe'
        OR "Image" ILIKE '%\\regsvr32.exe'
        OR "Image" ILIKE '%\\certutil.exe'
        OR "Image" ILIKE '%\\python.exe'
        OR "Image" ILIKE '%\\python3.exe'
        OR "Image" ILIKE '%\\curl.exe'
        OR "Image" ILIKE '%\\wget.exe'
        OR "Image" ILIKE '%\\bitsadmin.exe'
        OR "Image" ILIKE '%\\nc.exe'
        OR "Image" ILIKE '%\\ncat.exe'
    )
    AND NOT INCIDR('10.0.0.0/8', destinationip)
    AND NOT INCIDR('172.16.0.0/12', destinationip)
    AND NOT INCIDR('192.168.0.0/16', destinationip)
    AND NOT INCIDR('127.0.0.0/8', destinationip)
    AND NOT INCIDR('169.254.0.0/16', destinationip)
GROUP BY sourceip, username, "Image", "CommandLine"
HAVING ConnectionCount > 10 OR COUNT(DISTINCT destinationip) = 1
ORDER BY ConnectionCount DESC

high severity medium confidence

Data Sources

QRadar DSM for Microsoft Windows (Sysmon Operational log) QRadar Network Activity (flow data for byte-volume correlation) Endpoint Detection and Response integration via QRadar SOAR

Required Tables

events

False Positives

PowerShell-based deployment tooling such as SCCM client actions or Azure Arc agent callbacks making frequent connections to a single management endpoint — whitelist the management server IP in the INCIDR exclusion list
certutil.exe used in software packaging scripts to download installers or verify certificate chains from a CDN — filter by CommandLine containing '-urlcache' combined with known software distribution domains
Python-based monitoring or ETL scripts polling a single cloud API endpoint at regular intervals — identify and exclude known scheduled task service accounts from the username filter

Sumo Logic CSE

sql

(_sourceCategory=*sysmon* OR _sourceCategory=*windows* OR _sourceCategory=*endpoint*) EventCode=3 Initiated=true
| where !(DestinationIp matches "10.*"
    OR DestinationIp matches "172.16.*" OR DestinationIp matches "172.17.*"
    OR DestinationIp matches "172.18.*" OR DestinationIp matches "172.19.*"
    OR DestinationIp matches "172.20.*" OR DestinationIp matches "172.21.*"
    OR DestinationIp matches "172.22.*" OR DestinationIp matches "172.23.*"
    OR DestinationIp matches "172.24.*" OR DestinationIp matches "172.25.*"
    OR DestinationIp matches "172.26.*" OR DestinationIp matches "172.27.*"
    OR DestinationIp matches "172.28.*" OR DestinationIp matches "172.29.*"
    OR DestinationIp matches "172.30.*" OR DestinationIp matches "172.31.*"
    OR DestinationIp matches "192.168.*" OR DestinationIp matches "127.*")
| where Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe"
    OR Image matches "*\\cmd.exe" OR Image matches "*\\wscript.exe"
    OR Image matches "*\\cscript.exe" OR Image matches "*\\mshta.exe"
    OR Image matches "*\\rundll32.exe" OR Image matches "*\\regsvr32.exe"
    OR Image matches "*\\certutil.exe" OR Image matches "*\\python.exe"
    OR Image matches "*\\python3.exe" OR Image matches "*\\curl.exe"
    OR Image matches "*\\wget.exe" OR Image matches "*\\bitsadmin.exe"
    OR Image matches "*\\nc.exe" OR Image matches "*\\ncat.exe"
| count as ConnectionCount, dcount(DestinationIp) as UniqueRemoteIPs,
    values(DestinationIp) as RemoteIPList,
    values(DestinationPort) as RemotePorts,
    min(_messageTime) as FirstSeenMs,
    max(_messageTime) as LastSeenMs
    by Computer, User, Image, CommandLine
| where ConnectionCount > 10
| eval SessionDurationSec = (LastSeenMs - FirstSeenMs) / 1000
| eval AvgBeaconIntervalSec = if(ConnectionCount > 1 AND SessionDurationSec > 0,
    round(SessionDurationSec / (ConnectionCount - 1), 0), null)
| eval IsRegularBeacon = if(AvgBeaconIntervalSec > 0 AND AvgBeaconIntervalSec < 300, 1, 0)
| eval IsHighFrequency = if(ConnectionCount > 50, 1, 0)
| eval IsSingleDestination = if(UniqueRemoteIPs == 1, 1, 0)
| eval ExfilScore = IsRegularBeacon + IsHighFrequency + IsSingleDestination
| where ExfilScore >= 2
| formatDate(fromMillis(FirstSeenMs), "yyyy-MM-dd HH:mm:ss") as FirstSeen
| formatDate(fromMillis(LastSeenMs), "yyyy-MM-dd HH:mm:ss") as LastSeen
| fields Computer, User, Image, CommandLine, ConnectionCount, UniqueRemoteIPs,
    RemoteIPList, RemotePorts, AvgBeaconIntervalSec, IsRegularBeacon,
    IsHighFrequency, IsSingleDestination, ExfilScore, FirstSeen, LastSeen
| sort by ExfilScore desc, ConnectionCount desc

high severity medium confidence

Data Sources

Sumo Logic Windows Collector (Sysmon Operational, EventCode 3) Sumo Logic Cloud SIEM Enterprise (CSE) normalized network schema Sumo Logic Installed Collector with Windows Event Log source

Required Tables

Sysmon Operational Event Log (EventCode 3 — Network Connection)

False Positives

Windows Update and antivirus signature update services polling a single CDN endpoint at a fixed schedule will achieve high IsRegularBeacon and IsSingleDestination scores — exclude known update agent process names and Microsoft/vendor IP ranges from the destination filter
Automated test frameworks using curl or Python scripts that hammer a single staging server endpoint during CI pipeline runs — filter by known CI runner hostnames or service account names in the User field
IT monitoring agents such as Zabbix, PRTG, or Nagios NRPE that beacon to a single management server at sub-5-minute intervals — add monitoring agent process names to a suppression list or exclude their management server IPs

Google Chronicle / SecOps

yaral

rule t1041_exfiltration_over_c2_channel {
  meta:
    author = "Detection Engineering"
    description = "Detects data exfiltration over C2 channels: suspicious interpreter and transfer-utility processes making high-volume or high-frequency outbound connections to public IPs, consistent with implants embedding stolen data inside C2 protocol traffic (HTTP POST bodies, DNS labels, custom binary frames)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "TA0010"
    mitre_attack_technique = "T1041"
    reference = "https://attack.mitre.org/techniques/T1041/"
    created = "2026-04-17"
    false_positives = "Backup agents, cloud sync clients, CI/CD pipelines"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.network.direction = "OUTBOUND"
    $net.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|python[23]?\.exe|ruby\.exe|perl\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|ncat?\.exe)/
    NOT net.ip_in_range_cidr($net.target.ip, "10.0.0.0/8")
    NOT net.ip_in_range_cidr($net.target.ip, "172.16.0.0/12")
    NOT net.ip_in_range_cidr($net.target.ip, "192.168.0.0/16")
    NOT net.ip_in_range_cidr($net.target.ip, "127.0.0.0/8")
    NOT net.ip_in_range_cidr($net.target.ip, "169.254.0.0/16")
    $hostname = $net.principal.hostname
    $process_path = $net.principal.process.file.full_path

  match:
    $hostname, $process_path over 24h

  outcome:
    $connection_count = count($net.metadata.id)
    $unique_dest_ips = count_distinct($net.target.ip)
    $total_bytes_sent = sum($net.network.sent_bytes)
    $total_bytes_received = sum($net.network.received_bytes)
    $dest_ip_list = array_distinct($net.target.ip)
    $dest_port_list = array_distinct($net.target.port)
    $is_high_volume = if($total_bytes_sent > 1048576, 1, 0)
    $is_high_frequency = if($connection_count > 20, 1, 0)
    $is_single_destination = if($unique_dest_ips == 1, 1, 0)
    $exfil_score = $is_high_volume + $is_high_frequency + $is_single_destination

  condition:
    $net and $exfil_score >= 2
}

high severity medium confidence

Data Sources

Google Chronicle Unified Data Model (UDM) — NETWORK_CONNECTION events Chronicle Forwarder with Windows Sysmon ingestion CrowdStrike Falcon via Chronicle integration Microsoft Defender for Endpoint via Chronicle ingestion

Required Tables

UDM Events (metadata.event_type = NETWORK_CONNECTION)

False Positives

PowerShell remoting (WinRM) sessions to a single management jumphost over extended work sessions score high on both IsHighFrequency and IsSingleDestination — add known management CIDR blocks to the NOT net.ip_in_range_cidr exclusions
Scripted data ingestion pipelines using curl or python that bulk-upload telemetry to a single SaaS observability endpoint (Datadog, Splunk HEC, Elastic Cloud) — exclude by matching process command-line regex against known upload endpoint hostnames
certutil.exe legitimately used in software packaging to download installers from a CDN will appear as high-frequency single-destination — filter by CommandLine containing '-urlcache' paired with known software vendor domains

CrowdStrike LogScale (CQL)

cql

#event_simpleName = NetworkConnectIP4
| !cidr(RemoteIP, subnet="10.0.0.0/8")
| !cidr(RemoteIP, subnet="172.16.0.0/12")
| !cidr(RemoteIP, subnet="192.168.0.0/16")
| !cidr(RemoteIP, subnet="127.0.0.0/8")
| !cidr(RemoteIP, subnet="169.254.0.0/16")
| regex("(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|python[23]?\.exe|ruby\.exe|perl\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|ncat?\.exe)", field=ImageFileName)
| groupBy(
    [ComputerName, UserName, ImageFileName, CommandLine],
    function=[
      count(as=ConnectionCount),
      countDistinct(RemoteIP, as=UniqueRemoteIPs),
      collect(RemoteIP, limit=10, as=RemoteIPList),
      collect(RemotePort, limit=10, as=RemotePorts),
      sum(BytesSent, as=TotalBytesSent),
      sum(BytesReceived, as=TotalBytesReceived),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| IsHighVolume := if(TotalBytesSent > 1048576, 1, 0)
| IsHighFrequency := if(ConnectionCount > 20, 1, 0)
| IsSingleDestination := if(UniqueRemoteIPs == 1, 1, 0)
| SafeBytesReceived := if(TotalBytesReceived > 0, TotalBytesReceived, 1)
| ExfilRatio := TotalBytesSent / SafeBytesReceived
| HighExfilRatio := if(ExfilRatio > 5.0, 1, 0)
| ExfilScore := IsHighVolume + IsHighFrequency + IsSingleDestination + HighExfilRatio
| ExfilScore >= 2
| SessionDurationSec := (LastSeen - FirstSeen) / 1000
| AvgBeaconIntervalSec := if(ConnectionCount > 1 AND SessionDurationSec > 0,
    round(SessionDurationSec / (ConnectionCount - 1)), null())
| sort(ExfilScore, order=desc)
| select([ComputerName, UserName, ImageFileName, CommandLine, ConnectionCount,
    UniqueRemoteIPs, RemoteIPList, RemotePorts, TotalBytesSent, TotalBytesReceived,
    ExfilRatio, AvgBeaconIntervalSec, IsHighVolume, IsHighFrequency,
    IsSingleDestination, HighExfilRatio, ExfilScore, FirstSeen, LastSeen])

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (EDR) — NetworkConnectIP4 events CrowdStrike Falcon Data Replicator (FDR) streaming to LogScale LogScale with Falcon SIEM Connector

Required Tables

NetworkConnectIP4 ProcessRollup2

False Positives

CrowdStrike Falcon sensor itself (CSFalconService) communicating with Falcon cloud infrastructure — exclude by adding ImageFileName matches for the Falcon sensor binary or CrowdStrike's published cloud IP ranges to the CIDR exclusion filters
PowerShell DSC (Desired State Configuration) or Invoke-WebRequest in large-scale configuration management deployments making frequent calls to a single management endpoint — whitelist known management server IPs or SCCM/Ansible controller source IPs
Python-based ML or data science workloads downloading training datasets or pushing model artifacts to cloud object storage with high byte-volume ratios — filter by data science workstation hostname patterns or known cloud provider IP CIDR blocks (AWS S3, GCS, Azure Blob)

Last updated: 2026-04-17 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1041 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Exfiltration Over C2 Channel

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Exfiltration

Popular Detections