Detect Exfiltration Over C2 Channel in Google Chronicle
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications. This technique is particularly challenging to detect because exfiltration traffic is indistinguishable from regular C2 beaconing — adversaries embed collected data inside HTTP POST bodies, DNS query labels, custom binary protocol frames, or other C2 protocol fields. Detection requires correlating large outbound data volumes, repeated connection patterns, and sensitive file access rather than inspecting payload content. Real-world actors observed using this technique include Scattered Spider (VMware vCenter via Teleport), OilRig/APT34 (OneDrive-based C2), and malware families PoetRAT, Machete, Shark, StrelaStealer, BeaverTail, SLOTHFULMEDIA, Sagerunex, and Bandook. The technique spans Windows, Linux, macOS, and ESXi platforms and commonly exploits encrypted C2 channels (HTTPS, DNS-over-HTTPS) to blend with legitimate traffic.
MITRE ATT&CK
- Tactic: Exfiltration
- Technique: T1041 Exfiltration Over C2 Channel
- Canonical reference: https://attack.mitre.org/techniques/T1041/
YARA-L Detection Query
```
rule t1041_exfiltration_over_c2_channel {
  meta:
    author = "Detection Engineering"
    description = "Detects data exfiltration over C2 channels: suspicious interpreter and transfer-utility processes making high-volume or high-frequency outbound connections to public IPs, consistent with implants embedding stolen data inside C2 protocol traffic (HTTP POST bodies, DNS labels, custom binary frames)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "TA0010"
    mitre_attack_technique = "T1041"
    reference = "https://attack.mitre.org/techniques/T1041/"
    created = "2026-04-17"
    false_positives = "Backup agents, cloud sync clients, CI/CD pipelines"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.network.direction = "OUTBOUND"
    $net.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|python[23]?\.exe|ruby\.exe|perl\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|ncat?\.exe)/
    NOT net.ip_in_range_cidr($net.target.ip, "10.0.0.0/8")
    NOT net.ip_in_range_cidr($net.target.ip, "172.16.0.0/12")
    NOT net.ip_in_range_cidr($net.target.ip, "192.168.0.0/16")
    NOT net.ip_in_range_cidr($net.target.ip, "127.0.0.0/8")
    NOT net.ip_in_range_cidr($net.target.ip, "169.254.0.0/16")
    $hostname = $net.principal.hostname
    $process_path = $net.principal.process.file.full_path

  match:
    $hostname, $process_path over 24h

  outcome:
    $connection_count = count($net.metadata.id)
    $unique_dest_ips = count_distinct($net.target.ip)
    $total_bytes_sent = sum($net.network.sent_bytes)
    $total_bytes_received = sum($net.network.received_bytes)
    $dest_ip_list = array_distinct($net.target.ip)
    $dest_port_list = array_distinct($net.target.port)
    $is_high_volume = if($total_bytes_sent > 1048576, 1, 0)
    $is_high_frequency = if($connection_count > 20, 1, 0)
    $is_single_destination = if($unique_dest_ips == 1, 1, 0)
    $exfil_score = $is_high_volume + $is_high_frequency + $is_single_destination

  condition:
    $net and $exfil_score >= 2
}
```

Chronicle YARA-L 2.0 rule that matches UDM NETWORK_CONNECTION events over a 24-hour sliding window, grouping by hostname and process path. Scores each group on three behavioral axes — outbound byte volume (>1 MB), connection frequency (>20), and destination consolidation (single IP) — triggering when two or more axes are positive. Mirrors the KQL scoring model using native Chronicle UDM fields and CIDR exclusion functions.
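To unit-test the scoring model before deploying it, the following is an added Python reimplementation of the rule's events, match, outcome and condition sections, run over constructed UDM-shaped events. It is example code written for this page, not Chronicle's rule engine or any project's code; the event dictionary layout, the hostnames, process paths, timestamps and documentation-range IPs are all constructed, and reporting the highest-scoring 24h window per group is a simplification of Chronicle's sliding-window evaluation. It also shows the practical consequence of the loopback exclusion: traffic to 127.0.0.1 never reaches scoring unless that CIDR is dropped from `excluded_cidrs`, which is also the parameter where a management CIDR from the tuning list would be added.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same process regex, exclusions and thresholds as the YARA-L rule above.
SUSPICIOUS_PROCESS = re.compile(
    r"(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|"
    r"rundll32\.exe|regsvr32\.exe|certutil\.exe|python[23]?\.exe|ruby\.exe|perl\.exe|"
    r"curl\.exe|wget\.exe|bitsadmin\.exe|ncat?\.exe)")
DEFAULT_EXCLUDED_CIDRS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                          "127.0.0.0/8", "169.254.0.0/16")
WINDOW = timedelta(hours=24)
HIGH_VOLUME_BYTES = 1048576   # > 1 MiB sent
HIGH_FREQUENCY_COUNT = 20     # > 20 connections
ALERT_SCORE = 2               # condition: $exfil_score >= 2

def ip_in_ranges(ip, cidrs):
    """Equivalent of net.ip_in_range_cidr() applied to a list of CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def event_matches(ev, excluded_cidrs):
    """Mirror the events: section filters (type, direction, process, non-excluded IP)."""
    return (ev["event_type"] == "NETWORK_CONNECTION"
            and ev["direction"] == "OUTBOUND"
            and SUSPICIOUS_PROCESS.search(ev["process_path"]) is not None
            and not ip_in_ranges(ev["target_ip"], excluded_cidrs))

def outcome_for(window):
    """Mirror the outcome: section for the events of one group inside one window."""
    sent = sum(e["sent_bytes"] for e in window)
    dest_ips = {e["target_ip"] for e in window}
    high_volume = int(sent > HIGH_VOLUME_BYTES)
    high_frequency = int(len(window) > HIGH_FREQUENCY_COUNT)
    single_destination = int(len(dest_ips) == 1)
    return {"connection_count": len(window), "unique_dest_ips": len(dest_ips),
            "total_bytes_sent": sent,
            "total_bytes_received": sum(e["received_bytes"] for e in window),
            "dest_ip_list": sorted(dest_ips),
            "dest_port_list": sorted({e["target_port"] for e in window}),
            "is_high_volume": high_volume, "is_high_frequency": high_frequency,
            "is_single_destination": single_destination,
            "exfil_score": high_volume + high_frequency + single_destination}

def score_events(events, excluded_cidrs=DEFAULT_EXCLUDED_CIDRS):
    """Group matching events by (hostname, process_path) and return the
    highest-scoring 24h window per group (simplification of Chronicle's sliding window)."""
    groups = defaultdict(list)
    for ev in events:
        if event_matches(ev, excluded_cidrs):
            groups[(ev["hostname"], ev["process_path"])].append(ev)
    results = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            out = outcome_for([e for e in evs[i:] if e["ts"] - start["ts"] < WINDOW])
            if best is None or (out["exfil_score"], out["connection_count"]) > \
                    (best["exfil_score"], best["connection_count"]):
                best = out
        results[key] = best
    return results

def alerts(events, excluded_cidrs=DEFAULT_EXCLUDED_CIDRS):
    """Groups that satisfy the condition: section."""
    return {k: v for k, v in score_events(events, excluded_cidrs).items()
            if v["exfil_score"] >= ALERT_SCORE}

def make_events(hostname, process_path, target_ip, target_port, n, sent_each, start, spacing):
    """Constructed UDM-shaped NETWORK_CONNECTION events: n connections `spacing` apart."""
    return [{"event_type": "NETWORK_CONNECTION", "direction": "OUTBOUND",
             "hostname": hostname, "process_path": process_path,
             "target_ip": target_ip, "target_port": target_port,
             "sent_bytes": sent_each, "received_bytes": 300, "ts": start + i * spacing}
            for i in range(n)]

CURL = r"C:\Windows\System32\curl.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
T0 = datetime(2026, 4, 17, 9, 0, tzinfo=timezone.utc)
# Constructed sample telemetry; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = (
    # 25 small POSTs to one public IP: high frequency + single destination -> score 2
    make_events("WS01", CURL, "203.0.113.10", 443, 25, 2048, T0, timedelta(minutes=1))
    # 1.8 MB split across two public IPs: high volume only -> score 1, no alert
    + make_events("WS02", PWSH, "198.51.100.7", 443, 2, 600_000, T0, timedelta(minutes=5))
    + make_events("WS02", PWSH, "198.51.100.8", 443, 1, 600_000,
                  T0 + timedelta(minutes=20), timedelta(minutes=5))
    # Test 2 shape: 25 curl connections to 127.0.0.1:8080, dropped by the loopback exclusion
    + make_events("WS03", CURL, "127.0.0.1", 8080, 25, 2048, T0, timedelta(seconds=30))
    # browser traffic never enters a group: chrome.exe is not in the process regex
    + make_events("WS04", CHROME, "203.0.113.10", 443, 100, 2048, T0, timedelta(seconds=10))
)

if __name__ == "__main__":
    for key, out in alerts(SAMPLE_EVENTS).items():
        print(key, out["exfil_score"], out["connection_count"], out["total_bytes_sent"])
    print("loopback test traffic alerts only with the exclusion lifted:",
          ("WS03", CURL) in alerts(SAMPLE_EVENTS, excluded_cidrs=()))
```

Running the module prints the single WS01 alert, and the last line shows that the WS03 group (the 127.0.0.1 listener used by the Atomic tests) only scores once the loopback range is removed from the exclusions. Swap `SAMPLE_EVENTS` for events exported from your own UDM data to check a proposed threshold change before editing the rule.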
Data Sources
Required Tables
False Positives & Tuning
- PowerShell remoting (WinRM) sessions to a single management jumphost over extended work sessions score high on both $is_high_frequency and $is_single_destination — add known management CIDR blocks to the NOT net.ip_in_range_cidr exclusions
- Scripted data ingestion pipelines using curl or python that bulk-upload telemetry to a single SaaS observability endpoint (Datadog, Splunk HEC, Elastic Cloud) — exclude by matching $net.principal.process.command_line with a regex for the known upload endpoint hostnames
- certutil.exe legitimately used in software packaging to download installers from a CDN will appear as high-frequency single-destination — filter on $net.principal.process.command_line containing '-urlcache' paired with known software vendor domains
Other platforms for T1041
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Note that the rule above excludes 127.0.0.0/8, so tests that post to a listener on 127.0.0.1 will not match it as written: run the listener on an address outside the excluded ranges, or lift that exclusion in a test copy of the rule. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell HTTP POST Exfiltration Over Simulated C2 Channel
Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine containing Invoke-WebRequest, -Method POST, and http://127.0.0.1:8080/beacon. Sysmon Event ID 3: Network Connection — powershell.exe connecting to 127.0.0.1:8080. PowerShell ScriptBlock Log Event ID 4104 capturing the full script including the base64-encoded data construction. DeviceNetworkEvents in MDE: ConnectionSuccess or ConnectionFailed (depending on listener) with InitiatingProcessFileName=powershell.exe, RemoteIP=127.0.0.1, RemotePort=8080.
- Test 2: curl Multi-Connection Data Exfiltration Beaconing Pattern
Expected signal: 25x Sysmon Event ID 3: Network Connection events with Image=curl.exe (or full path), DestinationIp=127.0.0.1, DestinationPort=8080, Initiated=true. DeviceNetworkEvents: 25 ConnectionSuccess/ConnectionFailed records for curl.exe to 127.0.0.1:8080. The aggregate $connection_count of 25 crosses the >20 threshold in the rule above, so $is_high_frequency becomes 1 and $exfil_score rises by one.
- Test 3: DNS Data Exfiltration via Encoded Subdomain Labels
Expected signal: Sysmon Event ID 22 (DNS Query): 10 DNS query events with QueryName containing 40-55 character first labels encoding the Base64 data, initiated by nslookup.exe. The DNS hunting query triggers on LongestLabel > 40 and QueryCount > 5 from the same process. Windows DNS Client Event Log may also record the queries. The queries will fail to resolve (no listener on 127.0.0.1:53) but the Sysmon Event ID 22 fires on the query attempt regardless.
- Test 4: Linux curl Data Exfiltration via HTTP POST
Expected signal: auditd: SYSCALL records for execve (curl), connect() calls to 127.0.0.1:8080, and read() on /etc/hostname and /proc. Sysmon for Linux Event ID 3: Network Connection events for curl process. Linux audit log (if auditd configured with network rules): socket()/connect() syscalls from curl with destination 127.0.0.1:8080. CommonSecurityLog or Syslog in Sentinel if auditd logs are forwarded: 15 connection records with consistent user-agent string indicating automated beaconing. The deceptive Windows user-agent string on a Linux process is itself anomalous.
References (12)
- https://attack.mitre.org/techniques/T1041/
- https://www.mandiant.com/resources/blog/scattered-spider-vmware-vsphere
- https://www.welivesecurity.com/2023/12/14/eset-apt-activity-report-t22023/
- https://blog.talosintelligence.com/talos-poet-rat/
- https://www.clearskysec.com/siamesekitten/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://www.cisa.gov/sites/default/files/publications/MAR-10303405-1.v1.WHITE.pdf
- https://unit42.paloaltonetworks.com/mechaFlounder/