title: Exfiltration Over C2 Channel (T1041)
id: df00tech-t1041
status: experimental
description: "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications. This technique is particularly challenging to detect because exfiltration traffic is indistinguishable from regular C2 beaconing — adversaries embed collected data inside HTTP POST bodies, DNS query labels, custom binary protocol frames, or other C2 protocol fields. Detection requires correlating large outbound data volumes, repeated connection patterns, and sensitive file access rather than inspecting payload content. Real-world actors observed using this technique include Scattered Spider (VMware vCenter via Teleport), OilRig/APT34 (OneDrive-based C2), and malware families PoetRAT, Machete, Shark, StrelaStealer, BeaverTail, SLOTHFULMEDIA, Sagerunex, and Bandook. The technique spans Windows, Linux, macOS, and ESXi platforms and commonly exploits encrypted C2 channels (HTTPS, DNS-over-HTTPS) to blend with legitimate traffic."
references:
  - https://attack.mitre.org/techniques/T1041/
  - https://df00tech.com/detections/T1041
author: df00tech
date: 2026/04/17
tags:
  - attack.t1041
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Backup agents (Veeam, Backup Exec, Azure Backup) performing scheduled backups generate large outbound transfers to cloud storage endpoints"
  - "Log shippers and telemetry agents (Splunk Universal Forwarder, Elastic Agent, Datadog) make frequent high-volume connections to their ingestion endpoints"
  - "Cloud sync clients (OneDrive, Dropbox, Google Drive) continuously upload large volumes of data using common scripting engines on managed endpoints"
  - "Software update and patch management clients (SCCM, Intune, WSUS) sending device inventory telemetry over HTTPS to Microsoft infrastructure"
  - "Security scanners and vulnerability assessment tools (Qualys, Nessus agent) making high-frequency outbound connections during scan cycles"
level: high