Exfiltration Over C2 Channel T1041
Tactic: Exfiltration
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
Events covered
17 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 77 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (82 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (236 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (58 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule has its own page with its full predicates, exclusions, and indicators.
Sigma 7 rules
- Equation Group C2 Communication
- macOS Network Upload Activity
- Network Communication Initiated To Portmap.IO Domain
- OpenCanary - TFTP Request
- Shai-Hulud NPM Package Malicious Exfiltration via Curl
- Tunneling Tool Execution
- Vice Society directory crawling script for data exfiltration (via ps_script)
Elastic 18 rules
- DNS Tunneling
- Network Activity Detected via Kworker
- Network Traffic to Rare Destination Country
- Potential Data Exfiltration Activity to an Unusual Destination Port
- Potential Data Exfiltration Activity to an Unusual IP Address
- Potential Data Exfiltration Activity to an Unusual ISO Code
- Potential Data Exfiltration Activity to an Unusual Region
- Spike in Firewall Denies
- Spike in host-based traffic
- Spike in Network Traffic
- Spike in Network Traffic To a Country
- Unusual AWS Command for a User
- Unusual Azure Activity Logs Event for a User
- Unusual GCP Event for a User
- Unusual Linux Network Activity
- Unusual Linux Network Port Activity
- Unusual Network Destination Domain Name
- Unusual Windows Network Activity
Splunk 13 rules
- Cisco ASA - Device File Copy to Remote Location
- Cisco Secure Firewall - High EVE Threat Confidence
- Cisco Secure Firewall - Intrusion Events by Threat Activity
- Cisco Secure Firewall - Lumma Stealer Download Attempt
- Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
- Cisco Secure Firewall - Potential Data Exfiltration
- Detect SNICat SNI Exfiltration
- Potential Telegram API Request Via CommandLine
- Powershell ICMP Data Exfiltration (PowerShell)
- Script Connected to External Destination - Windows (Sysmon)
- Script Connected to External Destination - Windows (Windows Event Log)
- Windows Exfiltration Over C2 Via Invoke RestMethod
- Windows Exfiltration Over C2 Via Powershell UploadString
Kusto 27 rules
- Abnormal Deny Rate for Source IP
- Abnormal Port to Protocol
- Cisco Cloud Security - Connection to non-corporate private network
- Cisco Cloud Security - Connection to Unpopular Website Detected
- Cisco Cloud Security - Crypto Miner User-Agent Detected
- Cisco Cloud Security - Rare User Agent Detected
- Cisco Cloud Security - Request Allowed to harmful/malicious URI category
- Detect presence of private IP addresses in URLs (ASIM Web Session)
- Excessive Blocked Traffic Events Generated by User
- Files Copied to USB Drives
- High severity malicious activity detected
- IP address of Windows host encoded in web request
- Multiple Sources Affected by the Same TI Destination
- Powershell Empire Cmdlets Executed in Command Line
- RecordedFuture Threat Hunting IP All Actors
- RunningRAT request parameters
- SonicWall - Allowed SSH, Telnet, and RDP Connections
- Ubiquiti - connection to non-corporate DNS server
- Ubiquiti - Large ICMP to external server
- Vectra Account's Behaviors
- Vectra AI Detect - Detections with High Severity
- Vectra AI Detect - Suspected Compromised Account
- Vectra AI Detect - Suspected Compromised Host
- Vectra AI Detect - Suspicious Behaviors by Category
- Vectra Host's Behaviors
- Website blocked by ESET
- Windows host username encoded in base64 web request
YARA-L 1 rule
Panther 11 rules
- Auth0 Delete Tenant Member
- GCP K8S Pod Create Or Modify Host Path Volume Mount
- Kubernetes Pod With HostPath Volume Mount
- Snowflake Data Exfiltration
- Snowflake Data Exfiltration
- Snowflake File Downloaded
- Snowflake File Downloaded
- Snowflake Table Copied Into Stage
- Snowflake Table Copied Into Stage
- Snowflake Temporary Stage Created
- Snowflake Temporary Stage Created