Skip to content

DET0348 Detection Strategy for Exfiltration Over C2 Channel

Item Value
ID DET0348
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1041 (Exfiltration Over C2 Channel)

Analytics

Windows

AN0988

Identifies suspicious outbound traffic volume mismatches from processes that typically do not generate network activity, particularly over C2 protocols like HTTPS, DNS, or custom TCP/UDP ports, following file or data access.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Network Traffic Content (DC0085) NSM:Flow Flow/PCAP analysis for outbound payloads
File Access (DC0055) WinEventLog:Security EventCode=4663, 4670, 4656
Mutable Elements
Field Description
DataVolumeThreshold Set threshold for outbound transfer size exceeding typical C2 traffic (e.g., >1MB in <5min).
KnownBenignProcesses List of approved processes that may exhibit high outbound traffic (e.g., updates).

Linux

AN0989

Monitors for processes reading sensitive files then immediately initiating unusual outbound connections or bulk transfer sessions over persistent sockets, particularly with encrypted or binary payloads.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Network Connection Creation (DC0082) auditd:SYSCALL connect
Network Traffic Content (DC0085) NSM:Flow conn.log + files.log + ssl.log
Network Traffic Flow (DC0078) NSM:Flow session stats with bytes_out > bytes_in
Mutable Elements
Field Description
OutboundEntropyScore Threshold for high-entropy payloads indicative of encoded or encrypted exfil data.
ConnectionDuration Defines length of time over which transfer size must be aggregated to trigger detection.

macOS

AN0990

Detects unauthorized applications or scripts accessing sensitive data followed by establishing encrypted outbound communication to rare external destinations or with abnormal byte ratios.

Log Sources
Data Component Name Channel
Network Traffic Content (DC0085) macos:unifiedlog eventMessage = ‘open’, ‘sendto’, ‘connect’
Network Traffic Flow (DC0078) macos:osquery socket_events
Process Creation (DC0032) macos:osquery process_events
Mutable Elements
Field Description
ParentProcessAncestry Enables defenders to tune legitimate vs. suspicious lineage (e.g., launchd → curl is uncommon).
ProtocolList Focus detection on unusual protocols (e.g., IRC, FTP, DNS over HTTPS).

ESXi

AN0991

Detects VMs sending outbound traffic through non-standard services or to unknown destinations. Exfiltration over reverse shells tunneled via VMkernel or custom payloads routed via hostd/vpxa.

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) esxi:vpxa connection attempts and data transmission logs
Network Traffic Content (DC0085) esxi:vmkernel network stack module logs
File Access (DC0055) esxi:syslog guest OS outbound transfer logs
Mutable Elements
Field Description
GuestOSAllowList Limit detection to sensitive or externally-exposed VMs handling confidential data.
TransferSizeThresholdMB Minimum outbound transfer size before flagging anomalous C2-based exfiltration.
ProtocolAllowList Define expected protocols for outbound data (e.g., disallow FTP/SCP over high ports).