DET0348: Detection Strategy for Exfiltration Over C2 Channel
Analyst context for executives and security teams
DET0348 is a MITRE detection strategy associated with Exfiltration Over C2 Channel, where stolen data is sent through an existing command-and-control channel rather than a separate transfer path. For leaders, the practical issue is that data loss may look like continued attacker communications, so coverage depends on whether teams can see, retain, and investigate suspicious outbound C2 traffic from enterprise platforms in scope.
Executive priority
Treat this as a data-loss and incident-response readiness question, not only a malware-detection question. Executives should ask whether the organization can prove visibility into outbound communications from Windows, Linux, macOS, and ESXi systems where relevant, and whether SOC and IR teams can distinguish routine network activity from possible exfiltration hidden inside an already-established C2 channel. This matters for breach scoping, regulatory evidence, and prioritizing egress monitoring and response playbooks.
Technical view
The supplied ATT&CK strategy has no official detection text, platforms, or tactics of its own, but it detects T1041, Exfiltration Over C2 Channel, under the exfiltration tactic. Detection engineering should therefore validate controls around outbound C2-like communications and data movement over the same protocol used for attacker control. Focus on whether telemetry can connect host identity, process or workload context where available, destination information, timing, volume, and session behavior across ESXi, Linux, macOS, and Windows assets in scope.
Likely telemetry
- Network flow records for outbound sessions, including source, destination, ports, protocol, timing, and byte counts
- Proxy, firewall, secure web gateway, or egress filtering logs where those controls observe outbound communications
- DNS telemetry associated with destinations used by suspicious outbound sessions
- Endpoint or workload telemetry that can associate outbound network activity with a host, user, process, or service where available
- Incident response packet capture or session metadata for high-priority investigations, if collected and legally permitted
Detection direction
- Validate that detections do not look only for separate exfiltration tools or file-transfer protocols; T1041 can use the existing C2 protocol/channel.
- Baseline outbound traffic patterns for critical systems and investigate unusual volume, duration, timing, destination changes, or repeated encoded-looking transfers over established suspicious channels.
- Correlate network indicators with host context to reduce false positives from legitimate administrative tools, backup activity, software updates, or approved remote management traffic.
- Confirm visibility for the related technique platforms: ESXi, Linux, macOS, and Windows. Coverage gaps on server, virtualization, or non-Windows assets can materially weaken confidence.
- Use relationship context carefully: this object is a detection strategy for T1041, but MITRE supplied no specific analytic logic, thresholds, or data source requirements for DET0348 itself.
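The baselining and correlation steps in the bullets above can be illustrated with a small script. This is an added example and not MITRE or Glexia code: it assumes flow records carrying host, process (from endpoint telemetry, where available), destination, port and outbound byte count, builds a per-channel volume baseline using a robust median/MAD spread, flags later sessions on an established channel whose outbound volume departs sharply from that baseline, and suppresses known-approved egress (the hypothetical `APPROVED_EGRESS` allowlist). The flow records, hostnames, destinations and thresholds are constructed for the example.

```python
"""Flag outbound sessions whose volume departs from a per-channel baseline.

Added example; not part of the DET0348 object or any MITRE/Glexia tooling.
Sample flows, thresholds and the approved-egress list are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

MIN_BASELINE_FLOWS = 5   # prior sessions needed before a channel is judged (assumed)
DEVIATION_K = 6          # robust deviations above the median that count as anomalous (assumed)


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since epoch (constructed values)
    host: str        # source asset from flow records / asset inventory
    process: str     # process or service attributed by endpoint telemetry ("" if unknown)
    dst: str
    dport: int
    bytes_out: int   # outbound bytes for the session


def _beacon(ts: int, size: int) -> Flow:
    # Constructed: a workstation beaconing small payloads to one destination over 443
    return Flow(ts, "ws-017", "update.exe", "203.0.113.10", 443, size)


SAMPLE_FLOWS = [
    _beacon(t, s) for t, s in zip(range(0, 600, 60),
                                  [412, 398, 455, 430, 401, 447, 389, 420, 433, 405])
] + [
    _beacon(4000, 48_000_000),   # same channel and process, suddenly a large upload
    Flow(4100, "ws-017", "backup-agent", "backup.internal.example", 443, 2_000_000_000),
    Flow(4200, "srv-03", "sshd", "198.51.100.7", 22, 900_000),  # no history on this channel
]

# Hypothetical allowlist of (process, destination, port) tuples for approved egress,
# e.g. backup agents, update services, approved remote management.
APPROVED_EGRESS = {("backup-agent", "backup.internal.example", 443)}


def channel(flow: Flow) -> tuple:
    """A channel is one host talking to one destination and port."""
    return (flow.host, flow.dst, flow.dport)


def build_baseline(flows, until_ts: int) -> dict:
    """Median and robust spread of bytes_out per channel, using flows before until_ts."""
    sizes_by_channel = defaultdict(list)
    for f in flows:
        if f.ts < until_ts:
            sizes_by_channel[channel(f)].append(f.bytes_out)
    baseline = {}
    for ch, sizes in sizes_by_channel.items():
        if len(sizes) < MIN_BASELINE_FLOWS:
            continue  # too little history; new-channel detection is a separate analytic
        med = median(sizes)
        mad = median(abs(s - med) for s in sizes)
        # Floor the spread so a perfectly regular beacon does not divide by ~0
        baseline[ch] = (med, max(mad, 0.1 * med, 1.0))
    return baseline


def score_flow(flow: Flow, baseline: dict):
    """Robust z-score of a session's outbound volume, or None if approved or unbaselined."""
    if (flow.process, flow.dst, flow.dport) in APPROVED_EGRESS:
        return None
    stats = baseline.get(channel(flow))
    if stats is None:
        return None
    med, spread = stats
    return (flow.bytes_out - med) / spread


def find_anomalies(flows, baseline_until: int, k: float = DEVIATION_K):
    """Return (flow, score) pairs for post-baseline sessions with unusual outbound volume."""
    baseline = build_baseline(flows, baseline_until)
    hits = []
    for f in flows:
        if f.ts < baseline_until:
            continue
        z = score_flow(f, baseline)
        if z is not None and z >= k:
            hits.append((f, round(z, 1)))
    return hits


if __name__ == "__main__":
    for flow, score in find_anomalies(SAMPLE_FLOWS, baseline_until=1000):
        print(f"{flow.host} {flow.process} -> {flow.dst}:{flow.dport} "
              f"bytes_out={flow.bytes_out} score={score}")
```

In the constructed data only the large upload over the established beacon channel is reported; the backup transfer is suppressed by the allowlist, and the SSH session on `srv-03` is skipped because the channel has no baseline. In production the baseline window would be hours or days of flow history per host, and the allowlist would come from asset and ownership context rather than a hard-coded set.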
Mitigation priorities
- Prioritize egress visibility and control for systems that hold sensitive data or support critical operations.
- Ensure incident response playbooks include data-exfiltration scoping when C2 activity is confirmed, including review of outbound volume and destinations.
- Maintain asset and ownership context so SOC teams can quickly determine whether suspicious outbound traffic involves sensitive systems.
- Review logging retention for network and endpoint telemetry so investigations can reconstruct suspected exfiltration over time.
- Document control coverage and known blind spots for audit, breach notification readiness, and risk acceptance decisions.
Analyst notes and limits
The most decision-useful fact is the relationship: DET0348 detects T1041, Exfiltration Over C2 Channel. Because the strategy object itself lacks an official description and detection content, this analysis emphasizes validation questions and telemetry classes rather than prescriptive analytics.
No official DET0348 description, detection logic, tactics, or platforms were supplied. Platform and tactic context comes only from the related T1041 technique. Local network architecture, logging coverage, retention, encryption inspection policy, and approved remote administration patterns are required before judging actual detection coverage.
Detection Strategy for Exfiltration Over C2 Channel
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1041 | Exfiltration Over C2 Channel | This object detects Exfiltration Over C2 Channel. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 83d5f8bf8dc0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0348
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.