
Hunting with Elastic Security: Exfiltration over C2 channel

Adversaries often exfiltrate data over a command and control (C2) channel they have already established, embedding the stolen data in ongoing C2 traffic so that no separate, conspicuous connection is needed. MITRE ATT&CK® catalogues this as Exfiltration Over C2 Channel, T1041. Because the channel already blends in with normal traffic, detection depends on spotting unusual data transfer patterns before sensitive data leaves the environment. Several hunting approaches apply:

- Identify network connections that send a large volume of data to an external destination, and track how long the transfer lasts: sustained, high-volume outbound flows to a single external host are a strong signal.
- Look for abnormally long DNS queries, which can indicate DNS tunneling, where data is encoded into the query name itself.
- Inspect unencrypted HTTP traffic for large request bodies carrying encoded (for example base64) payloads.
- Alert on the execution of known post-exploitation frameworks such as Cobalt Strike and Meterpreter, since their presence points to active C2.
- Watch for spikes in outbound traffic over ports commonly used for C2, which can expose exfiltration riding on an otherwise normal-looking service.
- Correlate suspicious domain lookups with the process that issued them to surface Tor-based C2 communications.
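The following is an added example, not code from the original page or from Elastic's own detection rules. It runs three of the hunts described above (large sustained transfer to an external host, abnormally long DNS query name, large base64-encoded body over plaintext HTTP) over a handful of constructed events that use ECS field names with dotted keys. The thresholds, the host name, and the sample addresses (RFC 5737 documentation ranges) are assumptions chosen for illustration and would need tuning in a real environment.

```python
"""Toy T1041 hunting logic over ECS-style events (constructed sample data, added example)."""
import base64
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Thresholds are assumptions for this example, not values taken from the page or any Elastic rule.
LARGE_OUTBOUND_BYTES = 10 * 1024 * 1024  # total bytes sent to one external host:port
LONG_DNS_NAME = 100                      # total query name length, characters
LONG_DNS_LABEL = 52                      # longest single label, characters (RFC limit is 63)
LARGE_HTTP_BODY = 64 * 1024              # request body size, bytes
BASE64_BODY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# "Internal" is defined explicitly so that the documentation ranges used below count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    """True when the address is outside the RFC 1918, loopback and link-local ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(events):
    """Return a list of finding dicts for ECS-style event dicts keyed by dotted field names."""
    findings = []
    volume = defaultdict(int)   # (host, dst_ip, dst_port) -> bytes sent
    first, last = {}, {}        # per key: earliest / latest timestamp, for transfer duration

    for ev in events:
        host = ev["host.name"]
        ts = datetime.fromisoformat(ev["@timestamp"])

        if "dns.question.name" in ev:
            name = ev["dns.question.name"]
            longest = max(len(label) for label in name.split("."))
            if len(name) > LONG_DNS_NAME or longest > LONG_DNS_LABEL:
                findings.append({"rule": "long_dns_query", "host": host,
                                 "detail": f"{len(name)} chars, longest label {longest}: {name}"})

        elif "http.request.body.content" in ev:
            body = ev["http.request.body.content"]
            size = ev.get("http.request.body.bytes", len(body))
            # Only plaintext HTTP can be inspected this way; TLS bodies are opaque to the sensor.
            if ev.get("url.scheme") == "http" and size > LARGE_HTTP_BODY and BASE64_BODY.match(body):
                findings.append({"rule": "large_encoded_http_post", "host": host,
                                 "detail": f"{size}-byte encoded body to {ev.get('url.domain')}"})

        elif "destination.ip" in ev and is_external(ev["destination.ip"]):
            key = (host, ev["destination.ip"], ev["destination.port"])
            volume[key] += ev.get("source.bytes", 0)
            first.setdefault(key, ts)
            last[key] = max(last.get(key, ts), ts)

    for key, total in volume.items():
        if total > LARGE_OUTBOUND_BYTES:
            host, ip, port = key
            secs = (last[key] - first[key]).total_seconds()
            findings.append({"rule": "large_external_transfer", "host": host, "bytes": total,
                             "duration_s": secs, "detail": f"{total} bytes to {ip}:{port} over {secs:.0f}s"})
    return findings


def _net(ts, dst, port, sent):
    return {"@timestamp": ts, "host.name": "ws-07", "destination.ip": dst,
            "destination.port": port, "source.bytes": sent}


# Constructed sample events: one noisy workstation, plus benign traffic that must not fire.
_ENCODED_BODY = base64.b64encode(b"\x00" * 60_000).decode()          # 80,000 base64 chars
_LONG_LABEL = base64.b64encode(b"exfil_chunk_001_base64_encoded_data_goes_here").decode()  # 60 chars
SAMPLE_EVENTS = [
    _net("2024-05-01T10:00:00+00:00", "203.0.113.10", 443, 4 * 1024 * 1024),
    _net("2024-05-01T10:01:00+00:00", "203.0.113.10", 443, 4 * 1024 * 1024),
    _net("2024-05-01T10:02:00+00:00", "203.0.113.10", 443, 4 * 1024 * 1024),
    _net("2024-05-01T10:03:00+00:00", "10.0.0.5", 445, 50 * 1024 * 1024),   # internal file share: ignored
    {"@timestamp": "2024-05-01T10:04:00+00:00", "host.name": "ws-07",
     "dns.question.name": "update.example.com"},                            # benign lookup
    {"@timestamp": "2024-05-01T10:05:00+00:00", "host.name": "ws-07",
     "dns.question.name": f"{_LONG_LABEL}.t.example.com"},                  # tunneling-style label
    {"@timestamp": "2024-05-01T10:06:00+00:00", "host.name": "ws-07", "url.scheme": "http",
     "url.domain": "198.51.100.7", "http.request.method": "POST",
     "http.request.body.bytes": len(_ENCODED_BODY), "http.request.body.content": _ENCODED_BODY},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["rule"], f["host"], f["detail"])
```

In Elastic itself the same three checks would be written as rules over the same fields (a threshold or aggregation on `source.bytes` per destination, a length check on `dns.question.name`, a size plus content check on `http.request.body.*`); the value of the stand-alone script is that it makes the per-destination aggregation and the transfer-duration tracking explicit, which a single-event match rule cannot express.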