Insider Threat Matrix™Insider Threat Matrix™
  • ID: IF004.009
  • Created: 06th July 2026
  • Updated: 06th July 2026
  • MITRE ATT&CK®: T1041
  • Contributor: The ITM Team

Exfiltration via Command-and-Control Channel

A subject exfiltrates organizational data through an existing command-and-control channel established by malware, a remote access tool, backdoor, implant, agent, or unauthorized remote administration framework. The same communication pathway used to issue commands, maintain remote access, or control the compromised system is also used to transmit data outside the organization’s control.

 

This infringement may involve files, credentials, screenshots, system information, database exports, or other collected data being sent over HTTP/S, TCP, DNS, encrypted tunnels, or proprietary remote access protocols. Because the exfiltration occurs over an already established control channel, the data transfer may appear as part of existing outbound traffic rather than a separate upload or file-sharing event.