Author: Justin Higdon
Word count: 1242
Language: English

Summary

In "Hunting with Elastic Security: Exfiltration over C2 channel," Justin Higdon discusses the stealthy technique of exfiltrating data over Command and Control (C2) channels, as outlined by MITRE ATT&CK® T1041. This method allows adversaries to disguise data theft within legitimate C2 traffic, making it difficult to detect amidst the typical network noise. Higdon emphasizes the importance of understanding this technique to prevent sensitive data from being exfiltrated undetected. The article highlights the need for analyzing various data sources such as network traffic, process monitoring, DNS, and proxy logs to identify unusual patterns that could indicate exfiltration attempts. It provides strategies and specific Elastic Security Query Language (ES|QL) queries to detect covert activities, advocating for continuous monitoring and proactive threat hunting to enhance security defenses. The piece underscores the dynamic nature of cybersecurity threats and encourages leveraging resources from Elastic Security Labs to stay ahead of adversaries.