Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.
Exfiltration Over Alternative Protocol can be done using various common operating system utilities such as Net/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux <code>curl</code> may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques)
Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or Cloud API.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| AC-02 | Account Management | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| AC-20 | Use of External Systems | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| AC-23 | Data Mining Protection | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| AC-03 | Access Enforcement | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| AC-04 | Information Flow Enforcement | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| AC-06 | Least Privilege | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| CA-03 | Information Exchange | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| CA-07 | Continuous Monitoring | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| CM-02 | Baseline Configuration | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| CM-06 | Configuration Settings | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| CM-07 | Least Functionality | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| SA-08 | Security and Privacy Engineering Principles | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| SA-09 | External System Services | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| SC-28 | Protection of Information at Rest | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| SC-31 | Covert Channel Analysis | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| SC-46 | Cross Domain Policy Enforcement | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| SC-07 | Boundary Protection | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| SI-10 | Information Input Validation | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| SI-15 | Information Output Filtering | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| SI-03 | Malicious Code Protection | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| SI-04 | System Monitoring | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| SR-04 | Provenance | Protects | T1048 | Exfiltration Over Alternative Protocol | |
| PUR-IP-E5 | Information Protection | Technique Scores | T1048 | Exfiltration Over Alternative Protocol |
Comments
Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly.
Information Protection Protects from Exfiltration Over Alternative Protocol attacks due to it preventing users from uploading unprotected data to the cloud, by using the Defender for Cloud Apps session controls.
License Requirements:
Microsoft Defender for Office 365 plan 1 and plan 2
References
|
| DEF-AIR-E5 | Automated Investigation and Response | Technique Scores | T1048 | Exfiltration Over Alternative Protocol |
Comments
Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.
AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.
Required licenses
E5 or Microsoft Defender for Office 365 Plan 2 licenses.
References
|
| DO365-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1048 | Exfiltration Over Alternative Protocol |
Comments
Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.
Advanced Threat Hunting Detects Exfiltration Over Alternative Protocol attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitors for newly constructed network connections.
License Requirements:
Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | 12 |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 23 |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 23 |