1. Home
  2. ATT&CK Techniques
  3. T1048 Exfiltration Over Alternative Protocol

T1048 Exfiltration Over Alternative Protocol Mappings

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.

Exfiltration Over Alternative Protocol can be done using various common operating system utilities such as Net/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux <code>curl</code> may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques)

Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or Cloud API.

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Export data Export data to another site or system related-to T1048 Exfiltration Over Alternative Protocol
attribute.confidentiality.data_disclosure None related-to T1048 Exfiltration Over Alternative Protocol

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
chrome_enterprise_premium Chrome Enterprise Premium technique_scores T1048 Exfiltration Over Alternative Protocol
Comments
Chrome Enterprise Premium provides Data Loss Prevention (DLP) features that can detect and block sensitive data for files that are uploaded and downloaded and for content that is pasted or dragged and dropped via the Chrome browser. This can provide protection against adversaries that may try to steal data over network protocols.
References
  1. ['https://cloud.google.com/beyondcorp-enterprise/docs/overview']
cloud_ids Cloud IDS technique_scores T1048 Exfiltration Over Alternative Protocol
Comments
Often used by adversaries to compromise sensitive data, Palo Alto Network's spyware signatures is able to detect data exfiltration attempts over command and control communications. Although there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.
References
  1. ['https://cloud.google.com/intrusion-detection-system'
  2. 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']
cloud_ngfw Cloud Next-Generation Firewall (NGFW)_ technique_scores T1048 Exfiltration Over Alternative Protocol
Comments
Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols.
References
  1. ['https://cloud.google.com/firewalls']
google_secops Google Security Operations technique_scores T1048 Exfiltration Over Alternative Protocol
Comments
Google Security Ops is able to trigger an alert based off suspicious system processes that could indicate exfiltration attempts using cURL from Windows machines (e.g., C:\\Windows\\System32\\curl.exe). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_curl_usage.yaral
References
  1. ['https://cloud.google.com/security/products/security-operations'
  2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
  3. 'https://github.com/chronicle/detection-rules']

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
amazon_guardduty Amazon GuardDuty technique_scores T1048 Exfiltration Over Alternative Protocol
Comments
The following GuardDuty finding type flags events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command-and-control channel. Trojan:EC2/DNSDataExfiltration Behavior:EC2/TrafficVolumeUnusual
References
  1. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan
  2. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1048 Exfiltration Over Alternative Protocol
Comments
VPC security groups and network access control lists (NACLs) can limit access to external hosts and can therefore provide mitigation of this technique. For environments where Internet access is required, these controls can be used to block known malicious addresses. Because this latter protection is limited to known malicious endpoints, it provides Partial coverage resulting in an overall Partial score.
References
  1. https://docs.aws.amazon.com/vpc/latest/userguide/security.html
aws_iot_device_defender AWS IoT Device Defender technique_scores T1048 Exfiltration Over Alternative Protocol
Comments
This control provides partial coverage for this technique and all of its sub-techniques, resulting in an overall score of Partial.
References
  1. https://aws.amazon.com/iot-device-defender/
  2. https://docs.aws.amazon.com/iot-device-defender
  3. https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions
  4. https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases
  5. https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics
  6. https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics
  7. https://docs.aws.amazon.com/iot/latest/developerguide/device-defender
  8. https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit
  9. https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect
aws_network_firewall AWS Network Firewall technique_scores T1048 Exfiltration Over Alternative Protocol
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols.
References
  1. https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol 5
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 5
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol 6