Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.
Exfiltration Over Alternative Protocol can be done using various common operating system utilities such as Net/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux, `curl` may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques)
Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or Cloud API.
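As an added example (not part of the ATT&CK description or of the mappings on this page), the Python below sketches the detection signal behind the DNS-focused entries in the mappings: a client issuing many unique, long, high-entropy names under one parent zone, which is how DNS-based exfiltration looks from the resolver's side. The log format, the thresholds and the two-label zone approximation are assumptions, and the sample log is constructed.

```python
import math
from collections import defaultdict

# Constructed sample DNS log, one "client_ip qname" per line (not a real capture):
# 10.0.0.7 sends ordinary short names; 10.0.0.9 sends hex-looking chunk labels.
SAMPLE_LOG = """\
10.0.0.7 www.example.org
10.0.0.7 api.example.org
10.0.0.7 cdn.example.org
10.0.0.7 mail.example.org
10.0.0.9 4d5a90e8c3b1f27a.chunk.exfil-example.test
10.0.0.9 7e1fba0e00b409cd.chunk.exfil-example.test
10.0.0.9 9f3e7ac2d5b0184e.chunk.exfil-example.test
10.0.0.9 a6c0f9d3e27b5481.chunk.exfil-example.test
"""

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parent_zone(qname, depth=2):
    """Approximate the registered domain as the last `depth` labels (assumption: no public-suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-depth:])

def profile_clients(log_text):
    """Group queries by (client, parent zone): unique names plus leftmost-label length and entropy."""
    stats = defaultdict(lambda: {"names": set(), "lens": [], "ents": []})
    for line in log_text.splitlines():
        client, qname = line.split()
        first_label = qname.split(".")[0]
        entry = stats[(client, parent_zone(qname))]
        entry["names"].add(qname)
        entry["lens"].append(len(first_label))
        entry["ents"].append(shannon_entropy(first_label))
    return stats

def flag_dns_exfil(log_text, min_unique=4, min_label_len=12, min_entropy=3.0):
    """Return {client: zone} for clients sending many unique, long, high-entropy names to one zone; thresholds are assumed starting points to tune against a traffic baseline."""
    flagged = {}
    for (client, zone), s in profile_clients(log_text).items():
        mean_len = sum(s["lens"]) / len(s["lens"])
        mean_ent = sum(s["ents"]) / len(s["ents"])
        if len(s["names"]) >= min_unique and mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[client] = zone
    return flagged
```

The benign client 10.0.0.7 also sends several unique names to one zone, but its short, low-entropy labels keep it below the thresholds, which is why all three signals are combined rather than volume alone.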
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1048 | Exfiltration Over Alternative Protocol | This diagnostic statement provides for the implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS, providing protection against threats and exploitation attempts. |
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1048 | Exfiltration Over Alternative Protocol | This diagnostic statement protects against Exfiltration Over Alternative Protocol through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services. |
DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1048 | Exfiltration Over Alternative Protocol | This diagnostic statement provides protection from Exfiltration Over Alternative Protocol by using tools to detect and block the use of unauthorized devices and connections, preventing abuse by adversaries. |
PR.DS-01.02 | Data loss prevention | Mitigates | T1048 | Exfiltration Over Alternative Protocol | The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services. |
PR.DS-10.01 | Data-in-use protection | Mitigates | T1048 | Exfiltration Over Alternative Protocol | This diagnostic statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods, and authentication. Using encryption for data-in-use, alongside other safeguards such as restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats. |
DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1048 | Exfiltration Over Alternative Protocol | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some activity at the network level, specifically for adversaries known to steal data and/or encrypt or obfuscate alternate channels. |
PR.IR-01.01 | Network segmentation | Mitigates | T1048 | Exfiltration Over Alternative Protocol | This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Network firewall configurations that allow only necessary ports and traffic can mitigate exfiltration of data over alternate protocols. |
PR.IR-04.01 | Utilization monitoring | Mitigates | T1048 | Exfiltration Over Alternative Protocol | This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms for these types of network-based techniques may include Data Loss Prevention (DLP), filtering network traffic, limiting network traffic, Network Intrusion Prevention Systems (NIPS), and network segmentation. |
PR.IR-01.02 | Network device configurations | Mitigates | T1048 | Exfiltration Over Alternative Protocol | This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of alternate protocols to exfiltrate data. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1048 | Exfiltration Over Alternative Protocol | This diagnostic statement protects against Exfiltration Over Alternative Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation. |
PR.IR-01.04 | Wireless network protection | Mitigates | T1048 | Exfiltration Over Alternative Protocol | This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1048 | Exfiltration Over Alternative Protocol | This diagnostic statement protects against Exfiltration Over Alternative Protocol through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |
PR.PS-01.08 | End-user device protection | Mitigates | T1048 | Exfiltration Over Alternative Protocol | This diagnostic statement protects against Exfiltration Over Alternative Protocol by limiting access to resources to authorized devices only, managing personal computing devices, network intrusion prevention, and the use of antimalware. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Export data | Export data to another site or system | related-to | T1048 | Exfiltration Over Alternative Protocol | |
attribute.confidentiality.data_disclosure | None | related-to | T1048 | Exfiltration Over Alternative Protocol | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_dns | Alerts for DNS | technique_scores | T1048 | Exfiltration Over Alternative Protocol | Can detect anomalous use of DNS. Because this detection is specific to DNS, its coverage score is Minimal, resulting in an overall Minimal score. |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1048 | Exfiltration Over Alternative Protocol | This control's detection is specific to a minority of this technique's sub-techniques and procedure examples, resulting in a Minimal coverage score and consequently an overall score of Minimal. |
azure_dns_analytics | Azure DNS Analytics | technique_scores | T1048 | Exfiltration Over Alternative Protocol | This control can identify anomalous / high-talker DNS clients, possibly related to exfiltration via DNS. |
azure_firewall | Azure Firewall | technique_scores | T1048 | Exfiltration Over Alternative Protocol | This control provides partial protection for this technique's sub-techniques and some of its procedure examples, resulting in an overall Partial score. |
azure_network_security_groups | Azure Network Security Groups | technique_scores | T1048 | Exfiltration Over Alternative Protocol | NSGs can minimize the alternative protocols allowed to communicate externally. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1048 | Exfiltration Over Alternative Protocol | This control can detect anomalous traffic with respect to specific protocols/ports. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
chrome_enterprise_premium | Chrome Enterprise Premium | technique_scores | T1048 | Exfiltration Over Alternative Protocol | Chrome Enterprise Premium provides Data Loss Prevention (DLP) features that can detect and block sensitive data in files that are uploaded and downloaded and in content that is pasted or dragged and dropped via the Chrome browser. This can provide protection against adversaries that may try to steal data over network protocols. |
cloud_ids | Cloud IDS | technique_scores | T1048 | Exfiltration Over Alternative Protocol | Palo Alto Networks' spyware signatures are able to detect data exfiltration attempts over command and control communications, a method often used by adversaries to compromise sensitive data. Although there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as Significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks. |
cloud_ngfw | Cloud Next-Generation Firewall (NGFW) | technique_scores | T1048 | Exfiltration Over Alternative Protocol | Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data, as well as to prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. |
google_secops | Google Security Operations | technique_scores | T1048 | Exfiltration Over Alternative Protocol | Google Security Ops is able to trigger an alert based on suspicious system processes that could indicate exfiltration attempts using cURL from Windows machines (e.g., C:\Windows\System32\curl.exe). This technique was scored as Minimal based on a low or uncertain detection coverage factor. Reference: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_curl_usage.yaral |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_guardduty | Amazon GuardDuty | technique_scores | T1048 | Exfiltration Over Alternative Protocol | The following GuardDuty finding types flag events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command-and-control channel: Trojan:EC2/DNSDataExfiltration, Behavior:EC2/TrafficVolumeUnusual. |
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1048 | Exfiltration Over Alternative Protocol | VPC security groups and network access control lists (NACLs) can limit access to external hosts and can therefore provide mitigation of this technique. For environments where Internet access is required, these controls can be used to block known malicious addresses. Because this latter protection is limited to known malicious endpoints, it provides Partial coverage, resulting in an overall Partial score. |
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1048 | Exfiltration Over Alternative Protocol | This control provides partial coverage for this technique and all of its sub-techniques, resulting in an overall score of Partial. |
aws_network_firewall | AWS Network Firewall | technique_scores | T1048 | Exfiltration Over Alternative Protocol | AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol, as well as to perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data, as well as to prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | 27 |
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 41 |
T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 43 |