Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.
Exfiltration Over Alternative Protocol can be done using various common operating system utilities such as Net/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux <code>curl</code> may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques)
Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or Cloud API.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Export data | Export data to another site or system | related-to | T1048 | Exfiltration Over Alternative Protocol | |
| attribute.confidentiality.data_disclosure | None | related-to | T1048 | Exfiltration Over Alternative Protocol | |
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1048 | Exfiltration Over Alternative Protocol |
Comments
The following GuardDuty finding type flags events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command-and-control channel.
Trojan:EC2/DNSDataExfiltration Behavior:EC2/TrafficVolumeUnusual
References
|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1048 | Exfiltration Over Alternative Protocol |
Comments
VPC security groups and network access control lists (NACLs) can limit access to external hosts and can therefore provide mitigation of this technique. For environments where Internet access is required, these controls can be used to block known malicious addresses. Because this latter protection is limited to known malicious endpoints, it provides Partial coverage resulting in an overall Partial score.
References
|
| aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1048 | Exfiltration Over Alternative Protocol |
Comments
This control provides partial coverage for this technique and all of its sub-techniques, resulting in an overall score of Partial.
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1048 | Exfiltration Over Alternative Protocol |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | 5 |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 5 |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 6 |