Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.
Exfiltration Over Alternative Protocol can be done using various common operating system utilities such as Net/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Export data | Export data to another site or system | related-to | T1048 | Exfiltration Over Alternative Protocol |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1048 | Exfiltration Over Alternative Protocol |
Comments
The following GuardDuty finding type flags events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command-and-control channel.
Trojan:EC2/DNSDataExfiltration Behavior:EC2/TrafficVolumeUnusual
References
|
| aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1048 | Exfiltration Over Alternative Protocol |
Comments
This control provides partial coverage for this technique and all of its sub-techniques, resulting in an overall score of Partial.
References
|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1048 | Exfiltration Over Alternative Protocol |
Comments
VPC security groups and network access control lists (NACLs) can limit access to external hosts and can therefore provide mitigation of this technique. For environments where Internet access is required, these controls can be used to block known malicious addresses. Because this latter protection is limited to known malicious endpoints, it provides Partial coverage resulting in an overall Partial score.
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1048 | Exfiltration Over Alternative Protocol |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 16 |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | 16 |
| T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 17 |