T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol
| View on MITRE ATT&CK | T1048.003 |
|---|---|
| Tactic(s) | Exfiltration |
Data from MITRE ATT&CK®:
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)
Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
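The MITRE text above names base64 encoding inside DNS as one way data is hidden without encryption. The following Python is an added example for this page, not part of the MITRE text nor of the Atomic Red Team or Sigma content listed further down. It shows the technique end to end: a payload is chunked into base64 labels under an attacker-controlled zone, and a detector scores query names from a Zeek-style dns.log for long, high-entropy labels, the kind of signal the "Suspicious DNS Query with B64 Encoded String" rule listed below is after. The zone name (`exfil.example`), payload, hosts and log records are all constructed.

```python
"""Base64 payload carried in DNS labels, and a content-based detector for it.

Added illustration for this page, not code from MITRE, Atomic Red Team or any
Sigma rule. Zone name, payload, IPs and log records are constructed.
"""
import base64
import math
from collections import Counter

ZONE = "exfil.example"  # hypothetical attacker-controlled zone
SECRET = (b"user=alice password=Sup3rS3cret! host=db01.corp.example "
          b"role=dba note=rotate-quarterly")  # constructed payload


# ---- adversary side: the encoding the MITRE description refers to ----
def encode_as_dns_queries(data: bytes, zone: str, label_len: int = 60) -> list[str]:
    """Base64url-encode data and emit one query name per label of <= 63 bytes.

    A leading sequence-number label lets the receiver reorder. Nothing is
    encrypted; the bytes are only encoded so they survive as a hostname. DNS is
    case-insensitive, so real tooling often prefers base32 or hex; base64 is used
    here because it is the example MITRE gives.
    """
    b64 = base64.urlsafe_b64encode(data).decode().rstrip("=")
    chunks = [b64[i:i + label_len] for i in range(0, len(b64), label_len)]
    return [f"{seq}.{chunk}.{zone}" for seq, chunk in enumerate(chunks)]


def decode_dns_queries(queries: list[str], zone: str) -> bytes:
    """Receiver side: strip the zone, reorder by sequence label, re-pad, decode."""
    parts = {}
    for q in queries:
        seq, chunk = q[: -len(zone) - 1].split(".", 1)
        parts[int(seq)] = chunk
    b64 = "".join(parts[i] for i in sorted(parts))
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


# ---- defender side: Network Traffic Content check over dns.log ----
def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_suspicious_query(qname: str, min_label_len: int = 30,
                        min_entropy: float = 3.5) -> bool:
    """True if any subdomain label is long and high-entropy, as encoded payload is.

    Only labels left of the registrable domain are scored; cutting the last two
    labels is a simplification (use a public-suffix list in production). Known
    benign sources of long labels: DKIM selectors, DNSBL lookups, some CDNs.
    """
    labels = qname.rstrip(".").split(".")
    return any(len(lab) >= min_label_len and shannon_entropy(lab) >= min_entropy
               for lab in labels[:-2])


def parse_zeek_tsv(text: str) -> list[dict[str, str]]:
    """Minimal Zeek TSV reader: column names come from the #fields header line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def detect_dns_exfil(dns_log: str) -> dict[str, list[str]]:
    """Group flagged query names by source host, the unit an analyst would triage."""
    hits: dict[str, list[str]] = {}
    for row in parse_zeek_tsv(dns_log):
        if is_suspicious_query(row["query"]):
            hits.setdefault(row["id.orig_h"], []).append(row["query"])
    return hits


def build_sample_log() -> str:
    """Constructed dns.log excerpt (subset of Zeek's columns): benign lookups
    from 10.0.0.7 plus the encoded payload queried by 10.0.0.5."""
    benign = ["www.example.com", "mail.example.com", "cdn.example.net"]
    rows = [("10.0.0.7", q, "A") for q in benign]
    rows += [("10.0.0.5", q, "TXT") for q in encode_as_dns_queries(SECRET, ZONE)]
    lines = ["#fields\tts\tid.orig_h\tquery\tqtype_name"]
    for i, (src, qname, qtype) in enumerate(rows):
        lines.append("\t".join((f"{1700000000 + i}.0", src, qname, qtype)))
    return "\n".join(lines)


if __name__ == "__main__":
    assert decode_dns_queries(encode_as_dns_queries(SECRET, ZONE), ZONE) == SECRET
    for src, names in detect_dns_exfil(build_sample_log()).items():
        print(f"{src}: {len(names)} suspicious queries, e.g. {names[0]}")
```

The thresholds are starting points, not a verdict: an adversary can shrink `label_len` below `min_label_len` and spread the payload over many more queries, so in practice the per-label score is combined with the query count and unique-subdomain count per source host and per zone, which the Network Traffic Flow data component below supplies.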
Mitigations for this technique
MITRE ATT&CK Mitigations
Network Segmentation
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services...
Network Intrusion Prevention
Use intrusion detection signatures to block traffic at network boundaries.
Data Loss Prevention
Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data. (Citation: PurpleSec Data Loss Prevention)
Filter Network Traffic
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
How to detect this technique
MITRE ATT&CK Data Components
Network Traffic Content (Network Traffic)
Logged network traffic data showing both protocol header and body values (ex: PCAP)
Network Traffic Flow (Network Traffic)
Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
File Access (File)
Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)
Network Connection Creation (Network Traffic)
Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Exfiltration Over Alternative Protocol - HTTP
Exfiltration Over Alternative Protocol - ICMP
Exfiltration Over Alternative Protocol - SMTP
Exfiltration Over Alternative Protocol - FTP - Rclone
Python3 http.server
Exfiltration Over Alternative Protocol - DNS
Exfiltration Over Alternative Protocol - HTTP
MAZE FTP Upload
Sigma Detections for this Technique
WebDav Client Execution Via Rundll32.EXE
WebDav Put Request
Suspicious Outbound SMTP Connections
Powershell Exfiltration Over SMTP
Suspicious DNS Query with B64 Encoded String
Suspicious WebDav Client Execution Via Rundll32.EXE
Data Exfiltration with Wget
PowerShell ICMP Exfiltration
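The Sigma rules above key on specific client tooling (PowerShell cmdlets, wget, the rundll32 WebDAV client), so an uploader they do not name slips past them. A complementary, tool-agnostic check uses the Network Traffic Flow data component listed under "How to detect this technique": per-connection byte counts. The following Python is an added example for this page, not one of the listed Sigma rules or Atomic tests; it sums bytes sent over plaintext services per source/destination pair and flags both raw volume and lopsided upload ratios. The conn.log excerpt (a subset of Zeek's columns, tab-separated with a header row), the hosts, the allowlist and the thresholds are all constructed.

```python
"""Volume-based check for plaintext egress over Zeek conn.log flow summaries.

Added illustration for this page, not a Sigma rule or Atomic test. Records,
hosts, allowlist and thresholds are constructed.
"""
import csv
import io
from collections import defaultdict

# Plaintext, non-C2 services the technique description names; "icmp" is added
# so ping-based exfil (see the ICMP Atomic test) stays in scope.
PLAINTEXT_SERVICES = {"http", "ftp", "ftp-data", "smtp", "dns", "icmp"}
# Hypothetical allowlist: the internal resolver and mail relay, where these
# protocols are expected and would otherwise dominate the totals.
ALLOWED_DESTINATIONS = {("10.0.0.2", 53), ("10.0.0.9", 25)}

# Constructed conn.log excerpt: header row plus a subset of Zeek's columns.
SAMPLE_CONN_LOG = "\n".join([
    "ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes",
    # 10.0.0.5 pushes ~6 MB out over plain HTTP in three connections
    "1700000000.0\t10.0.0.5\t51000\t203.0.113.10\t80\ttcp\thttp\t2000000\t500",
    "1700000010.0\t10.0.0.5\t51001\t203.0.113.10\t80\ttcp\thttp\t2000000\t500",
    "1700000020.0\t10.0.0.5\t51002\t203.0.113.10\t80\ttcp\thttp\t2000000\t500",
    # ordinary browsing: small request, large response
    "1700000030.0\t10.0.0.7\t52000\t203.0.113.20\t80\ttcp\thttp\t2000\t150000",
    # mail to the allowlisted relay and DNS to the internal resolver are ignored
    "1700000040.0\t10.0.0.7\t52001\t10.0.0.9\t25\ttcp\tsmtp\t40000\t800",
    "1700000041.0\t10.0.0.7\t52002\t10.0.0.2\t53\tudp\tdns\t60\t120",
    # Zeek writes '-' for unset byte counts (e.g. a connection reset early)
    "1700000045.0\t10.0.0.7\t52003\t203.0.113.30\t80\ttcp\thttp\t-\t-",
    # 10.0.0.8 uploads 800 kB over FTP in four chunks: modest per connection,
    # lopsided in aggregate
    "1700000050.0\t10.0.0.8\t53000\t198.51.100.5\t21\ttcp\tftp\t200000\t300",
    "1700000060.0\t10.0.0.8\t53001\t198.51.100.5\t21\ttcp\tftp\t200000\t300",
    "1700000070.0\t10.0.0.8\t53002\t198.51.100.5\t21\ttcp\tftp\t200000\t300",
    "1700000080.0\t10.0.0.8\t53003\t198.51.100.5\t21\ttcp\tftp\t200000\t300",
    # ICMP echo: Zeek puts type/code in the port columns and no service; echo
    # replies mirror the request payload, so the byte ratio is close to 1
    "1700000100.0\t10.0.0.5\t8\t203.0.113.10\t0\ticmp\t-\t50000\t50000",
])


def zeek_int(value: str) -> int:
    """Zeek writes '-' for unset numeric fields."""
    return 0 if value == "-" else int(value)


def summarize_egress(conn_log: str) -> dict:
    """Sum bytes per (src, dst, port, service) for plaintext services, skipping
    allowlisted destinations. Returns a dict keyed by that tuple."""
    totals = defaultdict(lambda: {"orig_bytes": 0, "resp_bytes": 0, "conns": 0})
    for row in csv.DictReader(io.StringIO(conn_log), delimiter="\t"):
        service = "icmp" if row["proto"] == "icmp" else row["service"]
        dst = (row["id.resp_h"], int(row["id.resp_p"]))
        if service not in PLAINTEXT_SERVICES or dst in ALLOWED_DESTINATIONS:
            continue
        key = (row["id.orig_h"], dst[0], dst[1], service)
        totals[key]["orig_bytes"] += zeek_int(row["orig_bytes"])
        totals[key]["resp_bytes"] += zeek_int(row["resp_bytes"])
        totals[key]["conns"] += 1
    return totals


def flag_exfil(totals: dict, max_bytes: int = 5_000_000,
               min_upload_ratio: float = 10.0) -> list:
    """Alert on a pair when outbound volume exceeds max_bytes, or when several
    connections together are extremely upload-heavy (chunked uploads).

    Each alert is (key, reason, value). Note the blind spot visible in the sample:
    ICMP echo replies mirror the payload, so the ratio test never fires for ping
    exfil; only volume or query/packet counts per destination catch it at flow level.
    """
    alerts = []
    for key, t in totals.items():
        ratio = t["orig_bytes"] / max(t["resp_bytes"], 1)
        if t["orig_bytes"] >= max_bytes:
            alerts.append((key, "volume", t["orig_bytes"]))
        elif t["conns"] >= 3 and ratio >= min_upload_ratio and t["orig_bytes"] >= 100_000:
            alerts.append((key, "upload-heavy", round(ratio, 1)))
    return alerts


if __name__ == "__main__":
    for key, reason, value in flag_exfil(summarize_egress(SAMPLE_CONN_LOG)):
        print(f"{key[0]} -> {key[1]}:{key[2]} ({key[3]}): {reason} {value}")
```

Run against real conn.log exports, the allowlist should come from the network inventory (proxies, relays, resolvers) and the thresholds from a per-host baseline; a flat 5 MB cut-off is only a placeholder for the sample.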
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.