EXPLORE
Sign In
← Back to Explore
T1048

Exfiltration Over Alternative Protocol

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. [Exfiltration Over Alternative Protocol](http...

ESXiIaaSLinuxmacOSNetwork DevicesOffice SuiteSaaSWindows
31
Detections
3
Sources
2
Threat Actors

BY SOURCE

17elastic9sigma5splunk_escu

PROCEDURES (26)

Persist2 detections

Auto-extracted: 2 detections for persist

Bypass2 detections

Auto-extracted: 2 detections for bypass

Download2 detections

Auto-extracted: 2 detections for download

Command And Control2 detections

Auto-extracted: 2 detections for command and control

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Service1 detections

Auto-extracted: 1 detections for service

C21 detections

Auto-extracted: 1 detections for c2

Cloud1 detections

Auto-extracted: 1 detections for cloud

Dump1 detections

Auto-extracted: 1 detections for dump

Dns1 detections

Auto-extracted: 1 detections for dns

Credential1 detections

Auto-extracted: 1 detections for credential

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Command And Control1 detections

Auto-extracted: 1 detections for command and control

C21 detections

Auto-extracted: 1 detections for c2

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Tunnel1 detections

Auto-extracted: 1 detections for tunnel

Service1 detections

Auto-extracted: 1 detections for service

Tunnel1 detections

Auto-extracted: 1 detections for tunnel

Inject1 detections

Auto-extracted: 1 detections for inject

Remote1 detections

Auto-extracted: 1 detections for remote

Dump1 detections

Auto-extracted: 1 detections for dump

Dns1 detections

Auto-extracted: 1 detections for dns

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Unusual1 detections

Auto-extracted: 1 detections for unusual

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

THREAT ACTORS (2)

PlayTeamTNT

DETECTIONS (31)

Copy From Or To Admin Share Or Sysvol Folder
sigmamedium
Data Export From MSSQL Table Via BCP.EXE
sigmamedium
DNS Exfiltration Using Nslookup App
splunk_escu
DNS TOR Proxies
sigmamedium
Excessive Usage of NSLOOKUP App
splunk_escu
File Transfer or Listener Established via Netcat
elasticmedium
File Transfer Utility Launched from Unusual Parent
elasticmedium
Netcat File Transfer or Listener Detected via Defend for Containers
elasticmedium
Network Activity Detected via cat
elasticmedium
Network Traffic to Rare Destination Country
elasticlow
O365 DLP Rule Triggered
splunk_escu
Ollama Possible Model Exfiltration Data Leakage
splunk_escu
Potential Data Exfiltration Through Curl
elasticmedium
Potential Data Exfiltration Through Wget
elasticmedium
Potential Data Exfiltration via Rclone
elasticmedium
Potential Database Dumping Activity
elasticlow
Powershell DNSExfiltration
sigmahigh
Prohibited Network Traffic Allowed
splunk_escu
PUA - Restic Backup Tool Execution
sigmahigh
Rare SMB Connection to the Internet
elasticmedium
SMB (Windows File Sharing) Activity to the Internet
elasticmedium
SMTP on Port 26/TCP
elasticlow
Spike in host-based traffic
elasticlow
Spike in Network Traffic To a Country
elasticlow
Suspicious Redirection to Local Admin Share
sigmahigh
Tap Driver Installation
sigmamedium
Tap Driver Installation - Security
sigmalow
Tap Installer Execution
sigmamedium
Unusual DNS Activity
elasticlow
Unusual Windows Network Activity
elasticlow
Windows Registry File Creation in SMB Share
elasticmedium