EXPLORE

← Back to Explore

T1048.003

Exfiltration Over Unencrypted Non-C2 Protocol

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco) Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression a...

ESXiLinuxmacOSNetwork DevicesWindows

20

Detections

3

Sources

11

Threat Actors

BY SOURCE

9splunk_escu8sigma3elastic

PROCEDURES (15)

Persist2 detections

Auto-extracted: 2 detections for persist

Encrypt2 detections

Auto-extracted: 2 detections for encrypt

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Unusual2 detections

Auto-extracted: 2 detections for unusual

Remote2 detections

Auto-extracted: 2 detections for remote

C21 detections

Auto-extracted: 1 detections for c2

Bypass1 detections

Auto-extracted: 1 detections for bypass

Http1 detections

Auto-extracted: 1 detections for http

Dns1 detections

Auto-extracted: 1 detections for dns

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Remote1 detections

Auto-extracted: 1 detections for remote

Bypass1 detections

Auto-extracted: 1 detections for bypass

Email Security1 detections

Auto-extracted: 1 detections for email security

Command And Control1 detections

Auto-extracted: 1 detections for command and control

C21 detections

Auto-extracted: 1 detections for c2

THREAT ACTORS (11)

APT32 APT33 Contagious Interview FIN6 FIN8 Lazarus Group Mustang Panda OilRig Salt Typhoon Thrip Wizard Spider

DETECTIONS (20)

Cisco ASA - Device File Copy to Remote Location

Cisco Secure Firewall - Potential Data Exfiltration

Data Exfiltration with Wget

DNS Query Length With High Standard Deviation

File Transfer or Listener Established via Netcat

Gsuite Outbound Email With Attachment To External Domain

Multiple Archive Files Http Post Traffic

Netcat File Transfer or Listener Detected via Defend for Containers

Plain HTTP POST Exfiltrated Data

Potential Data Exfiltration Through Curl

PowerShell ICMP Exfiltration

Protocol or Port Mismatch

Python WebServer Execution - Linux

Suspicious DNS Query with B64 Encoded String

Suspicious Outbound SMTP Connections

Suspicious WebDav Client Execution Via Rundll32.EXE

WebDav Client Execution Via Rundll32.EXE

WebDav Put Request

Windows Rundll32 WebDAV Request

Windows Rundll32 WebDav With Network Connection