T1048

Exfiltration Over Alternative Protocol

Adversaries may steal data by exfiltrating it over a different protocol than that used for command and control. Data may be sent over FTP, SMTP, DNS, SMB, HTTP/S, or any other network protocol not serving as the primary C2 channel. Adversaries often encrypt or obfuscate these alternate channels. Common tools include curl, ftp.exe, WinSCP, and built-in OS utilities. DNS tunneling (encoding data in DNS query subdomains) is a particularly stealthy variant used by malware families like FrameworkPOS. IaaS and SaaS platforms (Exchange, SharePoint, GitHub, AWS S3) can also serve as exfiltration endpoints via cloud APIs or direct downloads.

Microsoft Sentinel / Defender

kusto

let ExfilTools = dynamic(["ftp.exe", "curl.exe", "winscp.exe", "pscp.exe", "sftp.exe", "ncftp.exe", "lftp", "wget.exe", "bitsadmin.exe", "robocopy.exe"]);
let SuspiciousFTPPatterns = dynamic(["-T ", "--upload-file", "PUT ", "STOR ", "ftp://", "sftp://", "ftps://"]);
let ExfilPorts = dynamic([21, 22, 25, 465, 587, 989, 990, 2222, 2121]);
// Branch 1: Suspicious exfil tool usage with upload indicators
let ToolBased = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ExfilTools)
| where ProcessCommandLine has_any (SuspiciousFTPPatterns)
    or ProcessCommandLine has_any ("-o ", "--output", "-F ", "--form", "smtp://", "smtps://", "--mail-from", "--mail-rcpt")
| extend DetectionBranch = "ExfilToolUpload"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 2: Outbound connections on exfil-relevant ports from non-standard processes
let NetworkBased = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public"
| where RemotePort in (ExfilPorts)
| where InitiatingProcessFileName !in~ ("svchost.exe", "lsass.exe", "services.exe", "System",
         "Outlook.exe", "thunderbird.exe", "filezilla.exe", "winsshd.exe")
| where InitiatingProcessFileName !startswith "MicrosoftEdge"
| summarize BytesSent=sum(SentBytes), Connections=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl
| where BytesSent > 1048576 or Connections > 10
| extend DetectionBranch = "SuspiciousOutboundPort"
| project FirstSeen, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteIP, RemotePort, RemoteUrl, BytesSent, Connections, DetectionBranch;
// Branch 3: DNS tunneling — long subdomains or high DNS query volume to single domain
let DNSTunneling = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "DnsQueryResponse" or ActionType == "ConnectionSuccess"
| where RemotePort == 53
| where RemoteIPType == "Public"
| extend QueryLength = strlen(RemoteUrl)
| where QueryLength > 50
| summarize QueryCount=count(), MaxQueryLen=max(QueryLength), Domains=make_set(RemoteUrl, 20)
    by DeviceName, InitiatingProcessFileName, bin(Timestamp, 1h)
| where QueryCount > 20 or MaxQueryLen > 100
| extend DetectionBranch = "DNSTunnelingSuspect"
| project Timestamp, DeviceName, InitiatingProcessFileName, QueryCount, MaxQueryLen, Domains, DetectionBranch;
ToolBased
| union NetworkBased
| union DNSTunneling
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

IT administrators using curl or WinSCP for legitimate file transfers to managed SFTP/FTP endpoints
Backup agents (Veeam, Commvault, Acronis) initiating large outbound transfers to cloud storage over non-HTTP protocols
DevOps pipelines using scp/sftp/ftp in CI/CD scripts for artifact deployment or release publishing
Security tools and vulnerability scanners performing outbound SMTP or FTP tests as part of scheduled assessments
Email clients (Outlook, Thunderbird) generating high SMTP/SMTPS traffic during mass mail campaigns or automated notifications

Splunk

spl

| union
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\ftp.exe" OR Image="*\\curl.exe" OR Image="*\\winscp.exe" OR Image="*\\pscp.exe"
   OR Image="*\\sftp.exe" OR Image="*\\bitsadmin.exe" OR Image="*\\robocopy.exe")
| eval CommandLine=lower(CommandLine)
| eval UploadFlag=if(match(CommandLine, "(-t\s|--upload-file|\sput\s|\sstor\s|ftp://|sftp://|ftps://|-f\s|--form|smtp://|--mail-from|--mail-rcpt)"), 1, 0)
| where UploadFlag=1
| eval DetectionBranch="ExfilToolUpload"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*"
       OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*"
       OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*"
       OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*"
       OR DestinationIp="172.31.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
  (DestinationPort=21 OR DestinationPort=22 OR DestinationPort=25 OR DestinationPort=465
   OR DestinationPort=587 OR DestinationPort=989 OR DestinationPort=990 OR DestinationPort=2121)
  NOT (Image="*\\Outlook.exe" OR Image="*\\thunderbird.exe" OR Image="*\\filezilla.exe"
       OR Image="*\\svchost.exe" OR Image="*\\lsass.exe")
| stats sum(eval(if(isnum(SourcePort),1,0))) as Connections, values(DestinationIp) as DestIPs, values(DestinationPort) as DestPorts
    by host, User, Image, CommandLine, DestinationIp, DestinationPort
| where Connections > 5
| eval DetectionBranch="SuspiciousOutboundPort"
| table host, User, Image, CommandLine, DestIPs, DestPorts, Connections, DetectionBranch
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
  NOT (QueryName="*.microsoft.com" OR QueryName="*.windows.com" OR QueryName="*.google.com"
       OR QueryName="*.amazon.com" OR QueryName="*.cloudfront.net")
| eval QueryLen=len(QueryName)
| where QueryLen > 50
| stats count as DNSQueryCount, max(QueryLen) as MaxQueryLen, values(QueryName) as Domains
    by host, User, Image, bin(_time, 3600)
| where DNSQueryCount > 20 OR MaxQueryLen > 100
| eval DetectionBranch="DNSTunnelingSuspect"
| table _time, host, User, Image, DNSQueryCount, MaxQueryLen, Domains, DetectionBranch
]

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Network Traffic: DNS Resolution Sysmon Event ID 1 Sysmon Event ID 3 Sysmon Event ID 22

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators using curl or WinSCP for legitimate file transfers to managed SFTP/FTP endpoints
Backup agents initiating large outbound transfers to cloud storage over non-HTTP protocols
DevOps pipelines using scp/sftp in CI/CD scripts for artifact deployment
Security tools and vulnerability scanners performing SMTP or FTP tests during scheduled assessments
Long DNS hostnames used by CDN providers or cloud service discovery mechanisms (e.g., AWS service endpoints)

IBM QRadar (AQL)

sql

-- Branch 1: Exfil tool with upload indicators
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip,
  username,
  "Process Name",
  "Command",
  'ExfilToolUpload' AS DetectionBranch
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 352)
  AND QIDNAME(qid) LIKE '%Process Create%'
  AND (
    LOWER("Process Name") LIKE '%ftp.exe%'
    OR LOWER("Process Name") LIKE '%curl.exe%'
    OR LOWER("Process Name") LIKE '%winscp.exe%'
    OR LOWER("Process Name") LIKE '%pscp.exe%'
    OR LOWER("Process Name") LIKE '%sftp.exe%'
    OR LOWER("Process Name") LIKE '%bitsadmin.exe%'
    OR LOWER("Process Name") LIKE '%robocopy.exe%'
  )
  AND (
    LOWER("Command") LIKE '%-t %'
    OR LOWER("Command") LIKE '%--upload-file%'
    OR LOWER("Command") LIKE '% put %'
    OR LOWER("Command") LIKE '%ftp://%'
    OR LOWER("Command") LIKE '%sftp://%'
    OR LOWER("Command") LIKE '%ftps://%'
    OR LOWER("Command") LIKE '%smtp://%'
    OR LOWER("Command") LIKE '%--mail-from%'
    OR LOWER("Command") LIKE '%--mail-rcpt%'
  )
  AND LOGSOURCESTARTTIME(logsourceid) > NOW() - 86400
UNION
-- Branch 2: Outbound connections on exfil ports from non-standard processes
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip,
  username,
  "Process Name",
  "Command",
  'SuspiciousOutboundPort' AS DetectionBranch
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 352)
  AND QIDNAME(qid) LIKE '%Network Connect%'
  AND destinationport IN (21, 22, 25, 465, 587, 989, 990, 2121, 2222)
  AND NOT (destinationip LIKE '10.%' OR destinationip LIKE '192.168.%' OR destinationip LIKE '172.16.%' OR destinationip LIKE '127.%')
  AND NOT (
    LOWER("Process Name") LIKE '%svchost.exe%'
    OR LOWER("Process Name") LIKE '%lsass.exe%'
    OR LOWER("Process Name") LIKE '%outlook.exe%'
    OR LOWER("Process Name") LIKE '%thunderbird.exe%'
    OR LOWER("Process Name") LIKE '%filezilla.exe%'
  )
  AND LOGSOURCESTARTTIME(logsourceid) > NOW() - 86400
UNION
-- Branch 3: DNS tunneling via long subdomain queries
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip,
  username,
  "Process Name",
  "DNS Query" AS "Command",
  'DNSTunnelingSuspect' AS DetectionBranch
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 352)
  AND QIDNAME(qid) LIKE '%DNS%'
  AND STRLEN("DNS Query") > 50
  AND NOT (
    "DNS Query" LIKE '%.microsoft.com'
    OR "DNS Query" LIKE '%.windows.com'
    OR "DNS Query" LIKE '%.google.com'
    OR "DNS Query" LIKE '%.amazon.com'
  )
  AND LOGSOURCESTARTTIME(logsourceid) > NOW() - 86400
ORDER BY EventTime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon via QRadar DSM QRadar Network Activity

Required Tables

events flows

False Positives

IT administrators using WinSCP or pscp.exe for legitimate file transfers to managed Linux servers — scope with approved source IPs or asset groups
CI/CD pipelines using curl to upload build artifacts to cloud storage (S3, Azure Blob) over port 443 — may match if port mapping triggers alt-port rules
DNS hostnames for cloud services or CDN providers with long CNAME chains exceeding the 50-char threshold — maintain an allowlist of known long-domain registrants

Sumo Logic CSE

sql

// Branch 1: Exfil tool with upload indicators (Sysmon Event ID 1)
_sourceCategory=windows/sysmon ("EventID=1" OR "<EventID>1</EventID>")
| parse "<Image>*</Image>" as Image
| parse "<CommandLine>*</CommandLine>" as CommandLine
| parse "<ParentImage>*</ParentImage>" as ParentImage
| parse "<User>*</User>" as User
| parse "<Computer>*</Computer>" as Computer
| where (
    Image matches "*ftp.exe" OR Image matches "*curl.exe" OR Image matches "*winscp.exe"
    OR Image matches "*pscp.exe" OR Image matches "*sftp.exe" OR Image matches "*bitsadmin.exe"
    OR Image matches "*robocopy.exe" OR Image matches "*wget.exe"
  )
| where (
    CommandLine matches "* -T *" OR CommandLine matches "*--upload-file*" OR CommandLine matches "* PUT *"
    OR CommandLine matches "*ftp://*" OR CommandLine matches "*sftp://*" OR CommandLine matches "*ftps://*"
    OR CommandLine matches "*smtp://*" OR CommandLine matches "*--mail-from*" OR CommandLine matches "*--mail-rcpt*"
    OR CommandLine matches "* -F *" OR CommandLine matches "*--form*"
  )
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage
| concat("ExfilToolUpload") as DetectionBranch

// Branch 2: Outbound network connections on exfil ports (Sysmon Event ID 3)
// Run as separate query:
// _sourceCategory=windows/sysmon ("EventID=3" OR "<EventID>3</EventID>")
// | parse "<DestinationIp>*</DestinationIp>" as DestinationIp
// | parse "<DestinationPort>*</DestinationPort>" as DestinationPort
// | parse "<Image>*</Image>" as Image
// | parse "<User>*</User>" as User
// | parse "<Computer>*</Computer>" as Computer
// | where DestinationPort in ("21","22","25","465","587","989","990","2121","2222")
// | where !( DestinationIp matches "10.*" OR DestinationIp matches "192.168.*" OR DestinationIp matches "172.1[6-9].*" OR DestinationIp matches "172.2[0-9].*" OR DestinationIp matches "172.3[0-1].*" OR DestinationIp matches "127.*")
// | where !( Image matches "*svchost.exe" OR Image matches "*lsass.exe" OR Image matches "*Outlook.exe" OR Image matches "*thunderbird.exe" OR Image matches "*filezilla.exe")
// | timeslice 1h
// | count as Connections by Computer, User, Image, DestinationIp, DestinationPort, _timeslice
// | where Connections > 5
// | concat("SuspiciousOutboundPort") as DetectionBranch

// Branch 3: DNS tunneling — long DNS query names (Sysmon Event ID 22)
// Run as separate query:
// _sourceCategory=windows/sysmon ("EventID=22" OR "<EventID>22</EventID>")
// | parse "<QueryName>*</QueryName>" as QueryName
// | parse "<Image>*</Image>" as Image
// | parse "<User>*</User>" as User
// | parse "<Computer>*</Computer>" as Computer
// | where length(QueryName) > 50
// | where !( QueryName matches "*.microsoft.com" OR QueryName matches "*.windows.com" OR QueryName matches "*.google.com" OR QueryName matches "*.amazon.com" OR QueryName matches "*.cloudfront.net")
// | timeslice 1h
// | count as DNSQueryCount, max(length(QueryName)) as MaxQueryLen by Computer, User, Image, _timeslice
// | where DNSQueryCount > 20 OR MaxQueryLen > 100
// | concat("DNSTunnelingSuspect") as DetectionBranch

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Sysmon Windows Event Log Source

Required Tables

_sourceCategory=windows/sysmon

False Positives

Legitimate use of curl or wget by developers testing API endpoints with POST/PUT methods — add a process parent filter to exclude IDEs and terminals used by known developer accounts
Robocopy jobs replicating data to remote file shares over SMB — verify if DestinationPort 445 triggers and adjust port list accordingly
Cloud sync clients with long hostname CDN endpoints triggering the DNS query length threshold — maintain a domain allowlist and tune the 50-char threshold based on baseline DNS telemetry

Google Chronicle / SecOps

yaral

rule T1048_ExfilOverAlternativeProtocol {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects exfiltration over alternative protocols including FTP/SFTP/SMTP tool usage with upload indicators, outbound connections on exfil-relevant ports, and DNS tunneling via long subdomain queries."
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1048"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Branch 1: Exfil tool with upload command-line indicators
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path, `(?i)(ftp\.exe|curl\.exe|winscp\.exe|pscp\.exe|sftp\.exe|ncftp\.exe|wget\.exe|bitsadmin\.exe|robocopy\.exe)$`)
      )
      and (
        re.regex($e1.principal.process.command_line, `(?i)(\s-T\s|--upload-file|\sPUT\s|\sSTOR\s|ftp://|sftp://|ftps://|\s-F\s|--form|smtp://|smtps://|--mail-from|--mail-rcpt)`)
      )
    )
    or
    // Branch 2: Outbound connection on exfil ports from unexpected process
    (
      $e1.metadata.event_type = "NETWORK_CONNECTION"
      and (
        $e1.target.port = 21
        or $e1.target.port = 22
        or $e1.target.port = 25
        or $e1.target.port = 465
        or $e1.target.port = 587
        or $e1.target.port = 989
        or $e1.target.port = 990
        or $e1.target.port = 2121
        or $e1.target.port = 2222
      )
      and not net.ip_in_range_cidr($e1.target.ip, "10.0.0.0/8")
      and not net.ip_in_range_cidr($e1.target.ip, "172.16.0.0/12")
      and not net.ip_in_range_cidr($e1.target.ip, "192.168.0.0/16")
      and not net.ip_in_range_cidr($e1.target.ip, "127.0.0.0/8")
      and not re.regex($e1.principal.process.file.full_path, `(?i)(svchost\.exe|lsass\.exe|services\.exe|Outlook\.exe|thunderbird\.exe|filezilla\.exe)$`)
    )
    or
    // Branch 3: DNS tunneling via long query names
    (
      $e1.metadata.event_type = "NETWORK_DNS"
      and strings.length($e1.network.dns.questions.name) > 50
      and not re.regex($e1.network.dns.questions.name, `(?i)(microsoft\.com|windows\.com|google\.com|amazon\.com|cloudfront\.net)$`)
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows Sysmon via Chronicle forwarder Endpoint Detection via Chronicle

Required Tables

UDM Events (PROCESS_LAUNCH, NETWORK_CONNECTION, NETWORK_DNS)

False Positives

Managed file transfer software (e.g., GoAnywhere, MOVEit) using SFTP on port 22 to authorized external partners — add principal.hostname or principal.ip allowlists for known MFT servers
DevOps tooling (Ansible, Terraform) using SSH on port 22 for remote execution against cloud infrastructure — exclude based on initiating process name and known CI/CD asset groups
DNS queries to cloud provider endpoints with long CNAME chains (e.g., AWS Route 53 health checks, Akamai edge nodes) — tune the 50-character threshold upward or add regex allowlist for known CDN patterns

CrowdStrike LogScale (CQL)

cql

// Branch 1: Exfil tool with upload indicators
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(ftp\.exe|curl\.exe|winscp\.exe|pscp\.exe|sftp\.exe|ncftp\.exe|wget\.exe|bitsadmin\.exe|robocopy\.exe)$/
| CommandLine = /(?i)(\s-T\s|--upload-file|\sPUT\s|\sSTOR\s|ftp:\/\/|sftp:\/\/|ftps:\/\/|\s-F\s|--form|smtp:\/\/|smtps:\/\/|--mail-from|--mail-rcpt)/
| rename(field=ComputerName, as="Hostname")
| rename(field=UserName, as="User")
| table(["@timestamp", Hostname, User, ImageFileName, CommandLine, ParentBaseFileName])
| eval DetectionBranch="ExfilToolUpload"

// Branch 2: Outbound connections on exfil ports from non-standard processes
// Run as separate saved search:
// #event_simpleName=NetworkConnectIP4
// | !(RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/ )
// | RemotePort in [21, 22, 25, 465, 587, 989, 990, 2121, 2222]
// | !(ImageFileName = /(svchost\.exe|lsass\.exe|services\.exe|Outlook\.exe|thunderbird\.exe|filezilla\.exe)$/i)
// | groupBy([ComputerName, UserName, ImageFileName, RemoteAddressIP4, RemotePort], function=[count(as=Connections), min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen)])
// | Connections > 5
// | eval DetectionBranch="SuspiciousOutboundPort"
// | table([FirstSeen, ComputerName, UserName, ImageFileName, RemoteAddressIP4, RemotePort, Connections, DetectionBranch])

// Branch 3: DNS tunneling via long query names
// Run as separate saved search:
// #event_simpleName=DnsRequest
// | DomainName != /(?i)(microsoft\.com|windows\.com|google\.com|amazon\.com|cloudfront\.net)$/
// | DomainName = /^.{51,}/
// | groupBy([ComputerName, UserName, ImageFileName, bucket(field=@timestamp, span=1h)], function=[count(as=DNSQueryCount), max(length(DomainName), as=MaxQueryLen), collect(DomainName, limit=20, as=Domains)])
// | DNSQueryCount > 20 OR MaxQueryLen > 100
// | eval DetectionBranch="DNSTunnelingSuspect"
// | table([@timestamp, ComputerName, UserName, ImageFileName, DNSQueryCount, MaxQueryLen, Domains, DetectionBranch])

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon LogScale Falcon Sensor (Process, Network, DNS telemetry)

Required Tables

ProcessRollup2 NetworkConnectIP4 DnsRequest

False Positives

Security operations using Falcon's own curl-based tooling for threat intelligence enrichment — exclude by filtering on aid (agent ID) for known security workstations or process parent matching Falcon sensor binaries
Automated patching systems using bitsadmin.exe to download updates from Microsoft CDN — tune by adding a CommandLine allowlist for known Windows Update URLs and verifying RemotePort is 80/443 not the exfil port list
DNS queries to internal split-horizon DNS resolvers using long FQDN labels for lab or research environments — add a RemoteAddressIP4 allowlist for internal DNS servers and tune MaxQueryLen threshold based on baseline DnsRequest telemetry

Last updated: 2026-04-16 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1048 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Exfiltration Over Alternative Protocol

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Exfiltration

Popular Detections