T1048.002

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. Common protocols include HTTPS/TLS, SFTP, SCP, SMTPS, and FTPS. These protocols use asymmetric encryption (public-key cryptography) for key exchange, often transitioning to symmetric encryption for bulk data transfer. Because these protocols are widely used for legitimate business purposes, malicious exfiltration traffic can blend in with normal network activity. Threat actors such as APT28, CURIUM, and Storm-1811 have leveraged HTTPS, SMTPS, and SCP respectively for data exfiltration.

Microsoft Sentinel / Defender

kusto

let ExfilTools = dynamic(["rclone.exe", "winscp.exe", "pscp.exe", "psftp.exe", "filezilla.exe", "sftp.exe", "scp.exe", "curl.exe", "wget.exe"]);
let ExfilKeywords = dynamic(["sftp", "scp ", "smtps", "ftps", "webdav", "rclone", "winscp", "put ", "mput", "--sftp", "--webdav", "ssl", "tls"]);
let LargeTransferThresholdMB = 10;
// Detection 1: Known exfiltration tools making outbound encrypted connections
let ExfilToolProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ExfilTools)
  or (FileName =~ "cmd.exe" and ProcessCommandLine has_any ("sftp", "scp ", "rclone", "winscp"))
  or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("sftp", "scp", "smtps", "WebDAV", "ftps", "rclone"))
| extend ToolName = case(
    FileName =~ "rclone.exe", "Rclone",
    FileName =~ "winscp.exe", "WinSCP",
    FileName =~ "pscp.exe" or FileName =~ "scp.exe", "SCP",
    FileName =~ "psftp.exe" or FileName =~ "sftp.exe", "SFTP",
    FileName =~ "filezilla.exe", "FileZilla",
    ProcessCommandLine has "sftp", "SFTP",
    ProcessCommandLine has "scp ", "SCP",
    ProcessCommandLine has "rclone", "Rclone",
    "Unknown"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, ToolName;
// Detection 2: Large outbound HTTPS/SFTP/SCP connections
let ExfilNetworkEvents = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (443, 22, 465, 587, 990, 993, 8443, 21)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName in~ (ExfilTools)
  or InitiatingProcessCommandLine has_any (ExfilKeywords)
| summarize ConnectionCount=count(), BytesSent=sum(SentBytes), BytesReceived=sum(ReceivedBytes),
            UniqueRemoteIPs=dcount(RemoteIP), Ports=make_set(RemotePort),
            RemoteIPs=make_set(RemoteIP, 10)
  by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, bin(Timestamp, 1h)
| extend MBSent = round(toreal(BytesSent) / 1048576, 2)
| where MBSent > LargeTransferThresholdMB or ConnectionCount > 5
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, ConnectionCount, MBSent, UniqueRemoteIPs, Ports, RemoteIPs;
// Detection 3: Rclone-specific command line patterns
let RcloneActivity = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "rclone.exe"
| extend HasCopy = ProcessCommandLine has "copy" or ProcessCommandLine has "sync" or ProcessCommandLine has "move"
| extend HasRemote = ProcessCommandLine has ":" and (
    ProcessCommandLine has "sftp" or ProcessCommandLine has "s3" or
    ProcessCommandLine has "gdrive" or ProcessCommandLine has "onedrive" or
    ProcessCommandLine has "mega" or ProcessCommandLine has "box" or
    ProcessCommandLine has "dropbox" or ProcessCommandLine has "webdav"
  )
| where HasCopy or HasRemote
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, HasCopy, HasRemote;
union ExfilToolProcesses, ExfilNetworkEvents, RcloneActivity
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

IT administrators using WinSCP, FileZilla, or SCP for legitimate file transfers to managed servers
Backup software using SFTP/FTPS to transfer data to authorized cloud storage or DR sites
DevOps pipelines using Rclone or curl for legitimate artifact publishing to cloud storage (S3, Azure Blob, GCS)
Security teams running vulnerability scans or transferring forensic images via SFTP
Software update mechanisms that download or upload telemetry over HTTPS to vendor endpoints

Splunk

spl

index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval ExfilTool=case(
    match(Image, "(?i)(rclone\.exe|winscp\.exe|pscp\.exe|psftp\.exe|sftp\.exe|scp\.exe|filezilla\.exe)"), 1,
    match(CommandLine, "(?i)(\\bsftp\\b|\\bscp\\b|smtps|ftps|webdav|rclone)"), 1,
    1=1, 0
  )
(
  (
    EventCode=1
    (
      match(Image, "(?i)(rclone\.exe|winscp\.exe|pscp\.exe|psftp\.exe|sftp\.exe|filezilla\.exe)")
      OR (match(Image, "(?i)powershell\.exe") AND match(CommandLine, "(?i)(sftp|smtps|webdav|ftps|rclone|scp)"))
      OR (match(Image, "(?i)cmd\.exe") AND match(CommandLine, "(?i)(sftp|scp|rclone|winscp)"))
      OR (match(Image, "(?i)curl\.exe") AND match(CommandLine, "(?i)(--ssl|--tls|https://|sftp://|ftps://)"))
    )
  )
  OR
  (
    EventCode=3
    (
      match(Image, "(?i)(rclone\.exe|winscp\.exe|pscp\.exe|psftp\.exe|sftp\.exe|filezilla\.exe|curl\.exe|wget\.exe)")
      OR match(CommandLine, "(?i)(sftp|smtps|webdav|ftps|rclone)")
    )
    NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
  )
)
| eval EventType=case(EventCode="1", "ProcessCreate", EventCode="3", "NetworkConnect", true(), "Other")
| eval Protocol=case(
    match(CommandLine, "(?i)sftp://") OR match(DestinationPort, "^22$"), "SFTP/SCP",
    match(CommandLine, "(?i)smtps"), "SMTPS",
    match(CommandLine, "(?i)ftps://") OR match(DestinationPort, "^990$"), "FTPS",
    match(CommandLine, "(?i)webdav"), "WebDAV/HTTPS",
    match(DestinationPort, "^443$") OR match(DestinationPort, "^8443$"), "HTTPS",
    match(DestinationPort, "^465$") OR match(DestinationPort, "^587$"), "SMTPS",
    match(DestinationPort, "^993$"), "IMAPS",
    true(), "Unknown"
  )
| eval RcloneCopy=if(match(Image, "(?i)rclone\.exe") AND match(CommandLine, "(?i)(copy|sync|move)"), 1, 0)
| eval RcloneRemote=if(match(Image, "(?i)rclone\.exe") AND match(CommandLine, "(?i)(sftp|s3|gdrive|onedrive|mega|box|dropbox|webdav)"), 1, 0)
| eval SuspicionScore=ExfilTool + RcloneCopy + RcloneRemote
| where SuspicionScore > 0 OR EventType="NetworkConnect"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, EventType, Protocol, DestinationIp, DestinationPort, RcloneCopy, RcloneRemote, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators using WinSCP, FileZilla, or SCP for legitimate file transfers to managed servers
Backup software using SFTP/FTPS to transfer data to authorized cloud storage or DR sites
DevOps pipelines using Rclone or curl for legitimate artifact publishing to cloud storage (S3, Azure Blob, GCS)
Security teams running vulnerability scans or transferring forensic images via SFTP
Software update mechanisms that download or upload telemetry over HTTPS to vendor endpoints

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
       LOGSOURCENAME(logsourceid) AS LogSource,
       username,
       sourceip,
       destinationip,
       destinationport,
       "EventID",
       "Process Name" AS ProcessName,
       "CommandLine",
       CATEGORYNAME(category) AS Category
FROM events
WHERE LOGSOURCETYPEID IN (12, 229)
  AND (
    (
      "EventID" IN ('1', '4688')
      AND (
        "Process Name" IMATCHES '(?i)(rclone\.exe|winscp\.exe|pscp\.exe|psftp\.exe|filezilla\.exe|sftp\.exe|scp\.exe|curl\.exe|wget\.exe)'
        OR (
          "Process Name" IMATCHES '(?i)(powershell\.exe|cmd\.exe)'
          AND "CommandLine" IMATCHES '(?i)(sftp|\bscp\b|smtps|ftps|webdav|rclone|winscp)'
        )
        OR (
          "Process Name" IMATCHES '(?i)curl\.exe'
          AND "CommandLine" IMATCHES '(?i)(--ssl|--tls|sftp://|ftps://)'
        )
      )
    )
    OR (
      "EventID" = '3'
      AND destinationport IN (22, 443, 465, 587, 990, 993, 8443, 21)
      AND (
        "Process Name" IMATCHES '(?i)(rclone\.exe|winscp\.exe|pscp\.exe|psftp\.exe|filezilla\.exe|sftp\.exe|scp\.exe|curl\.exe|wget\.exe)'
        OR "CommandLine" IMATCHES '(?i)(sftp|smtps|webdav|ftps|rclone)'
      )
      AND NOT (
        destinationip ILIKE '10.%'
        OR destinationip ILIKE '172.16.%' OR destinationip ILIKE '172.17.%' OR destinationip ILIKE '172.18.%'
        OR destinationip ILIKE '172.19.%' OR destinationip ILIKE '172.20.%' OR destinationip ILIKE '172.21.%'
        OR destinationip ILIKE '172.22.%' OR destinationip ILIKE '172.23.%' OR destinationip ILIKE '172.24.%'
        OR destinationip ILIKE '172.25.%' OR destinationip ILIKE '172.26.%' OR destinationip ILIKE '172.27.%'
        OR destinationip ILIKE '172.28.%' OR destinationip ILIKE '172.29.%' OR destinationip ILIKE '172.30.%'
        OR destinationip ILIKE '172.31.%'
        OR destinationip ILIKE '192.168.%'
        OR destinationip ILIKE '127.%'
      )
    )
  )
  AND LAST 24 HOURS
ORDER BY EventTime DESC

high severity high confidence

Data Sources

IBM QRadar with Windows Security Event Log DSM IBM QRadar with Sysmon Universal DSM

Required Tables

events

False Positives

Authorized use of WinSCP, FileZilla, or rclone by IT administrators for routine file transfer operations to managed external SFTP servers or cloud storage buckets
Automated backup jobs configured to run rclone or similar tools to push encrypted backups to approved cloud providers via SFTP or HTTPS
DevOps pipelines using curl or wget to push build artifacts over HTTPS to external container registries, artifact stores, or partner APIs
Security tooling performing encrypted callbacks to vendor SaaS infrastructure over standard HTTPS ports as part of licensed product operation

Sumo Logic CSE

sql

(_sourceCategory=*windows/sysmon* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventCode in ("1", "3") or EventID in ("1", "3")
| where (
    Image matches /(?i)(rclone|winscp|pscp|psftp|filezilla|sftp|scp|curl|wget)\.exe/
    or (Image matches /(?i)(powershell|cmd)\.exe/ and CommandLine matches /(?i)(sftp|\bscp\b|smtps|ftps|webdav|rclone|winscp)/)
    or (Image matches /(?i)curl\.exe/ and CommandLine matches /(?i)(--ssl|--tls|sftp:\/\/|ftps:\/\/)/)
  )
| where EventCode != "3" or (
    DestinationPort in ("22","443","465","587","990","993","8443","21")
    and !(DestinationIp matches /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/)
  )
| eval Protocol = if(CommandLine matches /(?i)sftp:\/\//, "SFTP",
    if(CommandLine matches /(?i)\bscp\b/, "SCP",
    if(CommandLine matches /(?i)smtps/, "SMTPS",
    if(CommandLine matches /(?i)ftps:\/\//, "FTPS",
    if(CommandLine matches /(?i)webdav/, "WebDAV",
    if(DestinationPort == "22", "SSH/SFTP",
    if(DestinationPort == "443", "HTTPS",
    if(DestinationPort in ("465","587"), "SMTPS",
    if(DestinationPort == "990", "FTPS", "Unknown")))))))))
| eval RcloneCopy = if(Image matches /(?i)rclone\.exe/ and CommandLine matches /(?i)(copy|sync|move)/, "true", "false")
| eval RcloneRemote = if(Image matches /(?i)rclone\.exe/ and CommandLine matches /(?i)(sftp|s3|gdrive|onedrive|mega|box|dropbox|webdav)/, "true", "false")
| eval EventType = if(EventCode == "1" or EventID == "1", "ProcessCreate", if(EventCode == "3" or EventID == "3", "NetworkConnect", "Other"))
| fields _time, Computer, User, Image, CommandLine, ParentImage, EventType, Protocol, DestinationIp, DestinationPort, RcloneCopy, RcloneRemote
| sort by _time desc

high severity high confidence

Data Sources

Sumo Logic with Sysmon via Windows Event Forwarding Sumo Logic Endpoint Security Collection

Required Tables

_sourceCategory=*windows/sysmon* _sourceCategory=*endpoint*

False Positives

IT administrators using WinSCP or FileZilla for legitimate file transfers to authorized external SFTP servers or cloud-hosted storage
Automated rclone-based backup scripts running on a schedule to upload data to approved cloud storage providers such as Backblaze B2, Wasabi, or AWS S3
Development teams using curl or sftp in CI/CD pipeline scripts to deploy compiled artifacts to staging or production environments over encrypted channels
Email relay agents or applications using SMTPS on ports 465 or 587 for standard outbound encrypted email delivery to remote mail servers

Google Chronicle / SecOps

yaral

rule t1048_002_exfil_asymmetric_encrypted_non_c2 {
  meta:
    author = "Detection Engineering"
    description = "Detects exfiltration over asymmetrically encrypted non-C2 protocols (T1048.002) including SFTP, SCP, SMTPS, FTPS, and WebDAV. Correlates PROCESS_LAUNCH events for known exfiltration tools or suspicious shell/curl invocations with NETWORK_CONNECTION events to encrypted protocol ports on public IPs within a one-hour window per hostname."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1048.002"
    reference = "https://attack.mitre.org/techniques/T1048/002/"
    version = "1.0"

  events:
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e1.target.process.file.full_path, `(?i)(rclone\.exe|winscp\.exe|pscp\.exe|psftp\.exe|filezilla\.exe|sftp\.exe|scp\.exe)`) or
      (
        re.regex($e1.target.process.file.full_path, `(?i)(powershell\.exe|cmd\.exe)`) and
        re.regex($e1.target.process.command_line, `(?i)(sftp|\bscp\b|smtps|ftps|webdav|rclone|winscp)`)
      ) or
      (
        re.regex($e1.target.process.file.full_path, `(?i)(curl\.exe|wget\.exe)`) and
        re.regex($e1.target.process.command_line, `(?i)(--ssl|--tls|sftp://|ftps://|smtps://)`)
      )
    )

    $e2.metadata.event_type = "NETWORK_CONNECTION"
    $e2.principal.hostname = $e1.principal.hostname
    $e2.target.port in (22, 443, 465, 587, 990, 993, 8443, 21)
    not re.regex($e2.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)

  match:
    $e1.principal.hostname over 1h

  condition:
    $e1 and $e2
}

high severity high confidence

Data Sources

Google Chronicle with Windows Sysmon via Forwarder Agent Chronicle with CrowdStrike Falcon or Carbon Black EDR telemetry Chronicle Unified Data Model (UDM)

Required Tables

UDM PROCESS_LAUNCH events UDM NETWORK_CONNECTION events

False Positives

Legitimate administrative use of SFTP/SCP client tools for authorized file transfers to managed external servers, cloud VMs, or hosted infrastructure
Authorized rclone or WinSCP deployments performing scheduled or on-demand backups to approved cloud storage providers with known destination IPs
DevOps automation workflows invoking curl or wget over HTTPS to interact with external package repositories, APIs, or artifact upload endpoints
Email relay infrastructure components sending via SMTPS to external mail gateway services on ports 465 or 587 as part of normal mail flow

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2", "NetworkConnectIP4")
| case {
    #event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
    | where ImageFileName = /(?i)(rclone\.exe|winscp\.exe|pscp\.exe|psftp\.exe|filezilla\.exe|sftp\.exe|scp\.exe|curl\.exe|wget\.exe)/
        OR (ImageFileName = /(?i)(powershell\.exe|cmd\.exe)/ AND CommandLine = /(?i)(sftp|\bscp\b|smtps|ftps|webdav|rclone|winscp)/)
        OR (ImageFileName = /(?i)curl\.exe/ AND CommandLine = /(?i)(--ssl|--tls|sftp:\/\/|ftps:\/\/)/)
    | eval DetectionType = "ProcessExecution" ;

    #event_simpleName = "NetworkConnectIP4"
    | where RemotePort in (22, 443, 465, 587, 990, 993, 8443, 21)
    | where ImageFileName = /(?i)(rclone\.exe|winscp\.exe|pscp\.exe|psftp\.exe|filezilla\.exe|sftp\.exe|scp\.exe|curl\.exe|wget\.exe)/
    | where NOT RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
    | eval DetectionType = "NetworkConnection" ;
  }
| eval ToolName = case(
    ImageFileName = /(?i)rclone\.exe/, "Rclone",
    ImageFileName = /(?i)winscp\.exe/, "WinSCP",
    ImageFileName = /(?i)(pscp|scp)\.exe/, "SCP",
    ImageFileName = /(?i)(psftp|sftp)\.exe/, "SFTP",
    ImageFileName = /(?i)filezilla\.exe/, "FileZilla",
    CommandLine = /(?i)sftp/, "SFTP-via-Script",
    CommandLine = /(?i)rclone/, "Rclone-via-Script",
    true(), "Unknown"
  )
| eval RcloneCopy = if(ImageFileName = /(?i)rclone\.exe/ AND CommandLine = /(?i)(copy|sync|move)/, "true", "false")
| eval RcloneRemote = if(ImageFileName = /(?i)rclone\.exe/ AND CommandLine = /(?i)(sftp|s3|gdrive|onedrive|mega|box|dropbox|webdav)/, "true", "false")
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, RemoteAddressIP4, RemotePort, DetectionType, ToolName, RcloneCopy, RcloneRemote])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection with process and network telemetry CrowdStrike Falcon LogScale (formerly Humio)

Required Tables

ProcessRollup2 SyntheticProcessRollup2 NetworkConnectIP4

False Positives

Authorized IT staff using rclone, WinSCP, or similar transfer tools for sanctioned data migration or backup operations to approved cloud endpoints or managed service providers
Development or DevOps workflows using sftp, scp, or curl to deploy application code or upload packages to remote servers as part of established CI/CD pipelines
Managed security or monitoring agents that communicate over HTTPS to vendor cloud infrastructure for telemetry upload, license validation, or policy retrieval
Endpoint backup agents configured to transmit encrypted backups via SFTP or HTTPS to off-site or cloud-hosted storage destinations on a scheduled basis

Last updated: 2026-04-16 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1048.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1048Exfiltration Over Alternative Protocol

Related Sub-techniques

T1048.001Exfiltration Over Symmetric Encrypted Non-C2 Protocol T1048.003Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Exfiltration

Popular Detections