T1048.002 Google Chronicle · YARA-L

Detect Exfiltration Over Asymmetric Encrypted Non-C2 Protocol in Google Chronicle

Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. Common protocols include HTTPS/TLS, SFTP, SCP, SMTPS, and FTPS. These protocols use asymmetric encryption (public-key cryptography) for key exchange, often transitioning to symmetric encryption for bulk data transfer. Because these protocols are widely used for legitimate business purposes, malicious exfiltration traffic can blend in with normal network activity. Threat actors such as APT28, CURIUM, and Storm-1811 have leveraged HTTPS, SMTPS, and SCP respectively for data exfiltration.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1048 Exfiltration Over Alternative Protocol
Sub-technique
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Canonical reference
https://attack.mitre.org/techniques/T1048/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1048_002_exfil_asymmetric_encrypted_non_c2 {
  meta:
    author = "Detection Engineering"
    description = "Detects exfiltration over asymmetrically encrypted non-C2 protocols (T1048.002) including SFTP, SCP, SMTPS, FTPS, and WebDAV. Correlates PROCESS_LAUNCH events for known exfiltration tools or suspicious shell/curl invocations with NETWORK_CONNECTION events to encrypted protocol ports on public IPs within a one-hour window per hostname."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1048.002"
    reference = "https://attack.mitre.org/techniques/T1048/002/"
    version = "1.0"

  events:
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e1.target.process.file.full_path, `(?i)(rclone\.exe|winscp\.exe|pscp\.exe|psftp\.exe|filezilla\.exe|sftp\.exe|scp\.exe)`) or
      (
        re.regex($e1.target.process.file.full_path, `(?i)(powershell\.exe|cmd\.exe)`) and
        re.regex($e1.target.process.command_line, `(?i)(sftp|\bscp\b|smtps|ftps|webdav|rclone|winscp)`)
      ) or
      (
        re.regex($e1.target.process.file.full_path, `(?i)(curl\.exe|wget\.exe)`) and
        re.regex($e1.target.process.command_line, `(?i)(--ssl|--tls|sftp://|ftps://|smtps://)`)
      )
    )

    $e2.metadata.event_type = "NETWORK_CONNECTION"
    $e2.principal.hostname = $e1.principal.hostname
    $e2.target.port in (22, 443, 465, 587, 990, 993, 8443, 21)
    not re.regex($e2.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)

  match:
    $e1.principal.hostname over 1h

  condition:
    $e1 and $e2
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting T1048.002 exfiltration over asymmetrically encrypted non-C2 protocols. Pairs PROCESS_LAUNCH UDM events for known exfiltration binaries (rclone, WinSCP, pscp, psftp, FileZilla, sftp, scp) or suspicious shell/curl command lines with NETWORK_CONNECTION UDM events to encrypted-protocol destination ports (22, 443, 465, 587, 990, 993, 8443, 21) on non-RFC1918 addresses, correlated by hostname within a sliding one-hour window.

Data Sources

Google Chronicle with Windows Sysmon via Forwarder AgentChronicle with CrowdStrike Falcon or Carbon Black EDR telemetryChronicle Unified Data Model (UDM)

Required Tables

UDM PROCESS_LAUNCH eventsUDM NETWORK_CONNECTION events

False Positives & Tuning

  • Legitimate administrative use of SFTP/SCP client tools for authorized file transfers to managed external servers, cloud VMs, or hosted infrastructure
  • Authorized rclone or WinSCP deployments performing scheduled or on-demand backups to approved cloud storage providers with known destination IPs
  • DevOps automation workflows invoking curl or wget over HTTPS to interact with external package repositories, APIs, or artifact upload endpoints
  • Email relay infrastructure components sending via SMTPS to external mail gateway services on ports 465 or 587 as part of normal mail flow
Download portable Sigma rule (.yml)

Other platforms for T1048.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Rclone Exfiltration via SFTP

    Expected signal: Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'copy', 'sftp://', destination IP, and --sftp-pass flag. Sysmon Event ID 3: Network connection attempt to 192.0.2.1:22. DeviceProcessEvents and DeviceNetworkEvents in MDE will capture the event.

  2. Test 2SCP File Transfer to External Host

    Expected signal: Sysmon Event ID 1: Process Create with Image=pscp.exe, CommandLine containing destination IP, remote path, and -pw flag (password in clear text is itself a forensic indicator). Sysmon Event ID 3: TCP connection attempt to 198.51.100.1:22. Security Event ID 4688 if command-line auditing is enabled.

  3. Test 3PowerShell HTTPS Exfiltration via WebClient Upload

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient', 'UploadData', and 'https://'. Sysmon Event ID 3: TCP connection attempt to 127.0.0.1:4443. PowerShell ScriptBlock Log Event ID 4104 with full script. DeviceNetworkEvents in MDE will show the HTTPS connection attempt.

  4. Test 4Rclone MEGA Cloud Storage Exfiltration Simulation

    Expected signal: Sysmon Event ID 11: File creation of rclone_test.conf in %TEMP% containing MEGA credentials. Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine referencing --config path and 'mega_remote:'. Sysmon Event ID 3: DNS query and TCP connection attempt to MEGA API endpoints (g.api.mega.co.nz). DeviceFileEvents will capture config file creation.

  5. Test 5SMTPS Email Exfiltration via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'SmtpClient', 'EnableSsl = $true', port 587, and external hostname. Sysmon Event ID 3: TCP connection attempt to smtp.attacker-controlled.com:587. Sysmon Event ID 22: DNS query for attacker-controlled.com. PowerShell ScriptBlock Log Event ID 4104 with full script content.

Last updated: 2026-04-16 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1048.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1048Exfiltration Over Alternative Protocol

Related Sub-techniques

T1048.001Exfiltration Over Symmetric Encrypted Non-C2 ProtocolT1048.003Exfiltration Over Unencrypted Non-C2 Protocol

Related Techniques

T1048Exfiltration Over Alternative ProtocolT1048.001Exfiltration Over Symmetric Encrypted Non-C2 ProtocolT1567Exfiltration Over Web ServiceT1567.001Exfiltration to Code RepositoryT1567.004Exfiltration Over WebhookT1560Archive Collected DataT1560.001Archive via UtilityT1074Data StagedT1029Scheduled TransferT1020Automated ExfiltrationT1005Data from Local SystemT1078Valid Accounts

Same Tactic: Exfiltration

Popular Detections