Detect Exfiltration Over Asymmetric Encrypted Non-C2 Protocol in Elastic Security
Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. Common protocols include HTTPS/TLS, SFTP, SCP, SMTPS, and FTPS. These protocols use asymmetric encryption (public-key cryptography) for key exchange, often transitioning to symmetric encryption for bulk data transfer. Because these protocols are widely used for legitimate business purposes, malicious exfiltration traffic can blend in with normal network activity. Threat actors such as APT28, CURIUM, and Storm-1811 have leveraged HTTPS, SMTPS, and SCP respectively for data exfiltration.
MITRE ATT&CK
- Tactic
- Exfiltration
- Sub-technique
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
- Canonical reference
- https://attack.mitre.org/techniques/T1048/002/
Elastic Detection Query
sequence by host.name, process.entity_id with maxspan=1h
[process where event.type == "start" and
(
process.name : ("rclone.exe", "winscp.exe", "pscp.exe", "psftp.exe", "filezilla.exe", "sftp.exe", "scp.exe") or
(process.name : ("powershell.exe", "cmd.exe") and
process.command_line : ("*sftp*", "*scp *", "*smtps*", "*ftps*", "*webdav*", "*rclone*", "*winscp*")) or
(process.name : "curl.exe" and
process.command_line : ("*--ssl*", "*--tls*", "*sftp://*", "*ftps://*"))
)]
[network where event.type == "connection" and
destination.port in (22, 443, 465, 587, 990, 993, 8443, 21) and
not cidrMatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]Detects T1048.002 exfiltration over asymmetrically encrypted non-C2 protocols using Elastic EQL sequences. Correlates PROCESS_LAUNCH events for known exfiltration tools (rclone, WinSCP, pscp, psftp, FileZilla, sftp, scp) or suspicious PowerShell/cmd/curl invocations with subsequent NETWORK_CONNECTION events targeting encrypted protocol ports (22/SFTP-SCP, 443/HTTPS, 465-587-993/SMTPS-IMAPS, 990/FTPS, 8443/HTTPS-alt) on public IP addresses within a one-hour window.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate SFTP/SCP use by system administrators or DevOps engineers for authorized file transfers to managed hosting services, cloud servers, or third-party SFTP vendors
- Automated backup solutions using rclone, WinSCP, or FileZilla configured to sync data to authorized cloud storage endpoints such as AWS S3 SFTP gateways, Google Drive, or OneDrive
- Software deployment pipelines using curl to upload build artifacts over HTTPS or SFTP to CI/CD servers, artifact repositories, or container registries
- Security scanning platforms or vulnerability assessment tools that initiate outbound HTTPS connections to external targets as part of authorized testing workflows
Other platforms for T1048.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Rclone Exfiltration via SFTP
Expected signal: Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'copy', 'sftp://', destination IP, and --sftp-pass flag. Sysmon Event ID 3: Network connection attempt to 192.0.2.1:22. DeviceProcessEvents and DeviceNetworkEvents in MDE will capture the event.
- Test 2SCP File Transfer to External Host
Expected signal: Sysmon Event ID 1: Process Create with Image=pscp.exe, CommandLine containing destination IP, remote path, and -pw flag (password in clear text is itself a forensic indicator). Sysmon Event ID 3: TCP connection attempt to 198.51.100.1:22. Security Event ID 4688 if command-line auditing is enabled.
- Test 3PowerShell HTTPS Exfiltration via WebClient Upload
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient', 'UploadData', and 'https://'. Sysmon Event ID 3: TCP connection attempt to 127.0.0.1:4443. PowerShell ScriptBlock Log Event ID 4104 with full script. DeviceNetworkEvents in MDE will show the HTTPS connection attempt.
- Test 4Rclone MEGA Cloud Storage Exfiltration Simulation
Expected signal: Sysmon Event ID 11: File creation of rclone_test.conf in %TEMP% containing MEGA credentials. Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine referencing --config path and 'mega_remote:'. Sysmon Event ID 3: DNS query and TCP connection attempt to MEGA API endpoints (g.api.mega.co.nz). DeviceFileEvents will capture config file creation.
- Test 5SMTPS Email Exfiltration via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'SmtpClient', 'EnableSsl = $true', port 587, and external hostname. Sysmon Event ID 3: TCP connection attempt to smtp.attacker-controlled.com:587. Sysmon Event ID 22: DNS query for attacker-controlled.com. PowerShell ScriptBlock Log Event ID 4104 with full script content.
References (10)
- https://attack.mitre.org/techniques/T1048/002/
- https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc.html
- https://rclone.org/docs/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md
- https://www.rapid7.com/blog/post/2024/05/10/storm-1811-email-bombing-vishing-attacks/
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1048.002 including response playbook, investigation guide, and atomic red team tests.