Detect Exfiltration Over Asymmetric Encrypted Non-C2 Protocol in Microsoft Sentinel
Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. Common protocols include HTTPS/TLS, SFTP, SCP, SMTPS, and FTPS. These protocols use asymmetric encryption (public-key cryptography) for key exchange, often transitioning to symmetric encryption for bulk data transfer. Because these protocols are widely used for legitimate business purposes, malicious exfiltration traffic can blend in with normal network activity. Threat actors such as APT28, CURIUM, and Storm-1811 have leveraged HTTPS, SMTPS, and SCP respectively for data exfiltration.
MITRE ATT&CK
- Tactic
- Exfiltration
- Sub-technique
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
- Canonical reference
- https://attack.mitre.org/techniques/T1048/002/
KQL Detection Query
let ExfilTools = dynamic(["rclone.exe", "winscp.exe", "pscp.exe", "psftp.exe", "filezilla.exe", "sftp.exe", "scp.exe", "curl.exe", "wget.exe"]);
let ExfilKeywords = dynamic(["sftp", "scp ", "smtps", "ftps", "webdav", "rclone", "winscp", "put ", "mput", "--sftp", "--webdav", "ssl", "tls"]);
let LargeTransferThresholdMB = 10;
// Detection 1: Known exfiltration tools making outbound encrypted connections
let ExfilToolProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ExfilTools)
or (FileName =~ "cmd.exe" and ProcessCommandLine has_any ("sftp", "scp ", "rclone", "winscp"))
or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("sftp", "scp", "smtps", "WebDAV", "ftps", "rclone"))
| extend ToolName = case(
FileName =~ "rclone.exe", "Rclone",
FileName =~ "winscp.exe", "WinSCP",
FileName =~ "pscp.exe" or FileName =~ "scp.exe", "SCP",
FileName =~ "psftp.exe" or FileName =~ "sftp.exe", "SFTP",
FileName =~ "filezilla.exe", "FileZilla",
ProcessCommandLine has "sftp", "SFTP",
ProcessCommandLine has "scp ", "SCP",
ProcessCommandLine has "rclone", "Rclone",
"Unknown"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, ToolName;
// Detection 2: Large outbound HTTPS/SFTP/SCP connections
let ExfilNetworkEvents = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (443, 22, 465, 587, 990, 993, 8443, 21)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName in~ (ExfilTools)
or InitiatingProcessCommandLine has_any (ExfilKeywords)
| summarize ConnectionCount=count(), BytesSent=sum(SentBytes), BytesReceived=sum(ReceivedBytes),
UniqueRemoteIPs=dcount(RemoteIP), Ports=make_set(RemotePort),
RemoteIPs=make_set(RemoteIP, 10)
by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, bin(Timestamp, 1h)
| extend MBSent = round(toreal(BytesSent) / 1048576, 2)
| where MBSent > LargeTransferThresholdMB or ConnectionCount > 5
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
InitiatingProcessCommandLine, ConnectionCount, MBSent, UniqueRemoteIPs, Ports, RemoteIPs;
// Detection 3: Rclone-specific command line patterns
let RcloneActivity = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "rclone.exe"
| extend HasCopy = ProcessCommandLine has "copy" or ProcessCommandLine has "sync" or ProcessCommandLine has "move"
| extend HasRemote = ProcessCommandLine has ":" and (
ProcessCommandLine has "sftp" or ProcessCommandLine has "s3" or
ProcessCommandLine has "gdrive" or ProcessCommandLine has "onedrive" or
ProcessCommandLine has "mega" or ProcessCommandLine has "box" or
ProcessCommandLine has "dropbox" or ProcessCommandLine has "webdav"
)
| where HasCopy or HasRemote
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, HasCopy, HasRemote;
union ExfilToolProcesses, ExfilNetworkEvents, RcloneActivity
| sort by Timestamp descDetects data exfiltration over asymmetric encrypted protocols (HTTPS, SFTP, SCP, SMTPS, FTPS, WebDAV) using Microsoft Defender for Endpoint tables. Identifies known exfiltration tools (Rclone, WinSCP, pscp, sftp), suspicious command-line patterns invoking encrypted transfer protocols, and network connections to public IPs on encrypted transfer ports with significant data volumes. Combines process creation telemetry with network event correlation.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators using WinSCP, FileZilla, or SCP for legitimate file transfers to managed servers
- Backup software using SFTP/FTPS to transfer data to authorized cloud storage or DR sites
- DevOps pipelines using Rclone or curl for legitimate artifact publishing to cloud storage (S3, Azure Blob, GCS)
- Security teams running vulnerability scans or transferring forensic images via SFTP
- Software update mechanisms that download or upload telemetry over HTTPS to vendor endpoints
Other platforms for T1048.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Rclone Exfiltration via SFTP
Expected signal: Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'copy', 'sftp://', destination IP, and --sftp-pass flag. Sysmon Event ID 3: Network connection attempt to 192.0.2.1:22. DeviceProcessEvents and DeviceNetworkEvents in MDE will capture the event.
- Test 2SCP File Transfer to External Host
Expected signal: Sysmon Event ID 1: Process Create with Image=pscp.exe, CommandLine containing destination IP, remote path, and -pw flag (password in clear text is itself a forensic indicator). Sysmon Event ID 3: TCP connection attempt to 198.51.100.1:22. Security Event ID 4688 if command-line auditing is enabled.
- Test 3PowerShell HTTPS Exfiltration via WebClient Upload
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient', 'UploadData', and 'https://'. Sysmon Event ID 3: TCP connection attempt to 127.0.0.1:4443. PowerShell ScriptBlock Log Event ID 4104 with full script. DeviceNetworkEvents in MDE will show the HTTPS connection attempt.
- Test 4Rclone MEGA Cloud Storage Exfiltration Simulation
Expected signal: Sysmon Event ID 11: File creation of rclone_test.conf in %TEMP% containing MEGA credentials. Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine referencing --config path and 'mega_remote:'. Sysmon Event ID 3: DNS query and TCP connection attempt to MEGA API endpoints (g.api.mega.co.nz). DeviceFileEvents will capture config file creation.
- Test 5SMTPS Email Exfiltration via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'SmtpClient', 'EnableSsl = $true', port 587, and external hostname. Sysmon Event ID 3: TCP connection attempt to smtp.attacker-controlled.com:587. Sysmon Event ID 22: DNS query for attacker-controlled.com. PowerShell ScriptBlock Log Event ID 4104 with full script content.
References (10)
- https://attack.mitre.org/techniques/T1048/002/
- https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc.html
- https://rclone.org/docs/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md
- https://www.rapid7.com/blog/post/2024/05/10/storm-1811-email-bombing-vishing-attacks/
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1048.002 including response playbook, investigation guide, and atomic red team tests.