Detect Exfiltration Over Asymmetric Encrypted Non-C2 Protocol in Splunk
Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. Common protocols include HTTPS/TLS, SFTP, SCP, SMTPS, and FTPS. These protocols use asymmetric encryption (public-key cryptography) for key exchange, often transitioning to symmetric encryption for bulk data transfer. Because these protocols are widely used for legitimate business purposes, malicious exfiltration traffic can blend in with normal network activity. Threat actors such as APT28, CURIUM, and Storm-1811 have leveraged HTTPS, SMTPS, and SCP respectively for data exfiltration.
MITRE ATT&CK
- Tactic
- Exfiltration
- Sub-technique
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
- Canonical reference
- https://attack.mitre.org/techniques/T1048/002/
SPL Detection Query
index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval ExfilTool=case(
match(Image, "(?i)(rclone\.exe|winscp\.exe|pscp\.exe|psftp\.exe|sftp\.exe|scp\.exe|filezilla\.exe)"), 1,
match(CommandLine, "(?i)(\\bsftp\\b|\\bscp\\b|smtps|ftps|webdav|rclone)"), 1,
1=1, 0
)
(
(
EventCode=1
(
match(Image, "(?i)(rclone\.exe|winscp\.exe|pscp\.exe|psftp\.exe|sftp\.exe|filezilla\.exe)")
OR (match(Image, "(?i)powershell\.exe") AND match(CommandLine, "(?i)(sftp|smtps|webdav|ftps|rclone|scp)"))
OR (match(Image, "(?i)cmd\.exe") AND match(CommandLine, "(?i)(sftp|scp|rclone|winscp)"))
OR (match(Image, "(?i)curl\.exe") AND match(CommandLine, "(?i)(--ssl|--tls|https://|sftp://|ftps://)"))
)
)
OR
(
EventCode=3
(
match(Image, "(?i)(rclone\.exe|winscp\.exe|pscp\.exe|psftp\.exe|sftp\.exe|filezilla\.exe|curl\.exe|wget\.exe)")
OR match(CommandLine, "(?i)(sftp|smtps|webdav|ftps|rclone)")
)
NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
)
)
| eval EventType=case(EventCode="1", "ProcessCreate", EventCode="3", "NetworkConnect", true(), "Other")
| eval Protocol=case(
match(CommandLine, "(?i)sftp://") OR match(DestinationPort, "^22$"), "SFTP/SCP",
match(CommandLine, "(?i)smtps"), "SMTPS",
match(CommandLine, "(?i)ftps://") OR match(DestinationPort, "^990$"), "FTPS",
match(CommandLine, "(?i)webdav"), "WebDAV/HTTPS",
match(DestinationPort, "^443$") OR match(DestinationPort, "^8443$"), "HTTPS",
match(DestinationPort, "^465$") OR match(DestinationPort, "^587$"), "SMTPS",
match(DestinationPort, "^993$"), "IMAPS",
true(), "Unknown"
)
| eval RcloneCopy=if(match(Image, "(?i)rclone\.exe") AND match(CommandLine, "(?i)(copy|sync|move)"), 1, 0)
| eval RcloneRemote=if(match(Image, "(?i)rclone\.exe") AND match(CommandLine, "(?i)(sftp|s3|gdrive|onedrive|mega|box|dropbox|webdav)"), 1, 0)
| eval SuspicionScore=ExfilTool + RcloneCopy + RcloneRemote
| where SuspicionScore > 0 OR EventType="NetworkConnect"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, EventType, Protocol, DestinationIp, DestinationPort, RcloneCopy, RcloneRemote, SuspicionScore
| sort - _timeDetects exfiltration over asymmetric encrypted protocols using Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection). Identifies known exfiltration tools (Rclone, WinSCP, pscp, sftp, FileZilla), suspicious PowerShell or cmd.exe invocations with encrypted protocol flags, and outbound network connections on SFTP/HTTPS/FTPS/SMTPS ports to public IPs. Assigns protocol classification and suspicion scoring for analyst prioritization.
Data Sources
Required Sourcetypes
False Positives & Tuning
- IT administrators using WinSCP, FileZilla, or SCP for legitimate file transfers to managed servers
- Backup software using SFTP/FTPS to transfer data to authorized cloud storage or DR sites
- DevOps pipelines using Rclone or curl for legitimate artifact publishing to cloud storage (S3, Azure Blob, GCS)
- Security teams running vulnerability scans or transferring forensic images via SFTP
- Software update mechanisms that download or upload telemetry over HTTPS to vendor endpoints
Other platforms for T1048.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Rclone Exfiltration via SFTP
Expected signal: Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'copy', 'sftp://', destination IP, and --sftp-pass flag. Sysmon Event ID 3: Network connection attempt to 192.0.2.1:22. DeviceProcessEvents and DeviceNetworkEvents in MDE will capture the event.
- Test 2SCP File Transfer to External Host
Expected signal: Sysmon Event ID 1: Process Create with Image=pscp.exe, CommandLine containing destination IP, remote path, and -pw flag (password in clear text is itself a forensic indicator). Sysmon Event ID 3: TCP connection attempt to 198.51.100.1:22. Security Event ID 4688 if command-line auditing is enabled.
- Test 3PowerShell HTTPS Exfiltration via WebClient Upload
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient', 'UploadData', and 'https://'. Sysmon Event ID 3: TCP connection attempt to 127.0.0.1:4443. PowerShell ScriptBlock Log Event ID 4104 with full script. DeviceNetworkEvents in MDE will show the HTTPS connection attempt.
- Test 4Rclone MEGA Cloud Storage Exfiltration Simulation
Expected signal: Sysmon Event ID 11: File creation of rclone_test.conf in %TEMP% containing MEGA credentials. Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine referencing --config path and 'mega_remote:'. Sysmon Event ID 3: DNS query and TCP connection attempt to MEGA API endpoints (g.api.mega.co.nz). DeviceFileEvents will capture config file creation.
- Test 5SMTPS Email Exfiltration via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'SmtpClient', 'EnableSsl = $true', port 587, and external hostname. Sysmon Event ID 3: TCP connection attempt to smtp.attacker-controlled.com:587. Sysmon Event ID 22: DNS query for attacker-controlled.com. PowerShell ScriptBlock Log Event ID 4104 with full script content.
References (10)
- https://attack.mitre.org/techniques/T1048/002/
- https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc.html
- https://rclone.org/docs/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md
- https://www.rapid7.com/blog/post/2024/05/10/storm-1811-email-bombing-vishing-attacks/
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1048.002 including response playbook, investigation guide, and atomic red team tests.