T1048.002 Sumo Logic CSE · Sumo

Detect Exfiltration Over Asymmetric Encrypted Non-C2 Protocol in Sumo Logic CSE

Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. Common protocols include HTTPS/TLS, SFTP, SCP, SMTPS, and FTPS. These protocols use asymmetric encryption (public-key cryptography) for key exchange, often transitioning to symmetric encryption for bulk data transfer. Because these protocols are widely used for legitimate business purposes, malicious exfiltration traffic can blend in with normal network activity. Threat actors such as APT28, CURIUM, and Storm-1811 have leveraged HTTPS, SMTPS, and SCP respectively for data exfiltration.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1048 Exfiltration Over Alternative Protocol
Sub-technique
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Canonical reference
https://attack.mitre.org/techniques/T1048/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory=*windows/sysmon* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventCode in ("1", "3") or EventID in ("1", "3")
| where (
    Image matches /(?i)(rclone|winscp|pscp|psftp|filezilla|sftp|scp|curl|wget)\.exe/
    or (Image matches /(?i)(powershell|cmd)\.exe/ and CommandLine matches /(?i)(sftp|\bscp\b|smtps|ftps|webdav|rclone|winscp)/)
    or (Image matches /(?i)curl\.exe/ and CommandLine matches /(?i)(--ssl|--tls|sftp:\/\/|ftps:\/\/)/)
  )
| where EventCode != "3" or (
    DestinationPort in ("22","443","465","587","990","993","8443","21")
    and !(DestinationIp matches /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/)
  )
| eval Protocol = if(CommandLine matches /(?i)sftp:\/\//, "SFTP",
    if(CommandLine matches /(?i)\bscp\b/, "SCP",
    if(CommandLine matches /(?i)smtps/, "SMTPS",
    if(CommandLine matches /(?i)ftps:\/\//, "FTPS",
    if(CommandLine matches /(?i)webdav/, "WebDAV",
    if(DestinationPort == "22", "SSH/SFTP",
    if(DestinationPort == "443", "HTTPS",
    if(DestinationPort in ("465","587"), "SMTPS",
    if(DestinationPort == "990", "FTPS", "Unknown")))))))))
| eval RcloneCopy = if(Image matches /(?i)rclone\.exe/ and CommandLine matches /(?i)(copy|sync|move)/, "true", "false")
| eval RcloneRemote = if(Image matches /(?i)rclone\.exe/ and CommandLine matches /(?i)(sftp|s3|gdrive|onedrive|mega|box|dropbox|webdav)/, "true", "false")
| eval EventType = if(EventCode == "1" or EventID == "1", "ProcessCreate", if(EventCode == "3" or EventID == "3", "NetworkConnect", "Other"))
| fields _time, Computer, User, Image, CommandLine, ParentImage, EventType, Protocol, DestinationIp, DestinationPort, RcloneCopy, RcloneRemote
| sort by _time desc
high severity high confidence

Detects T1048.002 exfiltration over asymmetrically encrypted non-C2 protocols using Sumo Logic log search against Sysmon-sourced Windows endpoint data. Filters Sysmon EventCode 1 (ProcessCreate) for known exfiltration tool execution and suspicious command-line patterns, and EventCode 3 (NetworkConnect) for connections to encrypted protocol ports on public IPs. Enriches results with protocol classification, Rclone operation type detection, and remote destination identification.

Data Sources

Sumo Logic with Sysmon via Windows Event ForwardingSumo Logic Endpoint Security Collection

Required Tables

_sourceCategory=*windows/sysmon*_sourceCategory=*endpoint*

False Positives & Tuning

  • IT administrators using WinSCP or FileZilla for legitimate file transfers to authorized external SFTP servers or cloud-hosted storage
  • Automated rclone-based backup scripts running on a schedule to upload data to approved cloud storage providers such as Backblaze B2, Wasabi, or AWS S3
  • Development teams using curl or sftp in CI/CD pipeline scripts to deploy compiled artifacts to staging or production environments over encrypted channels
  • Email relay agents or applications using SMTPS on ports 465 or 587 for standard outbound encrypted email delivery to remote mail servers
Download portable Sigma rule (.yml)

Other platforms for T1048.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Rclone Exfiltration via SFTP

    Expected signal: Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'copy', 'sftp://', destination IP, and --sftp-pass flag. Sysmon Event ID 3: Network connection attempt to 192.0.2.1:22. DeviceProcessEvents and DeviceNetworkEvents in MDE will capture the event.

  2. Test 2SCP File Transfer to External Host

    Expected signal: Sysmon Event ID 1: Process Create with Image=pscp.exe, CommandLine containing destination IP, remote path, and -pw flag (password in clear text is itself a forensic indicator). Sysmon Event ID 3: TCP connection attempt to 198.51.100.1:22. Security Event ID 4688 if command-line auditing is enabled.

  3. Test 3PowerShell HTTPS Exfiltration via WebClient Upload

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient', 'UploadData', and 'https://'. Sysmon Event ID 3: TCP connection attempt to 127.0.0.1:4443. PowerShell ScriptBlock Log Event ID 4104 with full script. DeviceNetworkEvents in MDE will show the HTTPS connection attempt.

  4. Test 4Rclone MEGA Cloud Storage Exfiltration Simulation

    Expected signal: Sysmon Event ID 11: File creation of rclone_test.conf in %TEMP% containing MEGA credentials. Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine referencing --config path and 'mega_remote:'. Sysmon Event ID 3: DNS query and TCP connection attempt to MEGA API endpoints (g.api.mega.co.nz). DeviceFileEvents will capture config file creation.

  5. Test 5SMTPS Email Exfiltration via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'SmtpClient', 'EnableSsl = $true', port 587, and external hostname. Sysmon Event ID 3: TCP connection attempt to smtp.attacker-controlled.com:587. Sysmon Event ID 22: DNS query for attacker-controlled.com. PowerShell ScriptBlock Log Event ID 4104 with full script content.

Last updated: 2026-04-16 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1048.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1048Exfiltration Over Alternative Protocol

Related Sub-techniques

T1048.001Exfiltration Over Symmetric Encrypted Non-C2 ProtocolT1048.003Exfiltration Over Unencrypted Non-C2 Protocol

Related Techniques

T1048Exfiltration Over Alternative ProtocolT1048.001Exfiltration Over Symmetric Encrypted Non-C2 ProtocolT1567Exfiltration Over Web ServiceT1567.001Exfiltration to Code RepositoryT1567.004Exfiltration Over WebhookT1560Archive Collected DataT1560.001Archive via UtilityT1074Data StagedT1029Scheduled TransferT1020Automated ExfiltrationT1005Data from Local SystemT1078Valid Accounts

Same Tactic: Exfiltration

Popular Detections