T1048.003

Exfiltration Over Unencrypted Non-C2 Protocol

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. Common protocols used include HTTP, FTP, SMTP, DNS, and TFTP. Data may be obfuscated using encoding schemes such as Base64 or embedded within protocol headers and fields without the use of encryption. Real-world threat actors including Lazarus Group, FIN8, APT32, Salt Typhoon, and Mustang Panda have leveraged FTP, HTTP POST, DNS tunneling, and SMTP for this purpose.

Microsoft Sentinel / Defender

kusto

let FtpTools = dynamic(["ftp.exe", "winscp.exe", "filezilla.exe", "winscp3.exe", "ncftp", "lftp"]);
let CurlWgetPatterns = dynamic(["curl ", "wget ", "Invoke-WebRequest", "curl.exe", "wget.exe"]);
let FtpExfilPatterns = dynamic(["--upload-file", "-T ", "PUT ", "STOR ", "-u ftp", "ftp://", "ftps://", "sftp://"]);
let DnsExfilPatterns = dynamic(["nslookup ", "Resolve-DnsName", "dig ", "dnscat", "iodine"]);
let SmtpExfilPatterns = dynamic(["smtp", "sendmail", "blat", "swaks", "Send-MailMessage"]);
let HttpExfilPatterns = dynamic(["--data-binary", "--data @", "-d @", "multipart/form-data", "-F file", "--form"]);
// Detection 1: FTP client usage with suspicious data transfer flags
let FtpExfil = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (FtpTools) or ProcessCommandLine has_any (["ftp://", "--ftp-upload", "-T ftp"])
| where ProcessCommandLine has_any (FtpExfilPatterns) or FileName has_any (FtpTools)
| extend ExfilMethod = "FTP"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExfilMethod;
// Detection 2: curl/wget uploading data over HTTP (not HTTPS)
let HttpExfil = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (["curl.exe", "curl", "wget.exe", "wget"])
| where ProcessCommandLine has_any (HttpExfilPatterns)
       or (ProcessCommandLine matches regex @"http://[^\s]+" and ProcessCommandLine has_any (["--upload-file", "-T ", "--data", "-d ", "--form", "-F "]))
| extend ExfilMethod = "HTTP_Upload"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExfilMethod;
// Detection 3: DNS-based exfiltration tools
let DnsExfil = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (["nslookup.exe", "nslookup", "dnscat", "iodine", "dns2tcp"])
       or ProcessCommandLine has_any (DnsExfilPatterns)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{20,}\.[a-z]{2,}"
       or ProcessCommandLine has_any (["dnscat", "iodine", "dns2tcp", "dnstunnel"])
| extend ExfilMethod = "DNS_Tunnel"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExfilMethod;
// Detection 4: SMTP/email-based exfiltration
let SmtpExfil = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (["blat.exe", "swaks", "sendmail", "msmtp"]) or ProcessCommandLine has_any (SmtpExfilPatterns)
| where ProcessCommandLine has_any (["-server", "-to ", "--to ", "-attach", "--attach", "-body", "--body"])
| extend ExfilMethod = "SMTP"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExfilMethod;
// Detection 5: Large outbound data via network connections on plaintext ports
let PlaintextNetworkExfil = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (21, 25, 69, 80, 110, 143, 8080, 8000, 8888, 2121)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ ("svchost.exe", "services.exe", "lsass.exe", "MsMpEng.exe", "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe")
| extend ExfilMethod = case(
    RemotePort in (21, 2121), "FTP",
    RemotePort in (25, 110, 143), "Email_Protocol",
    RemotePort == 69, "TFTP",
    RemotePort in (80, 8080, 8000, 8888), "HTTP",
    "Unknown_Plaintext")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl, ExfilMethod;
union FtpExfil, HttpExfil, DnsExfil, SmtpExfil, PlaintextNetworkExfil
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate FTP file transfers by IT operations teams using WinSCP or FileZilla to upload builds to internal FTP servers
Web developers or DevOps engineers using curl or wget to upload files to HTTP-based staging servers or artifact repositories
Monitoring agents or backup tools making HTTP connections on non-standard ports to internal infrastructure that happens to use plaintext
Network scanning or vulnerability assessment tools that probe FTP/HTTP ports on public IPs as part of authorized engagements
Internal mail relay servers or legacy applications using SMTP on port 25 for legitimate notification emails

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3)
| eval ExfilMethod="Unknown"
| eval IsFtpExfil=if(match(Image, "(?i)(ftp\.exe|winscp\.exe|filezilla\.exe|ncftp|lftp)") OR match(CommandLine, "(?i)(ftp://|--ftp-upload|--upload-file|-T ftp|STOR )"), 1, 0)
| eval IsHttpExfil=if(match(Image, "(?i)(curl\.exe|wget\.exe)") AND match(CommandLine, "(?i)(--upload-file|-T http://|--data-binary|--data @|-d @|--form|-F file=|multipart)") AND match(CommandLine, "http://"), 1, 0)
| eval IsDnsExfil=if(match(Image, "(?i)(nslookup\.exe|dnscat|iodine|dns2tcp|dnstunnel)") OR match(CommandLine, "(?i)(dnscat|iodine|dns2tcp)"), 1, 0)
| eval IsSmtpExfil=if(match(Image, "(?i)(blat\.exe|swaks|sendmail|msmtp)") OR (match(CommandLine, "(?i)(smtp|Send-MailMessage|sendmail)" ) AND match(CommandLine, "(?i)(-attach|--attach|-to |--to |-server)")) , 1, 0)
| eval ExfilMethod=case(
    IsFtpExfil=1, "FTP",
    IsHttpExfil=1, "HTTP_Upload",
    IsDnsExfil=1, "DNS_Tunnel",
    IsSmtpExfil=1, "SMTP",
    EventCode=3 AND (match(DestinationPort, "^(21|25|69|80|110|143|8080|8000|8888|2121)$")) AND NOT match(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"), "Plaintext_Network",
    true(), "Unknown")
| where ExfilMethod!="Unknown"
| eval SuspicionScore=IsFtpExfil + IsHttpExfil + IsDnsExfil + IsSmtpExfil
| eval IsExternalDest=if(EventCode=3 AND NOT match(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"), 1, 0)
| where IsFtpExfil=1 OR IsHttpExfil=1 OR IsDnsExfil=1 OR IsSmtpExfil=1 OR (ExfilMethod="Plaintext_Network" AND NOT match(Image, "(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|svchost\.exe|services\.exe)"))
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DestinationIp, DestinationPort, ExfilMethod, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate FTP file transfers by IT operations teams using WinSCP or FileZilla to upload builds to internal FTP servers
Web developers or DevOps engineers using curl or wget to upload files to HTTP-based staging servers or artifact repositories
Monitoring agents or backup tools making HTTP connections on non-standard ports to internal infrastructure that happens to use plaintext
Network scanning or vulnerability assessment tools that probe FTP/HTTP ports on public IPs as part of authorized engagements
Internal mail relay servers or legacy applications using SMTP on port 25 for legitimate notification emails

Elastic Security (EQL)

eql

any where
  (event.category == "process" and event.type == "start" and (
    process.name in~ ("ftp.exe", "winscp.exe", "filezilla.exe", "ncftp", "lftp", "dnscat", "iodine", "dns2tcp", "blat.exe", "swaks", "sendmail", "msmtp") or
    (
      process.name in~ ("curl.exe", "curl", "wget.exe", "wget") and
      process.command_line like~ "*http://*" and
      (
        process.args : ("--upload-file", "--data-binary", "--form", "-F") or
        process.command_line like~ "*--data @*" or
        process.command_line like~ "*-d @*"
      )
    ) or
    process.command_line like~ "*ftp://*" or
    process.command_line like~ "*ftps://*" or
    process.args : ("--ftp-upload", "STOR") or
    process.command_line like~ "*dnscat*" or
    process.command_line like~ "*iodine*" or
    process.command_line like~ "*dns2tcp*" or
    (
      process.command_line like~ "*smtp*" and
      (
        process.args : ("-attach", "--attach", "-server") or
        process.command_line like~ "*-to *" or
        process.command_line like~ "*--to *"
      )
    )
  )) or
  (event.category == "network" and event.type in ("connection", "start") and
   destination.port in (21, 25, 69, 80, 110, 143, 2121, 8080, 8000, 8888) and
   not destination.ip like ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*",
     "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*",
     "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*",
     "192.168.*", "127.*", "::1") and
   not process.name in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
     "svchost.exe", "services.exe", "lsass.exe", "MsMpEng.exe")
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security (EDR) Winlogbeat with Sysmon Packetbeat network capture

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-windows.sysmon_operational-*

False Positives

Legitimate FTP or plain HTTP file transfers by system administrators performing patching, configuration pushes, or authorized data migrations to external hosting providers
Internal developer tooling or CI/CD pipelines that upload build artifacts over plain HTTP to internal artifact repositories that route through addresses appearing external
Network diagnostic engineers running nslookup, dig, or DNS resolution scripts as part of authorized troubleshooting that match DNS tunneling command-line patterns

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
       sourceip AS SourceIP,
       destinationip AS DestinationIP,
       destinationport AS DestPort,
       username AS Username,
       "Image" AS ProcessImage,
       "CommandLine" AS CommandLine,
       "ParentImage" AS ParentProcessImage,
       QIDNAME(qid) AS EventName,
       LOGSOURCETYPENAME(devicetype) AS LogSourceType,
       CASE
         WHEN LOWER("Image") LIKE '%ftp.exe%' OR LOWER("Image") LIKE '%winscp.exe%' OR LOWER("Image") LIKE '%filezilla.exe%'
              OR LOWER("Image") LIKE '%ncftp%' OR LOWER("Image") LIKE '%lftp%'
              OR LOWER("CommandLine") LIKE '%ftp://%' OR LOWER("CommandLine") LIKE '%-ftp-upload%'
              OR LOWER("CommandLine") LIKE '%--upload-file%' OR LOWER("CommandLine") LIKE '%stor %'
              THEN 'FTP_Exfil'
         WHEN (LOWER("Image") LIKE '%curl%' OR LOWER("Image") LIKE '%wget%')
              AND LOWER("CommandLine") LIKE '%http://%'
              AND (LOWER("CommandLine") LIKE '%--upload-file%' OR LOWER("CommandLine") LIKE '%--data-binary%'
                   OR LOWER("CommandLine") LIKE '%--form%' OR LOWER("CommandLine") LIKE '%-d @%'
                   OR LOWER("CommandLine") LIKE '%multipart%')
              THEN 'HTTP_Upload'
         WHEN LOWER("Image") LIKE '%dnscat%' OR LOWER("Image") LIKE '%iodine%' OR LOWER("Image") LIKE '%dns2tcp%'
              OR LOWER("CommandLine") LIKE '%dnscat%' OR LOWER("CommandLine") LIKE '%iodine%'
              OR LOWER("CommandLine") LIKE '%dns2tcp%'
              THEN 'DNS_Tunnel'
         WHEN LOWER("Image") LIKE '%blat.exe%' OR LOWER("Image") LIKE '%swaks%'
              OR LOWER("Image") LIKE '%msmtp%'
              OR (LOWER("CommandLine") LIKE '%smtp%'
                  AND (LOWER("CommandLine") LIKE '%-attach%' OR LOWER("CommandLine") LIKE '%-to %'))
              THEN 'SMTP_Exfil'
         WHEN destinationport IN (21, 25, 69, 80, 110, 143, 2121, 8080, 8000, 8888)
              AND NOT destinationip LIKE '10.%'
              AND NOT destinationip LIKE '192.168.%'
              AND NOT destinationip LIKE '172.16.%' AND NOT destinationip LIKE '172.17.%'
              AND NOT destinationip LIKE '172.18.%' AND NOT destinationip LIKE '172.19.%'
              AND NOT destinationip LIKE '172.20.%' AND NOT destinationip LIKE '172.21.%'
              AND NOT destinationip LIKE '172.22.%' AND NOT destinationip LIKE '172.23.%'
              AND NOT destinationip LIKE '172.24.%' AND NOT destinationip LIKE '172.25.%'
              AND NOT destinationip LIKE '172.26.%' AND NOT destinationip LIKE '172.27.%'
              AND NOT destinationip LIKE '172.28.%' AND NOT destinationip LIKE '172.29.%'
              AND NOT destinationip LIKE '172.30.%' AND NOT destinationip LIKE '172.31.%'
              THEN 'Plaintext_Network'
         ELSE 'Unknown'
       END AS ExfilMethod
FROM events
WHERE starttime > NOW() - 86400000
  AND (
    LOWER("Image") LIKE '%ftp.exe%' OR LOWER("Image") LIKE '%winscp.exe%' OR LOWER("Image") LIKE '%filezilla.exe%'
    OR LOWER("Image") LIKE '%ncftp%' OR LOWER("Image") LIKE '%lftp%'
    OR LOWER("CommandLine") LIKE '%ftp://%' OR LOWER("CommandLine") LIKE '%-ftp-upload%'
    OR (LOWER("Image") LIKE '%curl%' AND LOWER("CommandLine") LIKE '%http://%'
        AND (LOWER("CommandLine") LIKE '%--upload-file%' OR LOWER("CommandLine") LIKE '%--data-binary%' OR LOWER("CommandLine") LIKE '%--form%'))
    OR (LOWER("Image") LIKE '%wget%' AND LOWER("CommandLine") LIKE '%http://%' AND LOWER("CommandLine") LIKE '%--upload-file%')
    OR LOWER("Image") LIKE '%dnscat%' OR LOWER("Image") LIKE '%iodine%' OR LOWER("Image") LIKE '%dns2tcp%'
    OR LOWER("Image") LIKE '%blat%' OR LOWER("Image") LIKE '%swaks%' OR LOWER("Image") LIKE '%msmtp%'
    OR destinationport IN (21, 25, 69, 80, 110, 143, 2121, 8080, 8000, 8888)
  )
ORDER BY starttime DESC
LAST 1 DAYS

high severity medium confidence

Data Sources

Windows Security Event Log via WinCollect Sysmon Event Log via WinCollect QRadar Network Flows (QFlow) Linux Audit Log via syslog

Required Tables

events

False Positives

Legitimate system management automation scripts that use FTP or HTTP to push configuration files to external hosting or CDN infrastructure during authorized maintenance windows
Developer workstations running local FTP servers or plain HTTP test endpoints during application development and integration testing
Security operations teams using curl, wget, or sendmail for authorized penetration testing or red team exercises without proper exclusion rules in place

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventCode in ("1", "3") OR EventID in ("1", "3")
| eval IsFtpExfil = if(
    matches(Image, "(?i)(ftp\\.exe|winscp\\.exe|filezilla\\.exe|ncftp|lftp)") OR
    matches(CommandLine, "(?i)(ftp://|ftps://|--ftp-upload|--upload-file|-T ftp|STOR )"),
    1, 0)
| eval IsHttpExfil = if(
    matches(Image, "(?i)(curl\\.exe|wget\\.exe|curl|wget)") AND
    matches(CommandLine, "(?i)(--upload-file|-T http://|--data-binary|--data @|-d @|--form|-F file=|multipart)") AND
    matches(CommandLine, "http://"),
    1, 0)
| eval IsDnsExfil = if(
    matches(Image, "(?i)(nslookup\\.exe|dnscat|iodine|dns2tcp|dnstunnel)") OR
    matches(CommandLine, "(?i)(dnscat|iodine|dns2tcp)"),
    1, 0)
| eval IsSmtpExfil = if(
    matches(Image, "(?i)(blat\\.exe|swaks|sendmail|msmtp)") OR
    (matches(CommandLine, "(?i)(smtp|Send-MailMessage|sendmail)") AND
     matches(CommandLine, "(?i)(-attach|--attach|-to |--to |-server)")),
    1, 0)
| eval IsPlaintextNet = if(
    !isNull(DestinationPort) AND
    DestinationPort in ("21","25","69","80","110","143","2121","8080","8000","8888") AND
    !matches(DestinationIp, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.)") AND
    !matches(Image, "(?i)(chrome\\.exe|firefox\\.exe|msedge\\.exe|iexplore\\.exe|svchost\\.exe|services\\.exe)"),
    1, 0)
| eval ExfilMethod = if(IsFtpExfil=1, "FTP",
    if(IsHttpExfil=1, "HTTP_Upload",
    if(IsDnsExfil=1, "DNS_Tunnel",
    if(IsSmtpExfil=1, "SMTP",
    if(IsPlaintextNet=1, "Plaintext_Network", "Unknown")))))
| where ExfilMethod != "Unknown"
| eval SuspicionScore = IsFtpExfil + IsHttpExfil + IsDnsExfil + IsSmtpExfil
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, DestinationIp, DestinationPort, ExfilMethod, SuspicionScore
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows Event Log) Sysmon via Sumo Logic Collector CrowdStrike Falcon via Sumo Logic Cloud-to-Cloud

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*endpoint*

False Positives

Automated patch management or software deployment workflows using plain HTTP or FTP to push packages to endpoints via internal distribution servers exposed on non-RFC1918 addresses
Security research or malware analysis sandboxes running FTP, DNS, or SMTP exfiltration tools in controlled detonation environments without source category exclusions
Legacy enterprise applications relying on SMTP (blat, sendmail) or FTP for routine scheduled data exports to authorized third-party partners

Google Chronicle / SecOps

yaral

rule t1048_003_exfil_unencrypted_process {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects process launches matching FTP, HTTP upload, DNS tunneling, or SMTP exfiltration tool patterns for T1048.003"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1048.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.principal.process.file.full_path, `(?i)(ftp\.exe|winscp\.exe|filezilla\.exe|ncftp|lftp)`) or
      re.regex($e.principal.process.command_line, `(?i)(ftp://|ftps://|--ftp-upload|--upload-file|-T ftp|STOR )`) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)(curl\.exe|wget\.exe|curl|wget)`) and
        re.regex($e.principal.process.command_line, `(?i)(--upload-file|--data-binary|--data @|-d @|--form|-F file)`) and
        re.regex($e.principal.process.command_line, `http://`)
      ) or
      re.regex($e.principal.process.file.full_path, `(?i)(dnscat|iodine|dns2tcp|dnstunnel)`) or
      re.regex($e.principal.process.command_line, `(?i)(dnscat|iodine|dns2tcp)`) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)(blat\.exe|swaks|sendmail|msmtp)`) and
        re.regex($e.principal.process.command_line, `(?i)(-attach|--attach|-to |--to |-server)`)
      ) or
      (
        re.regex($e.principal.process.command_line, `(?i)(Send-MailMessage|smtp)`) and
        re.regex($e.principal.process.command_line, `(?i)(-attach|--attach|-to |--to |-server)`)
      )
    )

  condition:
    $e
}

rule t1048_003_plaintext_network_exfil {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects outbound network connections to unencrypted protocol ports from non-browser processes targeting external IPs — T1048.003"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1048.003"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.target.port in (21, 25, 69, 80, 110, 143, 2121, 8080, 8000, 8888)
    not re.regex($e.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)
    not re.regex($e.principal.process.file.full_path, `(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|svchost\.exe|services\.exe|lsass\.exe|MsMpEng\.exe)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM (via Bindplane or Chronicle forwarder) Windows Endpoint telemetry via Chronicle agent Network telemetry via Chronicle forwarder

Required Tables

UDM events: PROCESS_LAUNCH UDM events: NETWORK_CONNECTION

False Positives

Legitimate FTP or plain HTTP file distribution by IT operations using automation scripts for software deployment, patch delivery, or configuration management to remote offices
Internal web APIs operating on alternate HTTP ports (8080, 8000, 8888) accessed by orchestration or data pipeline automation for authorized data movement
Security operations personnel running DNS diagnostic utilities (nslookup, dig) or network testing tools that match DNS tunneling process name patterns

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(ProcessRollup2|NetworkConnectIP4|DnsRequest)$/
| ExfilMethod := case {
    ImageFileName = /(?i)(ftp\.exe|winscp\.exe|filezilla\.exe|ncftp|lftp)/
      OR CommandLine = /(?i)(ftp:\/\/|ftps:\/\/|--ftp-upload|--upload-file|STOR )/ =>
      "FTP";
    ImageFileName = /(?i)(curl|wget)/
      AND CommandLine = /(?i)(--upload-file|--data-binary|--data @|-d @|--form|-F )/
      AND CommandLine = /http:\/\// =>
      "HTTP_Upload";
    ImageFileName = /(?i)(dnscat|iodine|dns2tcp|dnstunnel)/
      OR CommandLine = /(?i)(dnscat|iodine|dns2tcp)/ =>
      "DNS_Tunnel";
    ImageFileName = /(?i)(blat|swaks|sendmail|msmtp)/
      OR (CommandLine = /(?i)(smtp|sendmail|Send-MailMessage)/
          AND CommandLine = /(?i)(-attach|--attach|-to |--to )/) =>
      "SMTP";
    #event_simpleName = "NetworkConnectIP4"
      AND RemotePort in (21, 25, 69, 80, 110, 143, 2121, 8080, 8000, 8888)
      AND NOT RemoteIP = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
      AND NOT ImageFileName = /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|svchost\.exe|services\.exe|lsass\.exe|MsMpEng\.exe)/ =>
      "Plaintext_Network";
    * => ""
}
| ExfilMethod != ""
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, RemoteIP, RemotePort, ExfilMethod, #event_simpleName])
| sort(@timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Insight EDR (ProcessRollup2) CrowdStrike Falcon Network telemetry (NetworkConnectIP4) CrowdStrike Falcon DNS telemetry (DnsRequest)

Required Tables

ProcessRollup2 NetworkConnectIP4 DnsRequest

False Positives

DevOps CI/CD pipelines using curl with POST or upload flags to internal artifact repositories or container registries exposed on plain HTTP endpoints within the corporate network
IT administrators running WinSCP, FileZilla, or FTP scripts for authorized scheduled data transfers to managed external storage providers during approved maintenance windows
Threat intelligence or malware analysis teams executing DNS tunneling or SMTP exfiltration tooling within isolated sandbox environments without proper host-based exclusions

Last updated: 2026-04-16 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1048.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1048Exfiltration Over Alternative Protocol

Related Sub-techniques

T1048.001Exfiltration Over Symmetric Encrypted Non-C2 Protocol T1048.002Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exfiltration Over Unencrypted Non-C2 Protocol

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Exfiltration

Popular Detections