T1048.003 IBM QRadar · QRadar

Detect Exfiltration Over Unencrypted Non-C2 Protocol in IBM QRadar

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. Common protocols used include HTTP, FTP, SMTP, DNS, and TFTP. Data may be obfuscated using encoding schemes such as Base64 or embedded within protocol headers and fields without the use of encryption. Real-world threat actors including Lazarus Group, FIN8, APT32, Salt Typhoon, and Mustang Panda have leveraged FTP, HTTP POST, DNS tunneling, and SMTP for this purpose.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1048 Exfiltration Over Alternative Protocol
Sub-technique
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
Canonical reference
https://attack.mitre.org/techniques/T1048/003/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
       sourceip AS SourceIP,
       destinationip AS DestinationIP,
       destinationport AS DestPort,
       username AS Username,
       "Image" AS ProcessImage,
       "CommandLine" AS CommandLine,
       "ParentImage" AS ParentProcessImage,
       QIDNAME(qid) AS EventName,
       LOGSOURCETYPENAME(devicetype) AS LogSourceType,
       CASE
         WHEN LOWER("Image") LIKE '%ftp.exe%' OR LOWER("Image") LIKE '%winscp.exe%' OR LOWER("Image") LIKE '%filezilla.exe%'
              OR LOWER("Image") LIKE '%ncftp%' OR LOWER("Image") LIKE '%lftp%'
              OR LOWER("CommandLine") LIKE '%ftp://%' OR LOWER("CommandLine") LIKE '%-ftp-upload%'
              OR LOWER("CommandLine") LIKE '%--upload-file%' OR LOWER("CommandLine") LIKE '%stor %'
              THEN 'FTP_Exfil'
         WHEN (LOWER("Image") LIKE '%curl%' OR LOWER("Image") LIKE '%wget%')
              AND LOWER("CommandLine") LIKE '%http://%'
              AND (LOWER("CommandLine") LIKE '%--upload-file%' OR LOWER("CommandLine") LIKE '%--data-binary%'
                   OR LOWER("CommandLine") LIKE '%--form%' OR LOWER("CommandLine") LIKE '%-d @%'
                   OR LOWER("CommandLine") LIKE '%multipart%')
              THEN 'HTTP_Upload'
         WHEN LOWER("Image") LIKE '%dnscat%' OR LOWER("Image") LIKE '%iodine%' OR LOWER("Image") LIKE '%dns2tcp%'
              OR LOWER("CommandLine") LIKE '%dnscat%' OR LOWER("CommandLine") LIKE '%iodine%'
              OR LOWER("CommandLine") LIKE '%dns2tcp%'
              THEN 'DNS_Tunnel'
         WHEN LOWER("Image") LIKE '%blat.exe%' OR LOWER("Image") LIKE '%swaks%'
              OR LOWER("Image") LIKE '%msmtp%'
              OR (LOWER("CommandLine") LIKE '%smtp%'
                  AND (LOWER("CommandLine") LIKE '%-attach%' OR LOWER("CommandLine") LIKE '%-to %'))
              THEN 'SMTP_Exfil'
         WHEN destinationport IN (21, 25, 69, 80, 110, 143, 2121, 8080, 8000, 8888)
              AND NOT destinationip LIKE '10.%'
              AND NOT destinationip LIKE '192.168.%'
              AND NOT destinationip LIKE '172.16.%' AND NOT destinationip LIKE '172.17.%'
              AND NOT destinationip LIKE '172.18.%' AND NOT destinationip LIKE '172.19.%'
              AND NOT destinationip LIKE '172.20.%' AND NOT destinationip LIKE '172.21.%'
              AND NOT destinationip LIKE '172.22.%' AND NOT destinationip LIKE '172.23.%'
              AND NOT destinationip LIKE '172.24.%' AND NOT destinationip LIKE '172.25.%'
              AND NOT destinationip LIKE '172.26.%' AND NOT destinationip LIKE '172.27.%'
              AND NOT destinationip LIKE '172.28.%' AND NOT destinationip LIKE '172.29.%'
              AND NOT destinationip LIKE '172.30.%' AND NOT destinationip LIKE '172.31.%'
              THEN 'Plaintext_Network'
         ELSE 'Unknown'
       END AS ExfilMethod
FROM events
WHERE starttime > NOW() - 86400000
  AND (
    LOWER("Image") LIKE '%ftp.exe%' OR LOWER("Image") LIKE '%winscp.exe%' OR LOWER("Image") LIKE '%filezilla.exe%'
    OR LOWER("Image") LIKE '%ncftp%' OR LOWER("Image") LIKE '%lftp%'
    OR LOWER("CommandLine") LIKE '%ftp://%' OR LOWER("CommandLine") LIKE '%-ftp-upload%'
    OR (LOWER("Image") LIKE '%curl%' AND LOWER("CommandLine") LIKE '%http://%'
        AND (LOWER("CommandLine") LIKE '%--upload-file%' OR LOWER("CommandLine") LIKE '%--data-binary%' OR LOWER("CommandLine") LIKE '%--form%'))
    OR (LOWER("Image") LIKE '%wget%' AND LOWER("CommandLine") LIKE '%http://%' AND LOWER("CommandLine") LIKE '%--upload-file%')
    OR LOWER("Image") LIKE '%dnscat%' OR LOWER("Image") LIKE '%iodine%' OR LOWER("Image") LIKE '%dns2tcp%'
    OR LOWER("Image") LIKE '%blat%' OR LOWER("Image") LIKE '%swaks%' OR LOWER("Image") LIKE '%msmtp%'
    OR destinationport IN (21, 25, 69, 80, 110, 143, 2121, 8080, 8000, 8888)
  )
ORDER BY starttime DESC
LAST 1 DAYS
high severity medium confidence

IBM QRadar AQL detection for T1048.003 querying normalized process and network flow events. Classifies exfiltration method using CASE logic across FTP tool execution, curl/wget plain-HTTP upload patterns, DNS tunneling utilities, SMTP exfiltration mailers, and outbound connections to unencrypted protocol ports targeting non-RFC1918 addresses. Requires Sysmon or Windows Security log source with Image and CommandLine custom property extraction configured.

Data Sources

Windows Security Event Log via WinCollectSysmon Event Log via WinCollectQRadar Network Flows (QFlow)Linux Audit Log via syslog

Required Tables

events

False Positives & Tuning

  • Legitimate system management automation scripts that use FTP or HTTP to push configuration files to external hosting or CDN infrastructure during authorized maintenance windows
  • Developer workstations running local FTP servers or plain HTTP test endpoints during application development and integration testing
  • Security operations teams using curl, wget, or sendmail for authorized penetration testing or red team exercises without proper exclusion rules in place
Download portable Sigma rule (.yml)

Other platforms for T1048.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1FTP File Exfiltration Using Native Windows FTP Client

    Expected signal: Sysmon Event ID 1: Process Create with Image=ftp.exe, CommandLine containing '-s:%TEMP%\ftp_script.txt'. Sysmon Event ID 11: File Create for ftp_script.txt. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:21 (may not appear if connection immediately refused). Security Event ID 4688 if command line auditing enabled.

  2. Test 2HTTP POST File Upload via curl to Plaintext Endpoint

    Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing '--upload-file' and 'http://127.0.0.1:8080/upload'. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080 from curl.exe. The connection will be refused but process and network events will still be logged.

  3. Test 3DNS Subdomain Exfiltration via nslookup

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe and child nslookup.exe with a long base64-like subdomain in the command line. Sysmon Event ID 22: DNS query event showing the long subdomain query. The query will fail (NXDOMAIN or timeout) but all telemetry is generated.

  4. Test 4SMTP Email Exfiltration via PowerShell Send-MailMessage

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Send-MailMessage', '-SmtpServer', and '-Attachments'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:25. PowerShell ScriptBlock Log Event ID 4104 with the full Send-MailMessage command and parameters including attachment path.

  5. Test 5Data Staging and FTP Exfiltration via WinSCP Script (Linux/macOS via curl)

    Expected signal: Linux auditd or Sysmon for Linux Event ID 1: Process Create for tar, then curl with --upload-file and ftp:// URL. Syslog or auditd SYSCALL records for execve of curl with FTP arguments. Network connection attempt to 127.0.0.1:21. File creation events for the tar archive.

Last updated: 2026-04-16 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1048.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1048Exfiltration Over Alternative Protocol

Related Sub-techniques

T1048.001Exfiltration Over Symmetric Encrypted Non-C2 ProtocolT1048.002Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Related Techniques

T1048Exfiltration Over Alternative ProtocolT1048.001Exfiltration Over Symmetric Encrypted Non-C2 ProtocolT1048.002Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1041Exfiltration Over C2 ChannelT1071.001Web ProtocolsT1071.002File Transfer ProtocolsT1071.004DNST1560Archive Collected DataT1005Data from Local SystemT1074Data StagedT1567Exfiltration Over Web ServiceT1020Automated Exfiltration

Same Tactic: Exfiltration

Popular Detections