Detect Exfiltration Over Alternative Protocol in Splunk
Adversaries may steal data by exfiltrating it over a different protocol than that used for command and control. Data may be sent over FTP, SMTP, DNS, SMB, HTTP/S, or any other network protocol not serving as the primary C2 channel. Adversaries often encrypt or obfuscate these alternate channels. Common tools include curl, ftp.exe, WinSCP, and built-in OS utilities. DNS tunneling (encoding data in DNS query subdomains) is a particularly stealthy variant used by malware families like FrameworkPOS. IaaS and SaaS platforms (Exchange, SharePoint, GitHub, AWS S3) can also serve as exfiltration endpoints via cloud APIs or direct downloads.
MITRE ATT&CK
- Tactic
- Exfiltration
- Canonical reference
- https://attack.mitre.org/techniques/T1048/
SPL Detection Query
| union
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\ftp.exe" OR Image="*\\curl.exe" OR Image="*\\winscp.exe" OR Image="*\\pscp.exe"
OR Image="*\\sftp.exe" OR Image="*\\bitsadmin.exe" OR Image="*\\robocopy.exe")
| eval CommandLine=lower(CommandLine)
| eval UploadFlag=if(match(CommandLine, "(-t\s|--upload-file|\sput\s|\sstor\s|ftp://|sftp://|ftps://|-f\s|--form|smtp://|--mail-from|--mail-rcpt)"), 1, 0)
| where UploadFlag=1
| eval DetectionBranch="ExfilToolUpload"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*"
OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*"
OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*"
OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*"
OR DestinationIp="172.31.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
(DestinationPort=21 OR DestinationPort=22 OR DestinationPort=25 OR DestinationPort=465
OR DestinationPort=587 OR DestinationPort=989 OR DestinationPort=990 OR DestinationPort=2121)
NOT (Image="*\\Outlook.exe" OR Image="*\\thunderbird.exe" OR Image="*\\filezilla.exe"
OR Image="*\\svchost.exe" OR Image="*\\lsass.exe")
| stats sum(eval(if(isnum(SourcePort),1,0))) as Connections, values(DestinationIp) as DestIPs, values(DestinationPort) as DestPorts
by host, User, Image, CommandLine, DestinationIp, DestinationPort
| where Connections > 5
| eval DetectionBranch="SuspiciousOutboundPort"
| table host, User, Image, CommandLine, DestIPs, DestPorts, Connections, DetectionBranch
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
NOT (QueryName="*.microsoft.com" OR QueryName="*.windows.com" OR QueryName="*.google.com"
OR QueryName="*.amazon.com" OR QueryName="*.cloudfront.net")
| eval QueryLen=len(QueryName)
| where QueryLen > 50
| stats count as DNSQueryCount, max(QueryLen) as MaxQueryLen, values(QueryName) as Domains
by host, User, Image, bin(_time, 3600)
| where DNSQueryCount > 20 OR MaxQueryLen > 100
| eval DetectionBranch="DNSTunnelingSuspect"
| table _time, host, User, Image, DNSQueryCount, MaxQueryLen, Domains, DetectionBranch
]Three-branch Splunk detection for T1048. Branch 1 monitors Sysmon Event ID 1 (Process Create) for known exfiltration tools (curl, ftp, WinSCP, bitsadmin) combined with upload-specific command-line flags. Branch 2 uses Sysmon Event ID 3 (Network Connect) to identify outbound connections on FTP/SMTP/SSH ports from unusual processes. Branch 3 uses Sysmon Event ID 22 (DNS Query) to detect DNS tunneling via abnormally long subdomain names (>50 chars) or high query volume (>20 queries/hour to unique external domains), a pattern consistent with FrameworkPOS DNS exfiltration.
Data Sources
Required Sourcetypes
False Positives & Tuning
- IT administrators using curl or WinSCP for legitimate file transfers to managed SFTP/FTP endpoints
- Backup agents initiating large outbound transfers to cloud storage over non-HTTP protocols
- DevOps pipelines using scp/sftp in CI/CD scripts for artifact deployment
- Security tools and vulnerability scanners performing SMTP or FTP tests during scheduled assessments
- Long DNS hostnames used by CDN providers or cloud service discovery mechanisms (e.g., AWS service endpoints)
Other platforms for T1048
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1FTP Upload via Windows Built-in FTP Client
Expected signal: Sysmon Event ID 1: Process Create with Image=ftp.exe, CommandLine containing '-s:%TEMP%\df00tech-ftp.txt'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:21 from ftp.exe. Sysmon Event ID 11: File create for the ftp script file in TEMP.
- Test 2curl SMTP Exfiltration Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing '--mail-from', '--mail-rcpt', '--upload-file', 'smtp://'. Sysmon Event ID 3: Network Connection to 127.0.0.1:25 from curl.exe. The connection will fail but telemetry events fire.
- Test 3DNS Tunneling Simulation via Long Subdomain Queries
Expected signal: Sysmon Event ID 22 (DNS Query): 25 events with QueryName containing long base64-encoded subdomains (>50 characters) under df00tech-test.com. DNS queries will fail to resolve (NXDOMAIN) but the DNS telemetry events are generated by the Sysmon DNS query logging provider.
- Test 4curl Upload via HTTP PUT (Alternative Protocol Exfiltration)
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing '-X PUT', '-T', and 'http://127.0.0.1:8888'. Sysmon Event ID 3: Network Connection to 127.0.0.1:8888. Sysmon Event ID 11: File Create for exfil_test.txt in TEMP directory.
- Test 5SCP File Exfiltration via OpenSSH (Linux/macOS)
Expected signal: Auditd EXECVE record for scp with arguments including the destination host and port. Network connection event to 198.51.100.1:22. On systems with Sysmon for Linux: Process Create event (EventCode=1) for scp binary, Network Connect (EventCode=3) for the outbound SSH connection attempt.
References (12)
- https://attack.mitre.org/techniques/T1048/
- http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/
- https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://blog.talosintelligence.com/poetrat-update-april-2020/
- https://www.sentinelone.com/labs/frameworkpos-another-pos-threat-using-dns-for-exfiltration/
- https://www.welivesecurity.com/2021/01/26/operation-windmill-eset-research-kobalos/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/play-ransomware
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection
Unlock Pro Content
Get the full detection package for T1048 including response playbook, investigation guide, and atomic red team tests.