Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-SFTPTunnel-EncryptedProtocolExfil.

Upgrade to Pro
THREAT-SFTPTunnel-EncryptedProtocolExfil

Data Exfiltration Over Encrypted Non-C2 Protocol (SFTP/FTPS/rsync-over-SSH)

Exfiltration Last updated:

Rather than tunneling stolen data through an existing C2 channel, some adversaries and insiders establish a separate, self-encrypted protocol session (SFTP, FTPS, rsync-over-SSH, scp) directly to an attacker-controlled or personal-cloud endpoint to move bulk data out. Because the session is encrypted at the protocol layer (SSH or TLS) rather than relying on the C2 implant's own crypto, payload inspection at the proxy is blind — the only visible signals are connection metadata: outbound sessions on FTP/FTPS/SSH ports to hosts outside the corporate asset inventory, unusually large or sustained sent-byte volume on those sessions, and dual-use binaries (scp.exe, sftp.exe, WinSCP.exe, rsync, openssh client) executing shortly after bulk file staging. This differs from the cloud-storage rclone/AzCopy pattern (which syncs to named SaaS cloud APIs over HTTPS) and the DNS-tunneling pattern (which hides data in the DNS protocol itself) already in this corpus by keying on standard file-transfer protocol sessions carrying their own encryption to a destination that is not a recognized corporate SFTP/backup target. APT41 and FIN13 have used scp/rsync to lift data from compromised Linux hosts, Scattered Spider affiliates have used WinSCP for SMB-network staging transfers, and Iron Tiger has used custom SSH-based exfiltration tooling. Detection requires correlating process execution of transfer clients with network session volume/destination reputation rather than payload content inspection.

What is THREAT-SFTPTunnel-EncryptedProtocolExfil Data Exfiltration Over Encrypted Non-C2 Protocol (SFTP/FTPS/rsync-over-SSH)?

Data Exfiltration Over Encrypted Non-C2 Protocol (SFTP/FTPS/rsync-over-SSH) (THREAT-SFTPTunnel-EncryptedProtocolExfil) maps to the Exfiltration tactic — the adversary is trying to steal data in MITRE ATT&CK.

This page provides production-ready detection logic for Data Exfiltration Over Encrypted Non-C2 Protocol (SFTP/FTPS/rsync-over-SSH), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceNetworkEvents), Sysmon Event ID 1, 3, Network flow data (NetFlow/IPFIX), SSH/FTP server audit logs. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
let TimeWindow = 24h;
let MinBytesSent = 50000000;         // 50MB threshold for a single session
let TransferProcessNames = dynamic(["scp.exe", "sftp.exe", "winscp.exe", "psftp.exe", "rsync.exe", "rsync", "scp", "sftp"]);
let KnownCorpDestinations = dynamic(["<YOUR_CORP_SFTP_HOST>", "<YOUR_BACKUP_HOST>"]);
DeviceProcessEvents
| where Timestamp > ago(TimeWindow)
| where FileName in~ (TransferProcessNames)
| project ProcTimestamp = Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(TimeWindow)
    | where ActionType =~ "ConnectionSuccess"
    | where RemotePort in (22, 990, 989, 21, 2222)
    | where RemoteIPType == "Public"
    | project NetTimestamp = Timestamp, DeviceName, AccountName, RemoteIP, RemoteUrl, RemotePort, SentBytes, InitiatingProcessFileName
  ) on DeviceName, AccountName
| where InitiatingProcessFileName1 in~ (TransferProcessNames) or InitiatingProcessFileName in~ (TransferProcessNames)
| where datetime_diff('minute', NetTimestamp, ProcTimestamp) between (-5 .. 30)
| where RemoteUrl !in~ (KnownCorpDestinations) and RemoteIP !in~ (KnownCorpDestinations)
| summarize
    SessionCount = count(),
    TotalBytesSent = sum(SentBytes),
    Commands = make_set(ProcessCommandLine, 10),
    FirstSeen = min(ProcTimestamp),
    LastSeen = max(NetTimestamp)
  by DeviceName, AccountName, FileName, RemoteIP, RemotePort
| where TotalBytesSent > MinBytesSent or SessionCount > 3
| extend ThreatType = "Exfil_EncryptedProtocolTransfer"
| extend RiskScore = iff(TotalBytesSent > (MinBytesSent * 2), 85, 65)
| sort by RiskScore desc, TotalBytesSent desc

Correlates process execution of encrypted file-transfer clients (scp, sftp, WinSCP, rsync) with network sessions on SSH/FTPS ports (22, 21, 989, 990, 2222) to public, non-corporate destinations within a 30-minute window. Flags sessions exceeding a 50MB sent-byte threshold or with more than 3 sessions to the same external host, since these clients encrypt their own payload and defeat proxy content inspection — the only reliable signal is process+network correlation plus destination reputation against a known-corporate-endpoint allowlist.

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceNetworkEvents) Sysmon Event ID 1, 3 Network flow data (NetFlow/IPFIX) SSH/FTP server audit logs

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

  • IT/DevOps administrators using scp or rsync for legitimate server-to-server backups or deployments to non-inventoried but authorized cloud hosts
  • Developers using WinSCP or sftp to push build artifacts to a personal or vendor-hosted SFTP endpoint with business justification
  • Scheduled automation jobs (cron/Task Scheduler) that legitimately rsync large datasets to an offsite disaster-recovery host not yet added to the corporate asset inventory

Sigma rule & cross-platform mapping

The detection logic for Data Exfiltration Over Encrypted Non-C2 Protocol (SFTP/FTPS/rsync-over-SSH) (THREAT-SFTPTunnel-EncryptedProtocolExfil) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate SFTP Bulk Exfiltration to External Loopback Endpoint

    Expected signal: auditd/Sysmon-for-Linux: execve record for sftp with destination 127.0.0.1:22, followed by a network connect() event and multi-second session duration with non-trivial bytes sent.

  2. Test 2Simulate WinSCP/scp-style Bulk Transfer on Windows

    Expected signal: Sysmon Event ID 1: scp.exe execution with source/destination path in command line. Sysmon Event ID 3: network connection to 127.0.0.1:22 with sustained SentBytes.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-SFTPTunnel-EncryptedProtocolExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections