Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-SFTPTunnel-EncryptedProtocolExfil.
Upgrade to ProDetect Data Exfiltration Over Encrypted Non-C2 Protocol (SFTP/FTPS/rsync-over-SSH) in Elastic Security
Rather than tunneling stolen data through an existing C2 channel, some adversaries and insiders establish a separate, self-encrypted protocol session (SFTP, FTPS, rsync-over-SSH, scp) directly to an attacker-controlled or personal-cloud endpoint to move bulk data out. Because the session is encrypted at the protocol layer (SSH or TLS) rather than relying on the C2 implant's own crypto, payload inspection at the proxy is blind — the only visible signals are connection metadata: outbound sessions on FTP/FTPS/SSH ports to hosts outside the corporate asset inventory, unusually large or sustained sent-byte volume on those sessions, and dual-use binaries (scp.exe, sftp.exe, WinSCP.exe, rsync, openssh client) executing shortly after bulk file staging. This differs from the cloud-storage rclone/AzCopy pattern (which syncs to named SaaS cloud APIs over HTTPS) and the DNS-tunneling pattern (which hides data in the DNS protocol itself) already in this corpus by keying on standard file-transfer protocol sessions carrying their own encryption to a destination that is not a recognized corporate SFTP/backup target. APT41 and FIN13 have used scp/rsync to lift data from compromised Linux hosts, Scattered Spider affiliates have used WinSCP for SMB-network staging transfers, and Iron Tiger has used custom SSH-based exfiltration tooling. Detection requires correlating process execution of transfer clients with network session volume/destination reputation rather than payload content inspection.
MITRE ATT&CK
- Tactic
- Exfiltration
Elastic Detection Query
network where event.type == "start" and
destination.port in (22, 21, 989, 990, 2222) and
process.name : ("scp.exe", "sftp.exe", "winscp.exe", "psftp.exe", "rsync.exe", "rsync", "scp", "sftp") and
not destination.ip : ("<YOUR_CORP_SFTP_RANGE>") Detects encrypted non-C2 protocol exfiltration using Elastic ECS network events, matching outbound SSH/FTPS-port sessions initiated by file-transfer clients (scp, sftp, WinSCP, rsync) to destinations outside the corporate SFTP/backup IP range.
Data Sources
Required Tables
False Positives & Tuning
- IT/DevOps administrators using scp or rsync for legitimate backups or deployments to hosts outside the current IP range definition
- Developers using sftp to push build artifacts to vendor-hosted endpoints with business justification
Other platforms for THREAT-SFTPTunnel-EncryptedProtocolExfil
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate SFTP Bulk Exfiltration to External Loopback Endpoint
Expected signal: auditd/Sysmon-for-Linux: execve record for sftp with destination 127.0.0.1:22, followed by a network connect() event and multi-second session duration with non-trivial bytes sent.
- Test 2Simulate WinSCP/scp-style Bulk Transfer on Windows
Expected signal: Sysmon Event ID 1: scp.exe execution with source/destination path in command line. Sysmon Event ID 3: network connection to 127.0.0.1:22 with sustained SentBytes.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-SFTPTunnel-EncryptedProtocolExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month