Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-SFTPTunnel-EncryptedProtocolExfil.

Upgrade to Pro
THREAT-SFTPTunnel-EncryptedProtocolExfil CrowdStrike LogScale · LogScale

Detect Data Exfiltration Over Encrypted Non-C2 Protocol (SFTP/FTPS/rsync-over-SSH) in CrowdStrike LogScale

Rather than tunneling stolen data through an existing C2 channel, some adversaries and insiders establish a separate, self-encrypted protocol session (SFTP, FTPS, rsync-over-SSH, scp) directly to an attacker-controlled or personal-cloud endpoint to move bulk data out. Because the session is encrypted at the protocol layer (SSH or TLS) rather than relying on the C2 implant's own crypto, payload inspection at the proxy is blind — the only visible signals are connection metadata: outbound sessions on FTP/FTPS/SSH ports to hosts outside the corporate asset inventory, unusually large or sustained sent-byte volume on those sessions, and dual-use binaries (scp.exe, sftp.exe, WinSCP.exe, rsync, openssh client) executing shortly after bulk file staging. This differs from the cloud-storage rclone/AzCopy pattern (which syncs to named SaaS cloud APIs over HTTPS) and the DNS-tunneling pattern (which hides data in the DNS protocol itself) already in this corpus by keying on standard file-transfer protocol sessions carrying their own encryption to a destination that is not a recognized corporate SFTP/backup target. APT41 and FIN13 have used scp/rsync to lift data from compromised Linux hosts, Scattered Spider affiliates have used WinSCP for SMB-network staging transfers, and Iron Tiger has used custom SSH-based exfiltration tooling. Detection requires correlating process execution of transfer clients with network session volume/destination reputation rather than payload content inspection.

MITRE ATT&CK

Tactic
Exfiltration

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql
#event_simpleName=NetworkConnectIP4
| RemotePort=/^(22|21|989|990|2222)$/
| ImageFileName=/(?i)(scp|sftp|winscp|psftp|rsync)(\.exe)?$/
| groupBy([ComputerName, UserName, ImageFileName, RemoteAddressIP4, RemotePort], function=[count(as=SessionCount), sum(field=BytesSent, as=TotalBytesSent)])
| test(TotalBytesSent > 50000000 || SessionCount > 3)
high severity medium confidence

CrowdStrike LogScale query identifying encrypted non-C2 protocol exfiltration by matching network connections on SSH/FTPS ports from known file-transfer client processes, grouped by host/user/destination and filtered for high-volume or repeated sessions.

Data Sources

CrowdStrike Falcon (NetworkConnectIP4 events)CrowdStrike LogScale

Required Tables

NetworkConnectIP4

False Positives & Tuning

  • Approved backup or deployment automation using scp/rsync/sftp under recognized service accounts

Other platforms for THREAT-SFTPTunnel-EncryptedProtocolExfil


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate SFTP Bulk Exfiltration to External Loopback Endpoint

    Expected signal: auditd/Sysmon-for-Linux: execve record for sftp with destination 127.0.0.1:22, followed by a network connect() event and multi-second session duration with non-trivial bytes sent.

  2. Test 2Simulate WinSCP/scp-style Bulk Transfer on Windows

    Expected signal: Sysmon Event ID 1: scp.exe execution with source/destination path in command line. Sysmon Event ID 3: network connection to 127.0.0.1:22 with sustained SentBytes.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-SFTPTunnel-EncryptedProtocolExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections