Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-SFTPTunnel-EncryptedProtocolExfil.
Upgrade to ProDetect Data Exfiltration Over Encrypted Non-C2 Protocol (SFTP/FTPS/rsync-over-SSH) in IBM QRadar
Rather than tunneling stolen data through an existing C2 channel, some adversaries and insiders establish a separate, self-encrypted protocol session (SFTP, FTPS, rsync-over-SSH, scp) directly to an attacker-controlled or personal-cloud endpoint to move bulk data out. Because the session is encrypted at the protocol layer (SSH or TLS) rather than relying on the C2 implant's own crypto, payload inspection at the proxy is blind — the only visible signals are connection metadata: outbound sessions on FTP/FTPS/SSH ports to hosts outside the corporate asset inventory, unusually large or sustained sent-byte volume on those sessions, and dual-use binaries (scp.exe, sftp.exe, WinSCP.exe, rsync, openssh client) executing shortly after bulk file staging. This differs from the cloud-storage rclone/AzCopy pattern (which syncs to named SaaS cloud APIs over HTTPS) and the DNS-tunneling pattern (which hides data in the DNS protocol itself) already in this corpus by keying on standard file-transfer protocol sessions carrying their own encryption to a destination that is not a recognized corporate SFTP/backup target. APT41 and FIN13 have used scp/rsync to lift data from compromised Linux hosts, Scattered Spider affiliates have used WinSCP for SMB-network staging transfers, and Iron Tiger has used custom SSH-based exfiltration tooling. Detection requires correlating process execution of transfer clients with network session volume/destination reputation rather than payload content inspection.
MITRE ATT&CK
- Tactic
- Exfiltration
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
hostname AS Hostname,
username AS User,
"Process Name" AS ProcessName,
destinationip AS DestinationIp,
destinationport AS DestinationPort,
SUM(bytessent) AS TotalBytesSent
FROM events
WHERE
destinationport IN (22, 21, 989, 990, 2222)
AND LOWER("Process Name") IN ('scp.exe', 'sftp.exe', 'winscp.exe', 'psftp.exe', 'rsync.exe', 'rsync', 'scp', 'sftp')
AND starttime > NOW() - 86400000
GROUP BY hostname, username, "Process Name", destinationip, destinationport
HAVING SUM(bytessent) > 50000000
ORDER BY TotalBytesSent DESC
LIMIT 500 QRadar AQL query detecting bulk data transfers over encrypted non-C2 protocols by aggregating network events on SSH/FTPS ports initiated by known file-transfer client process names, filtering for sessions exceeding a 50MB sent-byte threshold.
Data Sources
Required Tables
False Positives & Tuning
- Approved backup or deployment automation using scp/rsync/sftp under service accounts not yet whitelisted
- Large but legitimate developer artifact transfers to vendor SFTP endpoints
Other platforms for THREAT-SFTPTunnel-EncryptedProtocolExfil
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate SFTP Bulk Exfiltration to External Loopback Endpoint
Expected signal: auditd/Sysmon-for-Linux: execve record for sftp with destination 127.0.0.1:22, followed by a network connect() event and multi-second session duration with non-trivial bytes sent.
- Test 2Simulate WinSCP/scp-style Bulk Transfer on Windows
Expected signal: Sysmon Event ID 1: scp.exe execution with source/destination path in command line. Sysmon Event ID 3: network connection to 127.0.0.1:22 with sustained SentBytes.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-SFTPTunnel-EncryptedProtocolExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month