Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-SFTPTunnel-EncryptedProtocolExfil.

Upgrade to Pro
THREAT-SFTPTunnel-EncryptedProtocolExfil Splunk · SPL

Detect Data Exfiltration Over Encrypted Non-C2 Protocol (SFTP/FTPS/rsync-over-SSH) in Splunk

Rather than tunneling stolen data through an existing C2 channel, some adversaries and insiders establish a separate, self-encrypted protocol session (SFTP, FTPS, rsync-over-SSH, scp) directly to an attacker-controlled or personal-cloud endpoint to move bulk data out. Because the session is encrypted at the protocol layer (SSH or TLS) rather than relying on the C2 implant's own crypto, payload inspection at the proxy is blind — the only visible signals are connection metadata: outbound sessions on FTP/FTPS/SSH ports to hosts outside the corporate asset inventory, unusually large or sustained sent-byte volume on those sessions, and dual-use binaries (scp.exe, sftp.exe, WinSCP.exe, rsync, openssh client) executing shortly after bulk file staging. This differs from the cloud-storage rclone/AzCopy pattern (which syncs to named SaaS cloud APIs over HTTPS) and the DNS-tunneling pattern (which hides data in the DNS protocol itself) already in this corpus by keying on standard file-transfer protocol sessions carrying their own encryption to a destination that is not a recognized corporate SFTP/backup target. APT41 and FIN13 have used scp/rsync to lift data from compromised Linux hosts, Scattered Spider affiliates have used WinSCP for SMB-network staging transfers, and Iron Tiger has used custom SSH-based exfiltration tooling. Detection requires correlating process execution of transfer clients with network session volume/destination reputation rather than payload content inspection.

MITRE ATT&CK

Tactic
Exfiltration

SPL Detection Query

Splunk (SPL)
spl
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  Image IN ("*\\scp.exe", "*\\sftp.exe", "*\\winscp.exe", "*\\psftp.exe", "*\\rsync.exe")
| rename Image AS TransferImage, CommandLine AS TransferCommandLine, _time AS ProcTime
| join type=inner host, User
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
    DestinationPort IN (22,21,989,990,2222)
    | eval NetTime=_time
    | table host, User, DestinationIp, DestinationPort, DestinationHostname, NetTime ]
| eval TimeDeltaMin=abs((NetTime - ProcTime)/60)
| where TimeDeltaMin <= 30
| lookup corp_sftp_allowlist DestinationHostname OUTPUT is_corp
| where isnull(is_corp)
| stats count AS SessionCount, values(TransferCommandLine) AS Commands, earliest(ProcTime) AS FirstSeen, latest(NetTime) AS LastSeen
  BY host, User, TransferImage, DestinationHostname, DestinationPort
| where SessionCount > 3
| eval ThreatType="Exfil_EncryptedProtocolTransfer"
| eval RiskScore=if(SessionCount > 10, 85, 65)
| sort - RiskScore, - SessionCount
high severity medium confidence

SPL detection joining Sysmon process creation events for encrypted file-transfer clients (scp, sftp, WinSCP, rsync) with Sysmon network connection events on SSH/FTPS ports within a 30-minute window, then filtering out destinations present in a corporate SFTP allowlist lookup. Repeated sessions (>3) to an unrecognized external host are flagged as likely exfiltration since the transport encryption defeats payload inspection.

Data Sources

Sysmon via Windows Event LogSSH/FTP server audit logs

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Authorized IT backup or deployment jobs using scp/rsync to hosts not yet in the corp_sftp_allowlist lookup
  • Developers pushing artifacts to vendor-hosted SFTP endpoints with business justification

Other platforms for THREAT-SFTPTunnel-EncryptedProtocolExfil


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate SFTP Bulk Exfiltration to External Loopback Endpoint

    Expected signal: auditd/Sysmon-for-Linux: execve record for sftp with destination 127.0.0.1:22, followed by a network connect() event and multi-second session duration with non-trivial bytes sent.

  2. Test 2Simulate WinSCP/scp-style Bulk Transfer on Windows

    Expected signal: Sysmon Event ID 1: scp.exe execution with source/destination path in command line. Sysmon Event ID 3: network connection to 127.0.0.1:22 with sustained SentBytes.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-SFTPTunnel-EncryptedProtocolExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections