Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-SFTPTunnel-EncryptedProtocolExfil.
Upgrade to ProDetect Data Exfiltration Over Encrypted Non-C2 Protocol (SFTP/FTPS/rsync-over-SSH) in Sumo Logic CSE
Rather than tunneling stolen data through an existing C2 channel, some adversaries and insiders establish a separate, self-encrypted protocol session (SFTP, FTPS, rsync-over-SSH, scp) directly to an attacker-controlled or personal-cloud endpoint to move bulk data out. Because the session is encrypted at the protocol layer (SSH or TLS) rather than relying on the C2 implant's own crypto, payload inspection at the proxy is blind — the only visible signals are connection metadata: outbound sessions on FTP/FTPS/SSH ports to hosts outside the corporate asset inventory, unusually large or sustained sent-byte volume on those sessions, and dual-use binaries (scp.exe, sftp.exe, WinSCP.exe, rsync, openssh client) executing shortly after bulk file staging. This differs from the cloud-storage rclone/AzCopy pattern (which syncs to named SaaS cloud APIs over HTTPS) and the DNS-tunneling pattern (which hides data in the DNS protocol itself) already in this corpus by keying on standard file-transfer protocol sessions carrying their own encryption to a destination that is not a recognized corporate SFTP/backup target. APT41 and FIN13 have used scp/rsync to lift data from compromised Linux hosts, Scattered Spider affiliates have used WinSCP for SMB-network staging transfers, and Iron Tiger has used custom SSH-based exfiltration tooling. Detection requires correlating process execution of transfer clients with network session volume/destination reputation rather than payload content inspection.
MITRE ATT&CK
- Tactic
- Exfiltration
Sumo Detection Query
_sourceCategory=*sysmon* OR _sourceCategory=*netflow*
| where DestinationPort in (22, 21, 989, 990, 2222)
| where (Image matches "*scp.exe" or Image matches "*sftp.exe" or Image matches "*winscp.exe" or Image matches "*rsync*")
| stats count as SessionCount, sum(SentBytes) as TotalBytesSent by ComputerName, User, Image, DestinationIp, DestinationPort
| where TotalBytesSent > 50000000 or SessionCount > 3
| sort - TotalBytesSent Sumo Logic search aggregating Sysmon/netflow events for encrypted file-transfer client sessions on SSH/FTPS ports, surfacing hosts and destinations exceeding volume or session-count thresholds indicative of bulk exfiltration.
Data Sources
Required Tables
False Positives & Tuning
- Authorized IT backup jobs using scp/rsync/sftp to hosts not yet in an internal allowlist
Other platforms for THREAT-SFTPTunnel-EncryptedProtocolExfil
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate SFTP Bulk Exfiltration to External Loopback Endpoint
Expected signal: auditd/Sysmon-for-Linux: execve record for sftp with destination 127.0.0.1:22, followed by a network connect() event and multi-second session duration with non-trivial bytes sent.
- Test 2Simulate WinSCP/scp-style Bulk Transfer on Windows
Expected signal: Sysmon Event ID 1: scp.exe execution with source/destination path in command line. Sysmon Event ID 3: network connection to 127.0.0.1:22 with sustained SentBytes.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-SFTPTunnel-EncryptedProtocolExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month