title: Exfiltration Over Alternative Protocol (T1048)
id: df00tech-t1048
status: experimental
description: "Adversaries may steal data by exfiltrating it over a different protocol than that used for command and control. Data may be sent over FTP, SMTP, DNS, SMB, HTTP/S, or any other network protocol not serving as the primary C2 channel. Adversaries often encrypt or obfuscate these alternate channels. Common tools include curl, ftp.exe, WinSCP, and built-in OS utilities. DNS tunneling (encoding data in DNS query subdomains) is a particularly stealthy variant used by malware families like FrameworkPOS. IaaS and SaaS platforms (Exchange, SharePoint, GitHub, AWS S3) can also serve as exfiltration endpoints via cloud APIs or direct downloads."
references:
  - https://attack.mitre.org/techniques/T1048/
  - https://df00tech.com/detections/T1048
author: df00tech
date: 2026/04/16
tags:
  - attack.t1048
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators using curl or WinSCP for legitimate file transfers to managed SFTP/FTP endpoints
  - "Backup agents (Veeam, Commvault, Acronis) initiating large outbound transfers to cloud storage over non-HTTP protocols"
  - DevOps pipelines using scp/sftp/ftp in CI/CD scripts for artifact deployment or release publishing
  - Security tools and vulnerability scanners performing outbound SMTP or FTP tests as part of scheduled assessments
  - "Email clients (Outlook, Thunderbird) generating high SMTP/SMTPS traffic during mass mail campaigns or automated notifications"
level: high
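Because the `detection` block above is only a placeholder (`EventID: '*'` matches every process-creation event and must not be deployed as-is), here is an added example, written for this page and not part of the df00tech rule or its KQL/SPL query, of the kind of logic a defender would actually run to catch the DNS-tunnelling variant the description mentions: aggregate DNS queries per client and registered domain, and flag pairs with many unique, long, high-entropy subdomains. The log format, the thresholds, and the `tunnel.example` / `example.net` names are all assumptions constructed for the sample; the last-two-labels rule for the registered domain is a simplification that production code would replace with the Public Suffix List.

```python
"""Heuristic detector for DNS-tunnelling style exfiltration (ATT&CK T1048).

Added example, not part of the df00tech rule. The thresholds are assumptions
tuned for the constructed sample below and need baselining per environment
(CDNs and anti-spam lookups also produce long, random-looking labels).
"""
import math
from collections import defaultdict

# Constructed sample of DNS query logs.
# Assumed format: "<timestamp> <client_ip> <qtype> <qname>"
# 10.0.0.5 is benign browsing (one long CDN label on purpose, to show the
# per-domain aggregation does not flag a single odd name);
# 10.0.0.7 issues a burst of hex-encoded chunks to one domain.
SAMPLE_LOG = """\
2026-04-16T10:00:01Z 10.0.0.5 A www.example.com
2026-04-16T10:00:02Z 10.0.0.5 A mail.example.com
2026-04-16T10:00:03Z 10.0.0.5 A d3k2j9f7a1b4c8e6.cdn.example.net
2026-04-16T10:00:04Z 10.0.0.7 A 0123456789abcdef0123456789abcdef.tunnel.example
2026-04-16T10:00:05Z 10.0.0.7 A 123456789abcdef0123456789abcdef0.tunnel.example
2026-04-16T10:00:06Z 10.0.0.7 A 23456789abcdef0123456789abcdef01.tunnel.example
2026-04-16T10:00:07Z 10.0.0.7 A 3456789abcdef0123456789abcdef012.tunnel.example
2026-04-16T10:00:08Z 10.0.0.7 A 456789abcdef0123456789abcdef0123.tunnel.example
2026-04-16T10:00:09Z 10.0.0.7 A 56789abcdef0123456789abcdef01234.tunnel.example
2026-04-16T10:00:10Z 10.0.0.7 A www.example.com
"""

# Assumed thresholds (all three must hold for a (client, domain) pair).
MIN_UNIQUE_SUBDOMAINS = 5   # many distinct labels under one domain
MIN_AVG_SUBDOMAIN_LEN = 24  # characters, dots removed
MIN_AVG_ENTROPY = 3.0       # bits per character; English hostnames sit well below


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain labels joined without dots, registered domain).

    Simplification: the last two labels are taken as the registered domain.
    Real deployments should use the Public Suffix List (e.g. co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return "".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (timestamp, client, qtype, qname) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield tuple(parts)


def detect_dns_tunnelling(log_text: str) -> dict:
    """Aggregate queries per (client, registered domain) and return the pairs
    whose unique-subdomain count, mean length and mean entropy all exceed the
    thresholds, together with the computed features for triage."""
    subs = defaultdict(set)
    for _, client, _, qname in parse_log(log_text):
        sub, dom = split_qname(qname)
        if sub:  # bare registered domains carry no encoded payload
            subs[(client, dom)].add(sub)

    findings = {}
    for key, subset in subs.items():
        n = len(subset)
        avg_len = sum(len(s) for s in subset) / n
        avg_ent = sum(shannon_entropy(s) for s in subset) / n
        if (n >= MIN_UNIQUE_SUBDOMAINS
                and avg_len >= MIN_AVG_SUBDOMAIN_LEN
                and avg_ent >= MIN_AVG_ENTROPY):
            findings[key] = {
                "unique_subdomains": n,
                "avg_len": round(avg_len, 2),
                "avg_entropy": round(avg_ent, 2),
            }
    return findings


if __name__ == "__main__":
    for (client, domain), features in detect_dns_tunnelling(SAMPLE_LOG).items():
        print(f"T1048 DNS tunnelling candidate: {client} -> {domain} {features}")
```

On the sample this flags only `10.0.0.7 -> tunnel.example`; the single long CDN label from `10.0.0.5` is not flagged because it never reaches the unique-subdomain threshold. That aggregation step is what keeps the false-positive categories listed above (backup agents, CI/CD transfers, mail clients) from tripping a DNS heuristic, but the thresholds still need tuning against a baseline of the environment's own resolver logs.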
