Description
Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to a network location other than the main command and control server.(Citation: copy_cmd_cisco)
Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.
Mitigations (4)
| ID | Mitigation | Description |
|---|---|---|
| M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. |
| M1057 | Data Loss Prevention | Data loss prevention can detect and block sensitive data being sent over unencrypted protocols. |
| M1037 | Filter Network Traffic | Enforce proxies and use dedicated servers for services such as DNS, and only allow those systems to communicate over the respective ports/protocols, instead of all systems within a network. |
| M1030 | Network Segmentation | Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.(Citation: TechNet Firewall Design) |
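The description above names two patterns a defender can look for (encoded data carried in DNS subdomain labels, and bulk uploads over cleartext protocols such as FTP, TFTP, SMTP or HTTP), and the Filter Network Traffic mitigation (M1037) adds a policy check: only the dedicated DNS server should talk DNS to the outside. The script below is an added example, not part of the ATT&CK page or any vendor product, that applies those three checks to constructed sample logs. The log formats, thresholds, the internal address range and the sanctioned resolver address are all assumptions for the example; a real deployment would derive the thresholds from a baseline of its own traffic and use a public-suffix list instead of the "last two labels" approximation.

```python
import ipaddress
import math
from collections import defaultdict

# Constructed sample telemetry (not from any real environment). Assumed formats:
#   DNS log:  <timestamp> <src_ip> <qtype> <qname>
#   Flow log: <timestamp> <src_ip> <dst_ip> <dst_port> <proto> <bytes_out>
DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.15 A www.example.com
2024-05-01T10:00:02Z 10.0.0.15 A mail.example.com
2024-05-01T10:00:03Z 10.0.0.23 A mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.exfil-example.test
2024-05-01T10:00:04Z 10.0.0.23 A onswg4tfor2hk5djmnwg633vmfsgyzlnmfsgy3dpmfxgq.exfil-example.test
2024-05-01T10:00:05Z 10.0.0.23 A mzsxe4tfnyqgy3lfobwxs2lnojzsa3dpojsw2idjnbssy.exfil-example.test
2024-05-01T10:00:06Z 10.0.0.15 A cdn.example.com
"""
FLOW_LOG = """\
2024-05-01T10:01:00Z 10.0.0.15 203.0.113.10 443 tcp 12000
2024-05-01T10:01:30Z 10.0.0.23 198.51.100.7 21 tcp 48000000
2024-05-01T10:02:00Z 10.0.0.42 198.51.100.9 80 tcp 900
2024-05-01T10:02:30Z 10.0.0.23 198.51.100.7 69 udp 3000000
2024-05-01T10:03:00Z 10.0.0.23 203.0.113.53 53 udp 2500
2024-05-01T10:03:10Z 10.0.0.15 10.0.0.2 53 udp 400
"""

# Assumed, tunable thresholds; calibrate against a baseline of your own traffic.
MIN_LABEL_LEN = 30            # human-named hosts rarely have leading labels this long
MIN_LABEL_ENTROPY = 3.5       # bits per character; encoded payloads score high
MIN_SUSPECT_QUERIES = 3       # distinct long labels under one parent domain from one host
CLEARTEXT_PORTS = {21: "ftp", 25: "smtp", 69: "tftp", 80: "http"}
UPLOAD_BYTES_THRESHOLD = 10 * 1024 * 1024
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # assumed internal range
SANCTIONED_RESOLVERS = {"10.0.0.2"}                     # the dedicated DNS server (M1037)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-character strings."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_tunnel_candidates(log_text: str) -> list:
    """Flag (src_ip, parent_domain) pairs whose queries carry long, high-entropy
    leading labels. Parent domain is approximated as the last two labels."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, src, _, qname = parts
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        leading = labels[0]
        if len(leading) >= MIN_LABEL_LEN and shannon_entropy(leading) >= MIN_LABEL_ENTROPY:
            per_pair[(src, ".".join(labels[-2:]))].append(leading)
    alerts = []
    for (src, parent), labels in per_pair.items():
        if len(set(labels)) >= MIN_SUSPECT_QUERIES:
            alerts.append({"src": src, "domain": parent, "queries": len(set(labels))})
    return alerts


def flow_alerts(log_text: str) -> list:
    """Two checks over flow records: large outbound transfers to external hosts on
    cleartext protocol ports, and DNS sent anywhere but the sanctioned resolver."""
    upload_bytes = defaultdict(int)
    alerts = []
    seen_rogue_dns = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _, src, dst, port, _, nbytes = parts
        port, nbytes = int(port), int(nbytes)
        external = ipaddress.ip_address(dst) not in INTERNAL_NET
        if port == 53 and dst not in SANCTIONED_RESOLVERS and (src, dst) not in seen_rogue_dns:
            seen_rogue_dns.add((src, dst))
            alerts.append({"rule": "dns_bypass", "src": src, "dst": dst})
        if external and port in CLEARTEXT_PORTS:
            upload_bytes[(src, dst, port)] += nbytes
    for (src, dst, port), total in upload_bytes.items():
        if total >= UPLOAD_BYTES_THRESHOLD:
            alerts.append({"rule": "cleartext_upload", "src": src, "dst": dst,
                           "protocol": CLEARTEXT_PORTS[port], "bytes": total})
    return alerts


if __name__ == "__main__":
    for alert in dns_tunnel_candidates(DNS_LOG) + flow_alerts(FLOW_LOG):
        print(alert)
```

On the sample data the DNS check flags host 10.0.0.23 for three distinct encoded labels under one parent domain, and the flow check flags the same host for a 48 MB FTP upload and for querying an external resolver directly. The 3 MB TFTP transfer stays below the assumed byte threshold, which illustrates why the threshold has to be set from observed baselines rather than guessed: a per-host daily byte budget per protocol, rather than a single flow size, is the more robust form of this rule.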
Threat Groups (11)
| ID | Group | Context |
|---|---|---|
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware SierraBravo-Two generates an email message via SMTP containing information about newly ... |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used FTP to exfiltrate collected data.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| G0076 | Thrip | [Thrip](https://attack.mitre.org/groups/G0076) has used WinSCP to exfiltrate data from a targeted organization over FTP.(Citation: Symantec Thrip June... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050)'s backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets.(Citation: ESET Oce... |
| G1045 | Salt Typhoon | [Salt Typhoon](https://attack.mitre.org/groups/G1045) has exfiltrated configuration files from exploited network devices over FTP and TFTP.(Citation: ... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used FTP to exfiltrate archive files.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL S... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has exfiltrated victim information using FTP.(Citation: ESET Contagious Interview Beaver... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has exfiltrated victim information using FTP.(Citation: DFIR Ryuk's Return October 2020)(Citati... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has exfiltrated data via Microsoft Exchange and over FTP separately from its primary C2 channel over D... |
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used FTP to exfiltrate files (separately from the C2 channel).(Citation: Symantec Elfin Mar 2019) |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has sent stolen payment card data to remote servers via HTTP POSTs.(Citation: Trend Micro FIN6 October 2... |
Associated Software (22)
| ID | Name | Type | Context |
|---|---|---|---|
| S0125 | Remsec | Malware | [Remsec](https://attack.mitre.org/software/S0125) can exfiltrate data via a DNS tunnel or email, separately from its C2 channel.(Citation: Kaspersky P... |
| S0492 | CookieMiner | Malware | [CookieMiner](https://attack.mitre.org/software/S0492) has used the `curl --upload-file` command to exfiltrate data over HTTP.(Citation: Un... |
| S1043 | ccf32 | Malware | [ccf32](https://attack.mitre.org/software/S1043) can upload collected data and files to an FTP server.(Citation: Bitdefender FunnyDream Campaign Novem... |
| S1116 | WARPWIRE | Malware | [WARPWIRE](https://attack.mitre.org/software/S1116) can send captured credentials to C2 via HTTP `GET` or `POST` requests.(Citation: Mandiant Cutting ... |
| S0356 | KONNI | Malware | [KONNI](https://attack.mitre.org/software/S0356) has used FTP to exfiltrate reconnaissance data out.(Citation: Medium KONNI Jan 2020) |
| S0252 | Brave Prince | Malware | Some [Brave Prince](https://attack.mitre.org/software/S0252) variants have used South Korea's Daum email service to exfiltrate information, and later... |
| S0674 | CharmPower | Malware | [CharmPower](https://attack.mitre.org/software/S0674) can send victim data via FTP with credentials hardcoded in the script.(Citation: Check Point APT... |
| S0050 | CosmicDuke | Malware | [CosmicDuke](https://attack.mitre.org/software/S0050) exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configure... |
| S0212 | CORALDECK | Malware | [CORALDECK](https://attack.mitre.org/software/S0212) has exfiltrated data in HTTP POST headers.(Citation: FireEye APT37 Feb 2018) |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) has routines for exfiltration over SMTP, FTP, and HTTP.(Citation: Talos Agent Tesla Oct 2018)(C... |
| S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) has used [ftp](https://attack.mitre.org/software/S0095) for exfiltration.(Citation: Talos PoetRAT A... |
| S0335 | Carbon | Malware | [Carbon](https://attack.mitre.org/software/S0335) uses HTTP to send data to the C2 server.(Citation: ESET Carbon Mar 2017) |
| S0190 | BITSAdmin | Tool | [BITSAdmin](https://attack.mitre.org/software/S0190) can be used to create [BITS Jobs](https://attack.mitre.org/techniques/T1197) to upload files from... |
| S0281 | Dok | Malware | [Dok](https://attack.mitre.org/software/S0281) exfiltrates logs of its execution stored in the `/tmp` folder over FTP using the `curl`... |
| S0095 | ftp | Tool | [ftp](https://attack.mitre.org/software/S0095) may be used to exfiltrate data separate from the main command and control protocol.(Citation: Microsoft... |
| S0487 | Kessel | Malware | [Kessel](https://attack.mitre.org/software/S0487) can exfiltrate credentials and other information via HTTP POST request, TCP, and DNS.(Citation: ESET... |
| S0466 | WindTail | Malware | [WindTail](https://attack.mitre.org/software/S0466) has the ability to automatically exfiltrate files using the macOS built-in utility /usr/bin/curl.(... |
| S1228 | PUBLOAD | Malware | [PUBLOAD](https://attack.mitre.org/software/S1228) has leveraged `curl` for data exfiltration over FTP by uploading RAR archives containing targeted f... |
| S1124 | SocGholish | Malware | [SocGholish](https://attack.mitre.org/software/S1124) can exfiltrate data directly to its C2 domain via HTTP.(Citation: Red Canary SocGholish March 20... |
| S1245 | InvisibleFerret | Malware | [InvisibleFerret](https://attack.mitre.org/software/S1245) has used FTP to exfiltrate files and directories using the command `ssh_upload` which conta... |
References
- Cisco. (2022, August 16). copy - Cisco IOS Configuration Fundamentals Command Reference. Retrieved July 13, 2022.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.
Frequently Asked Questions
What is T1048.003 (Exfiltration Over Unencrypted Non-C2 Protocol)?
T1048.003 is a MITRE ATT&CK technique named 'Exfiltration Over Unencrypted Non-C2 Protocol'. It belongs to the Exfiltration tactic(s). Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network locat...
How can T1048.003 be detected?
Detection of T1048.003 (Exfiltration Over Unencrypted Non-C2 Protocol) typically involves monitoring network traffic, system logs, and endpoint telemetry for data leaving over cleartext protocols (FTP, TFTP, HTTP, SMTP, DNS) to destinations other than the established command and control channel, for example encoded data in DNS subdomain fields or bulk uploads over FTP. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1048.003?
There are 4 documented mitigations for T1048.003. Key mitigations include: Network Intrusion Prevention, Data Loss Prevention, Filter Network Traffic, Network Segmentation.
Which threat groups use T1048.003?
Known threat groups using T1048.003 include: Lazarus Group, FIN8, Thrip, APT32, Salt Typhoon, Mustang Panda, Contagious Interview, Wizard Spider.