Exfiltration Over Alternative Protocol

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels.

ID: T1639
Sub-techniques: T1639.001
Tactic Type: Post-Adversary Device Access
Tactic: Exfiltration
Platforms: Android, iOS
MTC ID: APP-30
Version: 1.1
Created: 06 April 2022
Last Modified: 14 August 2023

Procedure Examples

ID     Name      Description
S1056  TianySpy  TianySpy can exfiltrate collected user data, including credentials and authorized cookies, via email.[1]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Exfiltration Over Alternative Protocol can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
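One heuristic that network defenders can still apply is a per-device protocol baseline: learn which application protocols a managed device normally speaks and how much it normally sends over each, then flag flows in a later window that use a protocol the device has never used or that push far more data than the baseline. The following is an added example written for this page, not MITRE's own code or tooling; the `Flow` record, the `PORT_TO_PROTO` labelling table, the device identifiers and the sample flow records are all constructed assumptions standing in for what an MDM gateway, VPN concentrator or flow exporter would actually provide.

```python
"""Baseline-deviation heuristic for exfiltration over a protocol a device does
not normally use. Added example; the flow schema and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed port-to-protocol labelling. A flow exporter with application
# identification would normally supply this field directly.
PORT_TO_PROTO = {21: "ftp", 25: "smtp", 465: "smtp", 587: "smtp", 53: "dns",
                 80: "http", 443: "https", 445: "smb"}


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since epoch
    device: str      # mobile device identifier as reported by the gateway (assumed)
    dst: str         # destination host or IP
    dport: int       # destination port
    bytes_out: int   # bytes sent by the device in this flow


def proto_of(flow: Flow) -> str:
    """Map a flow to an application-protocol label, falling back to the raw port."""
    return PORT_TO_PROTO.get(flow.dport, f"tcp/{flow.dport}")


def build_baseline(flows, cutoff):
    """Per device: protocols seen before `cutoff` and the largest single-flow
    egress observed for each of them."""
    baseline = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.ts < cutoff:
            p = proto_of(f)
            baseline[f.device][p] = max(baseline[f.device][p], f.bytes_out)
    return baseline


def detect(flows, cutoff, volume_factor=10):
    """Return (device, protocol, destination, reason) tuples for flows at or
    after `cutoff` that use a protocol absent from the device's baseline, or
    that exceed `volume_factor` times the device's largest baseline flow on
    that protocol."""
    baseline = build_baseline(flows, cutoff)
    alerts = []
    for f in flows:
        if f.ts < cutoff:
            continue
        p = proto_of(f)
        known = baseline.get(f.device, {})
        if p not in known:
            alerts.append((f.device, p, f.dst, "new_protocol"))
        elif f.bytes_out > volume_factor * known[p]:
            alerts.append((f.device, p, f.dst, "egress_volume"))
    return alerts


# Constructed sample data: a learning window before CUTOFF, a detection window after.
CUTOFF = 1_700_000_000
SAMPLE_FLOWS = [
    Flow(CUTOFF - 3600, "phone-01", "api.example.com", 443, 12_000),
    Flow(CUTOFF - 3500, "phone-01", "cdn.example.com", 443, 30_000),
    Flow(CUTOFF - 3400, "phone-01", "10.0.0.53", 53, 90),
    Flow(CUTOFF - 3300, "phone-02", "api.example.com", 443, 8_000),
    Flow(CUTOFF - 3200, "phone-02", "mail.example.com", 587, 15_000),  # phone-02 normally uses mail
    Flow(CUTOFF + 60, "phone-01", "api.example.com", 443, 15_000),     # ordinary HTTPS, no alert
    Flow(CUTOFF + 120, "phone-01", "mail.example.net", 25, 250_000),   # SMTP never seen from phone-01
    Flow(CUTOFF + 180, "phone-01", "10.0.0.53", 53, 48_000),           # DNS egress far above baseline
    Flow(CUTOFF + 240, "phone-02", "mail.example.com", 587, 20_000),   # SMTP is in phone-02's baseline
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS, CUTOFF):
        print(alert)
```

On the constructed data the detector raises exactly two alerts, both for `phone-01`: the SMTP flow (a protocol the device had not used) and the oversized DNS flow. The mail client on `phone-02` is not flagged because SMTP is part of its baseline, which is the point of keeping the baseline per device rather than fleet-wide. The heuristic is noisy by design and only surfaces candidates for triage; it does not see inside encrypted channels, and a device that already uses the chosen protocol legitimately will not trip the new-protocol rule, which is consistent with the page's note that detection at other stages is often more productive.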

References