# T1048 Exfiltration Over Alternative Protocol

-----------------------------------------------------------------------

## Technique Description

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.  

Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. 

[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux <code>curl</code> may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) 

## Technique Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)

-----------------------------------------------------------------------

### Tactics:

  *   Exfiltration

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **File:** File Access

  * **Network Traffic:** Network Connection Creation

  * **Network Traffic:** Network Traffic Flow

  * **Command:** Command Execution

  * **Network Traffic:** Network Traffic Content

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1048)

  * [Palo Alto Oilrig Oct 2016](http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/), Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.

  * [20 Macos Common Tools And Techniques](https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/), Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.

  * [University Of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will steal data by exfiltrating it over a different protocol than that of the existing command and control channel.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### APT29
- CosmicDuke (APT29) exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers.

#### Turla
- Carbon (second-stage backdoor used by Turla) uses HTTP to send data to the C2 server.

## Detection Blindspots

- Information Here

## Analytical References

  * [Atomic Red Team T1048 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md)
  * [Atomic Red Team T1048.003 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md)
  * [Carbon Paper Peering Turlas Second Stage Backdoor (welivesecurity)](https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
- This is primarily a network technique and operators should understand that detection will most likely come from a network analyst.

#### Analytic 1

  * **Information:** Use of an alternate protocol may be identified from contextual behavior (which process opened the connection, and to which port and destination) rather than from any single event.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:**

  * **Query:** ```event.code : (5156 or 3 or 4688)```
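The host-side hunt above boils down to: build a baseline of which executables normally open network connections (Sysmon Event ID 3), then flag connections from executables with no such history and pull parent-process context from 4688 / Sysmon Event ID 1. The following is an added example for this playbook, not code from MITRE or any vendor; it assumes events already normalised to ECS-style field names as winlogbeat ships Sysmon and Security-log events (`event.code`, `process.executable`, `process.parent.executable`, `destination.ip`, `destination.port`), and every record below is constructed.

```python
"""Flag network connections from executables with no baseline history.

Added example for this hunt playbook (not MITRE or vendor code). Field
names follow ECS as winlogbeat maps Sysmon / Security events (assumption);
all sample records are constructed.
"""
from collections import Counter

# Baseline window: Sysmon EID 3 (network connection) events from a quiet period.
BASELINE_EVENTS = [
    {"event.code": "3", "host": "WS01",
     "process.executable": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "destination.ip": "203.0.113.10", "destination.port": 443},
    {"event.code": "3", "host": "WS01",
     "process.executable": r"C:\Windows\System32\svchost.exe",
     "destination.ip": "10.0.0.2", "destination.port": 53},
    {"event.code": "3", "host": "WS01",
     "process.executable": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "destination.ip": "10.0.0.3", "destination.port": 443},
]

# Hunt window: EID 3 network events mixed with 4688 / EID 1 process creations.
HUNT_EVENTS = [
    {"event.code": "3", "host": "WS01",
     "process.executable": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "destination.ip": "203.0.113.10", "destination.port": 443},
    {"event.code": "4688", "host": "WS01",
     "process.executable": r"C:\Windows\System32\ftp.exe",
     "process.parent.executable": r"C:\Windows\System32\cmd.exe"},
    {"event.code": "3", "host": "WS01",
     "process.executable": r"C:\Windows\System32\ftp.exe",
     "destination.ip": "203.0.113.20", "destination.port": 21},
    {"event.code": "3", "host": "WS01",
     "process.executable": r"C:\Windows\System32\svchost.exe",
     "destination.ip": "10.0.0.2", "destination.port": 53},
]


def network_baseline(events):
    """Set of (host, executable) pairs seen opening connections in the baseline window."""
    return {(e["host"], e["process.executable"].lower())
            for e in events if e["event.code"] == "3"}


def unseen_network_processes(events, baseline):
    """EID 3 events whose (host, executable) never made a connection during the baseline."""
    return [e for e in events
            if e["event.code"] == "3"
            and (e["host"], e["process.executable"].lower()) not in baseline]


def parent_context(events, executable):
    """Parent recorded by 4688 / Sysmon EID 1 for the executable, or None if not logged."""
    for e in events:
        if e["event.code"] in ("1", "4688") and e["process.executable"].lower() == executable.lower():
            return e.get("process.parent.executable")
    return None


def destination_ports(events):
    """Count destination ports across flagged events; FTP/SMTP/DNS-style ports stand out."""
    return Counter(e["destination.port"] for e in events)


if __name__ == "__main__":
    baseline = network_baseline(BASELINE_EVENTS)
    for hit in unseen_network_processes(HUNT_EVENTS, baseline):
        parent = parent_context(HUNT_EVENTS, hit["process.executable"])
        print(f"{hit['host']}: {hit['process.executable']} -> "
              f"{hit['destination.ip']}:{hit['destination.port']} (parent: {parent})")
```

In Kibana the same triage is done by hand: filter to `event.code : 3`, aggregate on `process.executable`, and compare against the same aggregation over an earlier window; the parent lookup corresponds to pivoting from the flagged image to its `event.code : 4688` record.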


-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
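The two network checks named in the technique description and repeated in the hunter note above (a client sending far more than it receives, and traffic that does not match the protocol expected on the port) are easy to apply to connection summaries. The block below is an added example for this playbook, not code from MITRE, Arkime or Zeek; it assumes flow records shaped like Zeek `conn.log` fields (`orig_bytes`, `resp_bytes`, destination port, `service`), and the sample flows and the threshold values are constructed.

```python
"""Flag candidate exfiltration flows from per-connection summaries.

Added example for this hunt playbook (not MITRE or vendor code). Records
mimic Zeek conn.log fields (assumption); sample flows are constructed.
"""
from collections import defaultdict

# Constructed connection summaries, one per flow.
SAMPLE_FLOWS = [
    {"uid": "f1", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "service": "ssl", "orig_bytes": 12_000, "resp_bytes": 450_000},
    {"uid": "f2", "src": "10.0.0.5", "dst": "203.0.113.20", "dport": 21,
     "service": "ftp", "orig_bytes": 180_000_000, "resp_bytes": 9_000},
    {"uid": "f3", "src": "10.0.0.7", "dst": "198.51.100.9", "dport": 53,
     "service": "dns", "orig_bytes": 2_400_000, "resp_bytes": 90_000},
    {"uid": "f4", "src": "10.0.0.9", "dst": "198.51.100.4", "dport": 443,
     "service": "ssh", "orig_bytes": 30_000, "resp_bytes": 25_000},
    {"uid": "f5", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "service": "ssl", "orig_bytes": 5_000, "resp_bytes": 80_000},
]

# Application protocol expected on each well-known server port. A mismatch
# (e.g. SSH observed on 443) is the "does not follow the expected protocol
# behavior for the port" condition from the technique description.
EXPECTED_SERVICE = {21: "ftp", 22: "ssh", 25: "smtp", 53: "dns",
                    80: "http", 443: "ssl", 445: "smb"}


def flag_asymmetric_flows(flows, ratio=10.0, min_out_bytes=1_000_000):
    """uids of flows where the client sends at least `ratio` times what it receives.

    `min_out_bytes` keeps small chatty flows (keepalives, DNS lookups) out of
    the result; both thresholds are constructed starting points, to be tuned
    against the environment's own traffic.
    """
    hits = []
    for f in flows:
        out_b, in_b = f["orig_bytes"], f["resp_bytes"]
        if out_b >= min_out_bytes and out_b >= ratio * max(in_b, 1):
            hits.append(f["uid"])
    return hits


def flag_port_service_mismatch(flows):
    """uids where the identified service differs from what the port should carry."""
    return [f["uid"] for f in flows
            if f["dport"] in EXPECTED_SERVICE
            and f["service"] != EXPECTED_SERVICE[f["dport"]]]


def per_host_upload_totals(flows):
    """Total bytes sent per source host, so a single heavy uploader stands out."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["orig_bytes"]
    return dict(totals)


if __name__ == "__main__":
    print("asymmetric flows:", flag_asymmetric_flows(SAMPLE_FLOWS))
    print("port/service mismatch:", flag_port_service_mismatch(SAMPLE_FLOWS))
    print("upload totals by host:", per_host_upload_totals(SAMPLE_FLOWS))
```

The asymmetry check is ratio-based rather than absolute so that a large but normal download does not fire, and the per-host aggregation matters because an exfiltration session is often split across many medium-sized connections that individually sit under any single-flow threshold.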

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```
