T1048 (Exfiltration tactic), hard difficulty

Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol (T1048) is a MITRE ATT&CK technique in the Exfiltration tactic. SOC analysts detect it by monitoring firewall and SIEM telemetry for the behavioral anomalies and specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

Tools: Firewall, SIEM

What is Exfiltration Over Alternative Protocol?

Adversaries may steal data by exfiltrating it over a protocol different from the one used for command and control, often to a destination other than the C2 server. Alternative protocols include FTP, SFTP, DNS, SMTP, ICMP, and HTTPS. Adversaries choose an alternative protocol to sidestep data loss prevention controls that inspect only specific protocols, or to gain a high-bandwidth channel for faster theft. Email-based exfiltration sends data as attachments to external accounts. FTP and cloud storage exfiltration uses legitimate file transfer and file sharing services to blend in with authorized traffic. DNS-based exfiltration encodes data in DNS query names to bypass controls that block direct file transfers; each query carries only a few dozen bytes, so the channel is slow, but it works from networks where almost nothing else is allowed out.

Exfiltration Over Alternative Protocol is documented as technique T1048 in the MITRE ATT&CK knowledge base under the Exfiltration tactic. Detecting it requires visibility into firewall and SIEM telemetry, in particular outbound connection logs that record destination, port, application and bytes sent.

Detection Strategies

The following detection strategies help SOC analysts identify Exfiltration Over Alternative Protocol activity. These methods apply across firewall and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Monitor for outbound FTP, SFTP, and SCP connections from systems that have no legitimate reason to transfer files to external destinations, particularly connections to IP ranges associated with commercial hosting providers.

2. Alert on large volumes of data sent by email to external addresses, particularly compressed or encrypted attachments, using email DLP policies and attachment size thresholds.

3. Detect DNS-based exfiltration by analyzing per-endpoint query volume, subdomain length and entropy, and the total bytes carried in query names. Encoded payloads produce long, high-entropy labels that are never repeated, a statistical signature that normal name resolution does not have.

4. Monitor cloud storage API usage for bulk uploads to personal accounts or unapproved cloud services, including OneDrive, Dropbox, Google Drive, and Mega, from corporate endpoints.

5. Implement egress filtering to block unauthorized use of alternative protocols for data transfer, combined with monitoring of allowed protocols for volume anomalies that may indicate data theft.

Example Alerts

These realistic alert examples show what Exfiltration Over Alternative Protocol looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Severity: High | Source: Firewall

Large Data Upload to Personal Cloud Storage

Proxy logs detected 23GB uploaded to dropbox.com from workstation WS-HR-019 over 4 hours using a personal Dropbox account not affiliated with the company. The upload contains compressed archives of files collected from corporate network shares. The volume and file sources do not match any legitimate business use case. Corporate policy prohibits uploading company data to personal cloud storage accounts.

Severity: Critical | Source: Firewall

Unauthorized FTP Transfer of Sensitive Data

Firewall alert: outbound FTP connection from database server DB-PROD-01 to external IP 193.32.127.51 on port 21 transferring 4.2GB. Database servers should not initiate outbound FTP connections as this is not a normal operational pattern. The transferred data includes compressed database export files created 15 minutes before the FTP session. The destination IP is not an authorized data transfer partner.
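The following is an added example, not SOCSimulator's or any vendor's code, that runs detection strategies 1, 4 and 5 above over a handful of constructed firewall/proxy log lines modeled on the two alerts above. The log format, host roles, cloud storage domain list, thresholds and egress baselines are all assumptions for illustration; only the hostnames and the FTP destination come from the alerts.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall/proxy export (not a real vendor format):
# ts,src_host,src_role,dst_host,dst_ip,dst_port,app,bytes_sent
# Hostnames and the FTP destination mirror the alerts above; the other
# external addresses are documentation ranges used purely as sample data.
FIREWALL_LOGS = """\
2024-05-01T09:00:01,WS-HR-019,workstation,dropbox.com,198.51.100.20,443,ssl,9000000000
2024-05-01T10:15:42,WS-HR-019,workstation,dropbox.com,198.51.100.20,443,ssl,8000000000
2024-05-01T12:30:12,WS-HR-019,workstation,dropbox.com,198.51.100.20,443,ssl,7000000000
2024-05-01T09:12:00,WS-ENG-004,workstation,files.corp.internal,10.20.1.5,22,ssh,300000000
2024-05-01T02:40:03,DB-PROD-01,database,-,193.32.127.51,21,ftp,4200000000
2024-05-01T08:00:00,XFER-01,transfer,sftp.partner.example,203.0.113.10,22,ssh,1500000000
2024-05-01T11:00:00,WS-FIN-002,workstation,www.example.com,203.0.113.80,443,ssl,120000
"""

# Assumed policy and baselines; tune these per environment.
FILE_TRANSFER_APPS = {"ftp", "sftp", "scp", "ssh"}   # ssh covers SFTP/SCP as most firewalls label them
ROLES_ALLOWED_EXTERNAL_TRANSFER = {"transfer"}       # only managed transfer hosts may push files out
CLOUD_STORAGE_DOMAINS = {"dropbox.com", "onedrive.live.com", "drive.google.com", "mega.nz"}
CLOUD_UPLOAD_THRESHOLD = 5 * 1024 ** 3               # 5 GiB per host per day
VOLUME_MULTIPLIER = 10                               # alert at 10x the host's daily baseline
DAILY_EGRESS_BASELINE = {                            # assumed 30-day p95 of bytes sent externally
    "DB-PROD-01": 50_000_000, "WS-HR-019": 200_000_000, "XFER-01": 2_000_000_000,
    "WS-FIN-002": 100_000_000, "WS-ENG-004": 100_000_000,
}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """Explicit RFC 1918 / loopback / link-local check. Deliberately not
    ipaddress's is_private, which also treats the 198.51.100.0/24 and
    203.0.113.0/24 documentation ranges used as stand-in public IPs here as internal."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_logs(text: str):
    fields = ("ts", "src_host", "src_role", "dst_host", "dst_ip", "dst_port", "app", "bytes_sent")
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split(",")))
        rec["dst_port"] = int(rec["dst_port"])
        rec["bytes_sent"] = int(rec["bytes_sent"])
        records.append(rec)
    return records


def detect_unauthorized_file_transfer(records):
    """Strategy 1: a file-transfer protocol to an external host from a role that never does that."""
    return [("unauthorized_file_transfer", r["src_host"],
             f'{r["app"]} to {r["dst_ip"]}:{r["dst_port"]}, {r["bytes_sent"]} bytes')
            for r in records
            if r["app"] in FILE_TRANSFER_APPS and is_external(r["dst_ip"])
            and r["src_role"] not in ROLES_ALLOWED_EXTERNAL_TRANSFER]


def detect_bulk_cloud_upload(records):
    """Strategy 4: bytes sent to cloud storage, summed per host per day, against a threshold."""
    totals = defaultdict(int)
    for r in records:
        if r["dst_host"] in CLOUD_STORAGE_DOMAINS:
            totals[(r["src_host"], r["ts"][:10])] += r["bytes_sent"]
    return [("bulk_cloud_upload", host, f"{total} bytes to cloud storage on {day}")
            for (host, day), total in totals.items() if total >= CLOUD_UPLOAD_THRESHOLD]


def detect_volume_anomaly(records, baseline=DAILY_EGRESS_BASELINE):
    """Strategy 5: total external egress per host versus its baseline, whatever the protocol."""
    totals = defaultdict(int)
    for r in records:
        if is_external(r["dst_ip"]):
            totals[r["src_host"]] += r["bytes_sent"]
    return [("egress_volume_anomaly", host,
             f"{total} bytes sent externally vs baseline {baseline[host]}")
            for host, total in totals.items()
            if host in baseline and total > VOLUME_MULTIPLIER * baseline[host]]


def run_all(log_text: str = FIREWALL_LOGS):
    records = parse_logs(log_text)
    return (detect_unauthorized_file_transfer(records)
            + detect_bulk_cloud_upload(records)
            + detect_volume_anomaly(records))


if __name__ == "__main__":
    for rule, host, detail in run_all():
        print(f"[{rule}] {host}: {detail}")
```

On the sample data the database server is flagged by both the protocol rule and the volume rule, the HR workstation by the cloud upload and volume rules, and the managed transfer host and the engineering workstation (internal SSH only) by none. The volume rule is the one that keeps working when the adversary switches to an encrypted protocol you cannot inspect, which is why strategy 5 pairs it with egress filtering.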

Severity: Critical | Source: Firewall

Data Exfiltration via DNS TXT Records

DNS monitoring detected unusual TXT record queries from endpoint 10.5.8.122 in which the subdomain labels encode binary data. Analysis of 48,000 TXT queries over 6 hours reveals base32-encoded content that reconstructs to multiple compressed files. The technique bypasses DLP tools that inspect HTTP and FTP by using a protocol that most network security controls do not deeply inspect for data content; the payload becomes visible only when the query names are reassembled in sequence and decoded.
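Added example (not the page's or SOCSimulator's code) for detection strategy 3 and the DNS alert just described. It builds the attacker side first (a constructed payload, gzipped, base32-encoded and split into query labels), then the analyst side, which profiles each client's DNS queries statistically and, for a flagged client, reassembles and decodes the payload. The label layout <seq>-<chunk>.t.exfil-example.test, the benign client address, the sample payload and the thresholds are assumptions; the exfiltrating endpoint address is the one in the alert.

```python
import base64
import gzip
import hashlib
import math
from collections import Counter, defaultdict

EXFIL_ZONE = "t.exfil-example.test"   # assumed attacker-controlled zone
EXFIL_CLIENT = "10.5.8.122"           # endpoint from the alert above
BENIGN_CLIENT = "10.5.8.50"           # constructed

# Constructed stand-in for the stolen archives: 1 KiB of incompressible bytes
# derived from SHA-256 so that the sample is deterministic.
SECRET_PAYLOAD = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(32))


def build_exfil_queries(payload: bytes, client: str, zone: str = EXFIL_ZONE, chunk: int = 50):
    """Attacker side: gzip, base32 without padding, split into <seq>-<chunk> labels.
    50 data chars plus the 5-char sequence prefix stay under the 63-octet label limit."""
    encoded = base64.b32encode(gzip.compress(payload, mtime=0)).decode().rstrip("=")
    return [(client, f"{i:04d}-{encoded[j:j + chunk]}.{zone}".lower(), "TXT")
            for i, j in enumerate(range(0, len(encoded), chunk))]


# Constructed DNS log: (client, qname, qtype) tuples, as a resolver log would give you.
BENIGN_QUERIES = [(BENIGN_CLIENT, name, "A") for name in
                  ("www.example.com", "mail.example.com", "login.example.com", "cdn.example.com")]
SAMPLE_QUERIES = BENIGN_QUERIES + build_exfil_queries(SECRET_PAYLOAD, EXFIL_CLIENT)


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def profile_clients(queries):
    """Per-client statistics that separate encoded payloads from normal resolution."""
    per_client = defaultdict(list)
    for client, qname, qtype in queries:
        per_client[client].append((qname, qtype))
    profiles = {}
    for client, qs in per_client.items():
        labels = [qname.split(".")[0] for qname, _ in qs]
        profiles[client] = {
            "queries": len(qs),
            "unique_ratio": len({q for q, _ in qs}) / len(qs),
            "mean_label_len": sum(map(len, labels)) / len(labels),
            "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels),
            "txt_ratio": sum(t == "TXT" for _, t in qs) / len(qs),
            "name_bytes": sum(len(q) for q, _ in qs),   # total DNS data volume per endpoint
        }
    return profiles


def flag_dns_exfil(profiles, min_queries=20, min_label_len=30, min_entropy=3.5, min_unique_ratio=0.9):
    """Statistical signature: many long, high-entropy first labels that are never repeated."""
    return [c for c, p in profiles.items()
            if p["queries"] >= min_queries and p["mean_label_len"] >= min_label_len
            and p["mean_entropy"] >= min_entropy and p["unique_ratio"] >= min_unique_ratio]


def reconstruct_payload(queries, client: str, zone: str = EXFIL_ZONE) -> bytes:
    """Analyst side: order the labels by sequence number, re-pad, base32-decode, gunzip."""
    chunks = {}
    for c, qname, _ in queries:
        if c == client and qname.endswith("." + zone):
            seq, data = qname.split(".")[0].split("-", 1)
            chunks[int(seq)] = data
    encoded = "".join(chunks[i] for i in sorted(chunks)).upper()
    encoded += "=" * (-len(encoded) % 8)   # restore the padding stripped by the sender
    return gzip.decompress(base64.b32decode(encoded))


def run_demo():
    profiles = profile_clients(SAMPLE_QUERIES)
    flagged = flag_dns_exfil(profiles)
    return flagged, {c: reconstruct_payload(SAMPLE_QUERIES, c) for c in flagged}


if __name__ == "__main__":
    flagged, recovered = run_demo()
    for c in flagged:
        print(f"{c}: {len(recovered[c])} bytes recovered from DNS query names")
```

The profile numbers are what an NDR or SIEM rule would key on: a workstation resolving a few short, low-entropy names is nothing like an endpoint emitting dozens of unique 55-character labels in a single zone. Real encoders vary the layout (no sequence prefix, multiple labels per name, data in the response rather than the query), so the reconstruction step is the part you adapt per case; the statistical profile is the part that generalizes.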

Practice Detecting Exfiltration Over Alternative Protocol

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Exfiltration Over Alternative Protocol. Build detection skills with zero consequences — free forever.

12,000+ analysts trained
No credit card required

Frequently Asked Questions

How do SOC analysts detect Exfiltration Over Alternative Protocol?
SOC analysts detect Exfiltration Over Alternative Protocol (T1048) by monitoring firewall and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring for outbound FTP, SFTP, and SCP connections from systems that have no legitimate reason to transfer files to external destinations, email DLP thresholds on large or encrypted attachments, statistical analysis of DNS query volume and subdomain entropy, and monitoring for bulk uploads to personal cloud storage. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Exfiltration Over Alternative Protocol?
Exfiltration Over Alternative Protocol can be detected using firewall and SIEM platforms. Firewall and proxy logs are particularly effective for this technique because they record every outbound connection with its destination, port, application and byte count, which is exactly where an unexpected protocol or an abnormal volume shows up during the exfiltration phase of the attack chain. SOCSimulator simulates SIEM, XDR and Firewall consoles for hands-on training.
How common is Exfiltration Over Alternative Protocol in real-world attacks?
Exfiltration Over Alternative Protocol is a well-documented MITRE ATT&CK technique in the Exfiltration tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Exfiltration Over Alternative Protocol scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Exfiltration Over Alternative Protocol for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Exfiltration techniques like Exfiltration Over Alternative Protocol. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.
Related resources

Glossary: What is Exfiltration? — SOC Glossary; What is DLP? — SOC Glossary; What is NDR? — SOC Glossary

Career Path: DFIR Analyst Career Guide — Salary & Skills; Incident Responder Career Guide — Salary & Skills

Tool: Firewall Training Console — SOCSimulator; SIEM Training Console — SOCSimulator

Comparison: SOCSimulator Vs. Letsdefend — Platform Comparison; SOCSimulator Vs. Tryhackme — Platform Comparison

Playbook: Ransomware Activity Investigation — Investigation Playbook; Data Exfiltration Investigation — Investigation Playbook; DNS Tunneling Investigation — Investigation Playbook
