Skip to content

DET0131 Behavioral Detection Strategy for Exfiltration Over Alternative Protocol

Item Value
ID DET0131
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1048 (Exfiltration Over Alternative Protocol)

Analytics

Windows

AN0367

Detects unusual outbound file transfer behavior using protocols like FTP, SMB, SMTP, or DNS, involving non-standard processes, off-hour activity, or uncommonly high volume.

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Mutable Elements
Field Description
DataVolumeThresholdMB Set threshold for outbound volume (e.g., >50MB in a single connection).
ProtocolAllowList Allow-listed protocols in use for specific machines or users (e.g., FTP allowed for backups).
TimeWindow Define allowed time-of-day windows (e.g., flag after-hours file transfer).
ParentProcessAnomaly Identify anomalous parent-child process relationships (e.g., winword.exe spawning ftp.exe).

Linux

AN0368

Detects file exfiltration using tools like curl, scp, or custom binaries over protocols such as FTP, HTTP/S, or DNS tunneling, especially outside baseline user behavior.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Network Connection Creation (DC0082) auditd:SYSCALL connect
File Access (DC0055) auditd:SYSCALL open
File Modification (DC0061) auditd:SYSCALL write
Network Traffic Flow (DC0078) NSM:Flow NetFlow/Zeek conn.log
Mutable Elements
Field Description
ProtocolType Flag unexpected protocols (e.g., HTTP on port 53 or FTP traffic from non-standard tools).
UserContext Scope for privilege escalation or service account behavior.
FileExtensionSensitivity Track movement of file types of interest (e.g., .csv, .sql, .key).

macOS

AN0369

Detects non-native file transfer via curl, Python scripts, or AppleScript using uncommon protocols like FTP, SMTP, or DNS exfiltration through mDNSResponder abuse.

Log Sources
Data Component Name Channel
Network Traffic Content (DC0085) macos:unifiedlog log stream (subsystem: com.apple.system.networking)
Process Creation (DC0032) macos:osquery process_events
File Creation (DC0039) macos:osquery file_events
Mutable Elements
Field Description
ProtocolUnusualnessScore Weight rarely-used protocols in user space.
ExecutableBaselining Track which binaries usually call curl/nc and alert on deviation.

IaaS

AN0370

Detects access to cloud APIs or CLI tools to move or sync files from sensitive buckets to external endpoints using protocols like HTTPS or S3 APIs.

Log Sources
Data Component Name Channel
Cloud Storage Access (DC0025) AWS:CloudTrail GetObject, CopyObject
Network Traffic Flow (DC0078) AWS:VPCFlowLogs Outbound data flows
Mutable Elements
Field Description
IAMRoleContext Detect unauthorized use of roles for cloud storage manipulation.
GeoDestinationThreshold Alert on outbound flows to geo-locations not seen in training baseline.

ESXi

AN0371

Detects outbound traffic from hostd/vpxa or guest VM interfaces using unauthorized protocols such as FTP, HTTP POST bursts, or long-lived DNS tunnels.

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:hostd logline inspection
Network Connection Creation (DC0082) esxi:vmkernel protocol egress
Mutable Elements
Field Description
GuestTrafficBaseline Expected protocols used by VMs attached to host interfaces.
ServiceAccountProfile Unexpected network activity from hypervisor processes or monitoring agents.