DET0149 Detection of Exfiltration Over Unencrypted Non-C2 Protocol

Item	Value
ID	DET0149
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1048.003 (Exfiltration Over Unencrypted Non-C2 Protocol)

Analytics

Windows

AN0423

Detects data access or staging events followed by outbound data flows using unencrypted protocols (e.g., FTP, HTTP) initiated by unexpected processes or to rare destinations.

Log Sources

Data Component	Name	Channel
Network Connection Creation (DC0082)	WinEventLog:Sysmon	EventCode=3, 22
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
File Access (DC0055)	WinEventLog:Security	EventCode=4663, 4670, 4656
Network Traffic Content (DC0085)	NSM:Flow	http.log, ftp.log

Mutable Elements

Field	Description
UnencryptedProtocolList	Set of protocols considered suspicious for outbound data exfiltration (e.g., FTP, HTTP).
DataTransferSizeThreshold	Defines what amount of outbound data is considered abnormal for a host/user.
ParentProcessDenylist	Processes that should not launch FTP/HTTP clients (e.g., winword.exe launching ftp.exe).

Linux

AN0424

Detects file access or compression utilities followed by outbound connections using curl, wget, ftp, or custom binaries communicating over unencrypted protocols.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	auditd:SYSCALL	execve
Network Connection Creation (DC0082)	auditd:SYSCALL	connect
Network Traffic Content (DC0085)	NSM:Flow	http.log, ftp.log
Network Traffic Flow (DC0078)	NSM:Flow	flow records

Mutable Elements

Field	Description
SensitiveDirectoryWatchlist	Flag access to paths known to store sensitive or regulated data.
ProcessBaseline	Define which binaries are allowed to communicate externally using HTTP/FTP.
TimeWindow	Correlates process/file/network within a defined time window.

macOS

AN0425

Detects abnormal outbound HTTP/FTP connections by local scripts or binaries outside of standard browser activity, following access to local documents or user data.

Log Sources

Data Component	Name	Channel
Network Traffic Flow (DC0078)	macos:osquery	socket_events
Process Creation (DC0032)	macos:osquery	process_events
File Access (DC0055)	macos:unifiedlog	log stream - file subsystem
Network Traffic Content (DC0085)	NSM:Flow	http.log, ftp.log

Mutable Elements

Field	Description
ScriptedClientAllowlist	Defines allowed automated agents that may transmit HTTP or FTP data (e.g., backup tools).
PayloadInspectionKeywordList	Terms or patterns indicating structured or sensitive data leaving via HTTP/FTP.

ESXi

AN0426

Detects shell-based scripts accessing configuration files or snapshots and transmitting them over unencrypted protocols such as FTP or HTTP to non-management IPs.

Log Sources

Data Component	Name	Channel
Command Execution (DC0064)	esxi:hostd	event stream
Network Traffic Flow (DC0078)	NSM:Flow	flow records
Network Traffic Content (DC0085)	NSM:Flow	http.log

Mutable Elements

Field	Description
VMConfigAccessPathWatchlist	Locations of VMX/CFG/SNAPSHOT files that should not be accessed by non-admin shells.
OutboundProtocolProfile	Expected network protocols for guest and host interfaces.

Network Devices

AN0427

Detects use of unencrypted protocols (e.g., TFTP, FTP, HTTP) to transfer configuration files, routing tables, or logs to untrusted IP addresses, especially using administrative commands like copy run ftp:.

Log Sources

Data Component	Name	Channel
Command Execution (DC0064)	networkdevice:cli	CLI command logs
Network Traffic Flow (DC0078)	networkdevice:syslog	flow records
Network Traffic Content (DC0085)	NSM:Flow	PCAP inspection

Mutable Elements

Field	Description
ProtocolCommandWatchlist	Flag commands like `copy`, `archive tar`, or `upload` directed at external hosts.
DestinationIPBlocklist	Define external IP ranges unauthorized to receive router/switch configs.