Skip to content

DET0512 Detection of Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Item Value
ID DET0512
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1048.002 (Exfiltration Over Asymmetric Encrypted Non-C2 Protocol)

Analytics

Windows

AN1413

Detects non-browser processes that establish encrypted outbound connections (e.g., TLS/SSL) to unfamiliar or atypical destinations for the host/user, following a data staging or compression event.

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
File Access (DC0055) WinEventLog:Security EventCode=4663, 4670, 4656
Network Traffic Content (DC0085) NSM:Flow ssl.log - Certificate Analysis
Mutable Elements
Field Description
TimeWindow Correlates file access, encryption, and network transmission within a timeframe (e.g., 5 minutes).
CertificateIssuerDenylist Blocks or flags untrusted certificate authorities in SSL/TLS handshakes.
BinaryAllowlist Whitelist for known-good applications allowed to use encrypted outbound traffic.

Linux

AN1414

Detects staged file access (e.g., archive or obfuscation), followed by an encrypted outbound connection (TLS/HTTPS) from unusual processes such as curl/wget, Python scripts, or custom binaries.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Network Connection Creation (DC0082) auditd:SYSCALL connect
Network Traffic Content (DC0085) NSM:Flow ssl.log, conn.log
File Access (DC0055) auditd:SYSCALL open, read
Mutable Elements
Field Description
ConnectionDestinationScope Restrict outbound connections to non-corporate domains or IPs.
FileAccessExtensionList List of extensions considered sensitive or exfil-worthy (e.g., .zip, .db, .xlsx).
SSLClientProcessBaseline Define normal encrypted-traffic-capable binaries.

macOS

AN1415

Detects abnormal encrypted network connections (via TLS/HTTPS) initiated by non-browser binaries, particularly after sensitive file access or compression events.

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) macos:osquery socket_events
Process Creation (DC0032) macos:osquery process_events
File Access (DC0055) macos:unifiedlog log stream - file provider subsystem
Network Traffic Content (DC0085) NSM:Flow ssl.log, x509.log
Mutable Elements
Field Description
OutboundTrafficVolumeThreshold Trigger detection for large amounts of outbound encrypted data.
FileSensitivityContext Tagging and prioritizing high-value directories/files in detection logic.

ESXi

AN1416

Detects unexpected encrypted outbound connections from management components or guest VMs using TLS, particularly after data volume spikes or script-based orchestration from within guest environments.

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:hostd event stream
Network Traffic Flow (DC0078) esxi:vmkernel egress logs
Mutable Elements
Field Description
VMToEgressPathWatchlist Expected traffic routes for monitored VMs.
TLSClientAppIdentifier Applications allowed to initiate TLS sessions from hypervisor level.