detection.wiki

ATT&CK coverage › Technique

Exfiltration Over Alternative Protocol T1048

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Events covered

7 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon22DNSEvent (DNS query)
Security-Auditing4688A new process has been created.
Security-Auditing4697A service was installed in the system.
Defender-DeviceProcessEvents9001000Process activity (any)
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).
Service-Control-Manager7045A service was installed in the system.

Authoring guide

Patterns shared across the 11 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (8 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine5match 5/AddFileSet, /AddFile, /Transfer, copy , cpi
Image3ends_with 3, match 2\pwsh.exe, \robocopy.exe, \powershell.exe, \bcp.exe, \tapinstall.exe
OriginalFileName2eq 2PowerShell.EXE, powershell_ise.exe, XCOPY.EXE, BCP.exe
FileName1eq 1bitsadmin.exe
ScriptBlockText1match 1 -t , -p , Invoke-DNSExfiltrator
ImagePath1match 1tap0901
Provider_Name1eq 1Service Control Manager
ServiceFileName1match 1tap0901

Top indicator values (64 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
CommandLinematch/AddFileSet1
CommandLinematch/AddFile1
CommandLinematch/AddFileWithRanges1
CommandLinematch/Transfer1
FileNameeqbitsadmin.exe1
Imagematch\powershell.exe1
Imagematch\pwsh.exe12
CommandLinematchcopy 111
CommandLinematchcopy-item14
CommandLinematchcpi 14
CommandLinematch move-item1
OriginalFileNameeqpowershell_ise.exe16
CommandLinematch mi 12
Imageends_with\robocopy.exe15
CommandLinematchmove 12
CommandLinematch\Sysvol\1
OriginalFileNameeqPowerShell.EXE164
CommandLinematch\\\\*\\*$1
CommandLinematch cp 15
OriginalFileNameeqpwsh.dll172

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 8 rules

Kusto Query Language 3 rules