T1048.003: T1048.003

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1048.003
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Exfiltration Over Unencrypted Non-C2 Protocol

Platforms

windows macos linux Network Devices ESXi

Description

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco) Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.

Kill chain phases

Kill chain	Phase
mitre-attack	exfiltration

Marking (TLP)

External references

mitre-attack (T1048.003)
copy_cmd_cisco
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (18)

APT32 uses SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN8 uses Syssphinx

The MITRE Corporation Confidence 100

[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Thrip uses DRAGONFISHSpring Dragon

The MITRE Corporation Confidence 100

[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Contagious Interview uses Gwisin GangTAG-121

The MITRE Corporation Confidence 100

[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Salt Typhoon uses

The MITRE Corporation Confidence 100

[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Donot Team uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT33 uses HOLMIUMElfin

The MITRE Corporation Confidence 100

[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN6 uses Magecart Group 6ITG08

The MITRE Corporation Confidence 100

[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Warlock uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Wizard Spider uses TEMP.MixMasterGrim Spider

The MITRE Corporation Confidence 100

[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 18

Vynlence uses

Family
Dok uses
InvisibleFerret uses

Family
LockBit uses

Family
MiniDoor uses

Family
ccf32 uses
Latrodectus uses

Family
Tsunami uses

Family
Auto-Color uses

Family
PrismexLoader uses

Family
PUBLOAD uses

Family
CharmPower uses

← Previous

Page / 4

1–12 of 40

Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Popular node-ipc npm Package Infected with Credential Stealer related

AlienVault Confidence 100 20 MITREs 1 Malware 10 IOCs 10 Observables
Silent Crypto Wallet Takeover Unlimited USDT Approval Exploitation … related

21 MITREs 3 Observables
Pawn Storm Campaign Deploys PRISMEX, Targets Government and … related

15 MITREs 6 Malwares 84 Observables 1 APT
Unmasking Agent Tesla: A Deep Dive into a … related

9 MITREs 4 Observables 1 APT
Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit related

11 MITREs
Increased Fog and Akira Ransomware Activity Linked to … related

1 CVE 22 MITREs 2 Malwares 16 Observables
StopRansomware: RansomHub Ransomware related

9 CVEs 23 MITREs 4 Malwares 14 Observables 1 APT

Vulnerabilities (CVE) (11)

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2023-48788 KEV targets

9.8 Critical

Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.

Attack vector: Network
Published: 25/03/2024
Modified: 21/12/2025

CVE-2023-27997 KEV targets

9.8 Critical

Fortinet FortiOS and FortiProxy SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute code or …

Attack vector: Network
Published: 13/06/2023
Modified: 21/12/2025

CVE-2023-22515 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …

Attack vector: Network
Published: 05/10/2023
Modified: 21/12/2025

CVE-2024-40766 KEV targets

9.8 Critical

An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in …

Attack vector: Network
Published: 09/09/2024
Modified: 21/12/2025

Analyzed

CVE-2023-46747 KEV targets

9.8 Critical

F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …

Attack vector: Network
Published: 31/10/2023
Modified: 21/12/2025

CVE-2020-0787 KEV targets

Microsoft Windows BITS is vulnerable to to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this …

Published: 28/01/2022
Modified: 21/12/2025

CVE-2023-3519 KEV targets

9.8 Critical

Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.

Attack vector: Network
Published: 19/07/2023
Modified: 27/05/2026

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2017-0144 KEV targets

8.8 High

The SMBv1 server in multiple Microsoft Windows versions allows remote attackers to execute arbitrary code via crafted packets.

Attack vector: NETWORK
Complexity: LOW
Published: 17/03/2017
Modified: 22/04/2026

CVE-2023-46604 KEV targets

10.0 Critical

Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …

Attack vector: Network
Published: 02/11/2023
Modified: 21/12/2025

Attack patterns (MITRE) (1)

T1048 subtechnique-of

Exfiltration Over Alternative Protocol MITRE

Course Of Action (4)

Data Loss Prevention mitigates
Network Segmentation mitigates
Network Intrusion Prevention mitigates
Filter Network Traffic mitigates

Campaign (2)

2025 Poland Wiper Attacks uses
C0017 uses

Tool (3)

Rclone uses

The MITRE Corporation Confidence 100

[Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a…
ftp uses

The MITRE Corporation Confidence 100

[ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a…
BITSAdmin uses

The MITRE Corporation Confidence 100

[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)

Contact About Legal notice Privacy policy Terms of use