T1048: Exfiltration Over Alternative Protocol
Essential information
- MITRE technique ID: T1048
- Confidence: 100/100
- Revoked: No
- Published: 31/05/2017 23:30
- Modified: 15/04/2026 18:28
- Author / Source: The MITRE Corporation
Aliases
Exfiltration Over Alternative Protocol
Platforms
Windows, macOS, Linux, Network Devices, IaaS, ESXi, Office Suite, SaaS
Description
Adversaries may steal data by exfiltrating it over a protocol different from the one carrying the existing command-and-control channel (for example FTP, SMTP, HTTP/S, DNS or SMB when C2 runs over something else), and may send it to a network location other than the main C2 server. The alternative channel may be symmetrically encrypted, asymmetrically encrypted, or sent in the clear. The practical consequence for defenders is that the exfiltration traffic does not share the C2 channel's indicators, so detection has to key on protocol use, destinations and volume that are unusual for the host rather than on known C2 signatures.
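As an added example (not part of the MITRE entry or of this page), the following Python script applies the volume-and-protocol reasoning above to Zeek-style conn.log records. It assumes a local policy in which web traffic (http/ssl) is the only sanctioned egress path, treats RFC 1918 addresses as internal, and uses illustrative thresholds; the log lines are constructed, and the field subset, thresholds and function names are this example's own choices, not Zeek's or MITRE's.

```python
"""Flag candidate T1048 activity in Zeek-style conn.log records.

Two heuristics (illustrative assumptions, not MITRE's detection text):
  1. An internal host pushes more than BYTES_THRESHOLD client bytes to one
     external destination over a service other than the sanctioned web egress.
  2. DNS flows from one host to one resolver average far more client bytes
     per flow than a normal query, the usual footprint of DNS tunnelling.
"""
import ipaddress
from collections import defaultdict

SANCTIONED_SERVICES = {"http", "ssl"}   # assumed: web via the proxy is the only approved egress
BYTES_THRESHOLD = 5 * 1024 * 1024       # 5 MiB per (host, service, destination)
DNS_AVG_BYTES_THRESHOLD = 200           # client bytes per flow; a normal query is far smaller

# RFC 1918 ranges are "internal"; everything else is treated as external.
# (ipaddress.is_global would also reject the documentation ranges used in the
# constructed sample below, so a plain RFC 1918 check is used instead.)
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Subset of Zeek conn.log fields the sample carries; tab-separated, '-' when unset.
FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes")


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def parse_conn_log(text: str) -> list:
    """Parse conn.log lines into dicts; comment lines are skipped, '-' counts become 0."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue                                  # malformed line: skip, do not crash
        rec = dict(zip(FIELDS, parts))
        for key in ("orig_bytes", "resp_bytes"):
            rec[key] = int(rec[key]) if rec[key] != "-" else 0
        records.append(rec)
    return records


def find_alt_protocol_exfil(records: list) -> list:
    """Return findings as dicts: src, dst, service, bytes (client-sent), reason."""
    volume = defaultdict(int)                 # (src, service, dst) -> client bytes
    dns = defaultdict(lambda: [0, 0])         # (src, resolver) -> [client bytes, flows]
    for r in records:
        src, dst, svc = r["id.orig_h"], r["id.resp_h"], r["service"]
        if svc == "dns":                      # resolver may be internal; count it anyway
            dns[(src, dst)][0] += r["orig_bytes"]
            dns[(src, dst)][1] += 1
        elif svc not in SANCTIONED_SERVICES and is_external(dst):
            volume[(src, svc, dst)] += r["orig_bytes"]

    findings = []
    for (src, svc, dst), sent in volume.items():
        if sent > BYTES_THRESHOLD:
            findings.append({"src": src, "dst": dst, "service": svc, "bytes": sent,
                             "reason": "bulk upload over non-sanctioned protocol"})
    for (src, dst), (sent, flows) in dns.items():
        if sent / flows > DNS_AVG_BYTES_THRESHOLD:
            findings.append({"src": src, "dst": dst, "service": "dns", "bytes": sent,
                             "reason": f"oversized DNS queries ({sent / flows:.0f} B/flow)"})
    return findings


# Constructed sample, not real telemetry; column order follows FIELDS.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\t" + "\t".join(FIELDS),
    # ordinary HTTPS browsing: sanctioned service, ignored
    "1700000001.1\tC1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl\t3.2\t120000\t900000",
    # three FTP uploads of 2.5 MiB each from one host to one external server: flagged
    "1700000002.0\tC2\t10.0.0.5\t51010\t198.51.100.7\t21\ttcp\tftp\t40.0\t2621440\t2000",
    "1700000050.0\tC3\t10.0.0.5\t51011\t198.51.100.7\t21\ttcp\tftp\t41.0\t2621440\t2000",
    "1700000100.0\tC4\t10.0.0.5\t51012\t198.51.100.7\t21\ttcp\tftp\t39.0\t2621440\t2000",
    # 50 MiB SMB copy to an internal file server: internal destination, ignored
    "1700000120.0\tC5\t10.0.0.5\t51020\t10.0.0.20\t445\ttcp\tsmb\t60.0\t52428800\t4000",
    # 1 MiB SMTP message to an external relay: below threshold, ignored
    "1700000130.0\tC6\t10.0.0.11\t51030\t192.0.2.30\t25\ttcp\tsmtp\t2.0\t1048576\t500",
    # normal-sized DNS queries from 10.0.0.8
    "1700000140.0\tC7\t10.0.0.8\t40000\t10.0.0.2\t53\tudp\tdns\t0.01\t40\t120",
    "1700000141.0\tC8\t10.0.0.8\t40001\t10.0.0.2\t53\tudp\tdns\t0.01\t45\t130",
    # ~800-byte DNS queries from 10.0.0.9: tunnel-like, flagged
    "1700000150.0\tC9\t10.0.0.9\t40010\t10.0.0.2\t53\tudp\tdns\t0.02\t800\t120",
    "1700000151.0\tC10\t10.0.0.9\t40011\t10.0.0.2\t53\tudp\tdns\t0.02\t790\t120",
    "1700000152.0\tC11\t10.0.0.9\t40012\t10.0.0.2\t53\tudp\tdns\t0.02\t810\t120",
])


def run_sample() -> list:
    return find_alt_protocol_exfil(parse_conn_log(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['src']} -> {f['dst']} [{f['service']}] {f['bytes']} B: {f['reason']}")
```

On the sample, the script reports the FTP host (7.5 MiB to one external server over a non-sanctioned service) and the host issuing ~800-byte DNS queries, while ignoring the large internal SMB copy and the small external SMTP message. In production the thresholds and the sanctioned-service set must come from a per-environment baseline, and aggregation should run over a window rather than a single file; the SMB case also shows why internal staging alone is not evidence of T1048, since the technique is defined by the outbound leg.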
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | exfiltration |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (44)
- Volt Typhoon uses (source: The MITRE Corporation, confidence 100)
  [Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…
- RansomHub uses (source: AlienVault, confidence 100)
- Outlaw uses (source: AlienVault, confidence 100)
- Earth Koshchei uses (source: AlienVault, confidence 100)
- Phobos uses (source: AlienVault, confidence 100)
- Cinnamon Tempest uses (source: The MITRE Corporation, confidence 100)
  [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon…
- interlock uses (source: Ransomware.Live, confidence 100)
  No description available
- CrazyHunter uses (source: AlienVault, confidence 100)
- VOID MANTICORE uses (source: AlienVault, confidence 100)
  [VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…
- Salt Typhoon uses (source: The MITRE Corporation, confidence 100)
  [Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…
- everest uses (source: AlienVault, confidence 100)
  Everest ransom group collects and analyzes information about their victims. They specialize in customer privacy data, financial information, databases, credit card information, and more. The Everest ransom group…
- Andariel uses (source: The MITRE Corporation, confidence 100)
  [Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean…
Malware (74)
- ASPXSpy uses (family; source: The MITRE Corporation, confidence 100)
  [ASPXSpy](https://attack.mitre.org/software/S0073) is a Web shell. It has been modified by [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors to create the ASPXTool version. (Citation: Dell TG-3390)
- KingsPawn uses (source: AlienVault, confidence 100)
- RagnarLocker uses (source: AlienVault, confidence 100)
- PCHunter uses (source: AlienVault, confidence 100)
- Chaes uses (family; source: The MITRE Corporation, confidence 100)
  [Chaes](https://attack.mitre.org/software/S0631) is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. [Chaes](https://attack.mitre.org/software/S0631) was first observed in 2020,…
- Volgmer (S0180) uses (source: AlienVault, confidence 100)
- CoffeeLoader uses (source: AlienVault, confidence 100)
- BoxOfFriends uses (source: AlienVault, confidence 100)
- MagicRAT uses (family; source: The MITRE Corporation, confidence 100)
  [MagicRAT](https://attack.mitre.org/software/S1182) is a remote access tool developed in C++ and exclusively used by the [Lazarus Group](https://attack.mitre.org/groups/G0032) threat actor in operations. [MagicRAT](https://attack.mitre.org/software/S1182) allows for arbitrary command execution on victim…
- Kobalos uses (family; source: The MITRE Corporation, confidence 100)
  [Kobalos](https://attack.mitre.org/software/S0641) is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. [Kobalos](https://attack.mitre.org/software/S0641) has been deployed against high profile targets, including high-performance computers, academic servers, an…
- ELF Backdoor uses (source: AlienVault, confidence 100)
- StartBat uses (source: AlienVault, confidence 100)
Reports (44)
- 16 MITRE entries, 5 observables
- 4 MITRE entries, 1 malware, 30 observables
- 21 MITRE entries, 22 malware, 60 observables, 1 APT
- 3 CVEs, 32 MITRE entries, 1 malware, 2 observables, 1 APT
- 16 MITRE entries, 1 malware, 4 observables, 1 APT
- 12 MITRE entries, 27 observables
- 23 MITRE entries, 5 observables, 1 APT
- 20 MITRE entries, 4 malware, 4 observables, 1 APT
Vulnerabilities (CVE) (30)
- An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …
  Attack vector: Network · Published: 14/01/2025 · Modified: 27/05/2026
- Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
  Attack vector: Local · Published: 03/11/2021 · Modified: 27/05/2026
- Progress Telerik UI for ASP.NET AJAX and Sitefinity have a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to disclose encryption keys …
  Attack vector: Network · Complexity: Low · Published: 03/07/2017 · Modified: 22/04/2026
- An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in …
  Attack vector: Network · Published: 09/09/2024 · Modified: 21/12/2025
- Microsoft Windows Kernel contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that could allow for privilege escalation.
  Attack vector: Local · Published: 15/10/2024 · Modified: 21/12/2025
- Advantive VeraCore before 2024.4.2.1 allows remote authenticated users to upload files to unintended folders (e.g., ones that are accessible during web browsing …
  Attack vector: Network · Published: 10/03/2025 · Modified: 21/12/2025
- Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.
  Attack vector: Network · Published: 30/09/2022 · Modified: 20/12/2025
- Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.
  Attack vector: Network · Published: 15/03/2023 · Modified: 21/12/2025
- Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the …
  Published: 03/11/2021 · Modified: 20/12/2025
- Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may …
  Attack vector: Network · Published: 09/06/2025 · Modified: 27/05/2026
- A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 …
  Attack vector: Network · Published: 10/03/2025 · Modified: 21/12/2025
- Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for remote code execution.
  Published: 03/11/2021 · Modified: 20/12/2025
Attack patterns (MITRE) (1)
Tool (1)
- AADInternals uses (source: The MITRE Corporation, confidence 100)
  [AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)
Course Of Action (4)
- User Account Management mitigates
- Network Segmentation mitigates
- Data Loss Prevention mitigates
- Filter Network Traffic mitigates