T1048: T1048

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 15/04/2026 18:28

Essential information

MITRE technique ID: T1048
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 15/04/2026 18:28
Author / Source: The MITRE Corporation

Aliases

Exfiltration Over Alternative Protocol

Platforms

windows macos linux Network Devices IaaS ESXi Office Suite SaaS

Description

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux `curl` may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or [Cloud API](https://attack.mitre.org/techniques/T1059/009).

Kill chain phases

Kill chain	Phase
mitre-attack	exfiltration

Marking (TLP)

External references

Palo Alto OilRig Oct 2016
mitre-attack (T1048)
20 macOS Common Tools and Techniques
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (44)

Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda

The MITRE Corporation Confidence 100

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Outlaw uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Koshchei uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Phobos uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cinnamon Tempest uses DEV-0401Emperor Dragonfly

The MITRE Corporation Confidence 100

[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon…

First seen 01/01/1970 · Last seen 16/11/5138 ·
interlock uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
CrazyHunter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Manticore uses COBALT MYSTIQUEHandala Hack

AlienVault Confidence 100

[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Salt Typhoon uses

The MITRE Corporation Confidence 100

[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
everest uses

AlienVault Confidence 100

Everest ransom group collects and analyzes information about their victims. They specialize in customer privacy data, financial information, databases, credit card information, and more. The Everest ransom group…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Andariel uses Silent ChollimaPLUTONIUM

The MITRE Corporation Confidence 100

[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

1–12 of 44

CraxsRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
jRAT - S0283 uses

Family
CCminer uses
StpProcessMonitorByovd uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DOWNBAIT uses

Family
Conti - S0575 uses

Family
Andariel Scheduled Task Malware uses

Family
Bumblebee uses
Phemedrone uses

Family
Akira uses

The MITRE Corporation Confidence 100

[Akira](https://attack.mitre.org/software/S1129) ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity [Akira](https://attack.mitre.org/groups/G1024). [Akira](https://attack.mitre.org/software/S1129) ransomware has been used in attacks across North America, Europe,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
YDark uses

Family
InterlockRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 74

Affidavit in Support of Application for Criminal Complaint related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
Fake Software Tutorials on TikTok Spread Vidar Stealer related

20 MITREs 1 Malware
PCPJack Hijacked 230 AWS, GCP, and Azure Servers … related

1 CVE 12 MITREs 2 Malwares 2 Observables 1 APT
Iran Expands Handala Brand to Physical Threats related

20 MITREs 1 Malware 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Thus Spoke…The Gentlemen related

3 CVEs 20 MITREs 2 Malwares 33 Observables 1 APT
Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline … related

AlienVault Confidence 100 20 MITREs 16 Malwares 42 IOCs 42 Observables 1 APT
GopherWhisper: A burrow full of malware related

AlienVault Confidence 100 20 MITREs 7 Malwares 9 IOCs 9 Observables 1 APT
Silent Crypto Wallet Takeover Unlimited USDT Approval Exploitation … related

21 MITREs 3 Observables
New ransomware targets Turkey via Adwind RAT related

AlienVault Confidence 100 19 MITREs 4 Malwares 3 IOCs 3 Observables
Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities … related

16 MITREs 4 Malwares 19 Observables 1 APT

← Previous

Page / 4

1–12 of 44

Vulnerabilities (CVE) (30)

CVE-2025-61155 targets

5.5 Medium

The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process …

Attack vector: LOCAL
Published: 28/10/2025
Modified: 30/01/2026

Received

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2022-21894 targets

4.4 Medium

Secure Boot Security Feature Bypass Vulnerability

Attack vector: LOCAL
Published: 11/01/2022
Modified: 20/12/2025

CVE-2023-20198 KEV targets

10.0 Critical

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …

Attack vector: Network
Published: 16/10/2023
Modified: 21/12/2025

CVE-2019-18935 KEV targets

Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

← Previous

Page / 3

25–30 of 30

T1048.003 subtechnique-of

Exfiltration Over Unencrypted Non-C2 Protocol MITRE

Tool (1)

AADInternals uses

The MITRE Corporation Confidence 100

[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)

Course Of Action (4)

User Account Management mitigates
Network Segmentation mitigates
Data Loss Prevention mitigates
Filter Network Traffic mitigates

Contact About Legal notice Privacy policy Terms of use

T1048: T1048

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (44)

Malware (74)

Reports (44)

Vulnerabilities (CVE) (30)

Attack patterns (MITRE) (1)

Tool (1)

Course Of Action (4)