T1048: T1048

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 15/04/2026 18:28

Essential information

MITRE technique ID: T1048
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 15/04/2026 18:28
Author / Source: The MITRE Corporation

Aliases

Exfiltration Over Alternative Protocol

Platforms

windows macos linux Network Devices IaaS ESXi Office Suite SaaS

Description

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux `curl` may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or [Cloud API](https://attack.mitre.org/techniques/T1059/009).

Kill chain phases

Kill chain	Phase
mitre-attack	exfiltration

Marking (TLP)

External references

Palo Alto OilRig Oct 2016
mitre-attack (T1048)
20 macOS Common Tools and Techniques
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (44)

DEV-0196, QuaDream uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Vice Society uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
play uses

The MITRE Corporation Confidence 100

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Wazawaka uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lunar Spider uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Karakurt uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PCPJack uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ashen Lepus related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BianLian related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Blackwood related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Conti related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

13–24 of 44

CraxsRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
jRAT - S0283 uses

Family
CCminer uses
StpProcessMonitorByovd uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DOWNBAIT uses

Family
Conti - S0575 uses

Family
Andariel Scheduled Task Malware uses

Family
Bumblebee uses
Phemedrone uses

Family
Akira uses

The MITRE Corporation Confidence 100

[Akira](https://attack.mitre.org/software/S1129) ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity [Akira](https://attack.mitre.org/groups/G1024). [Akira](https://attack.mitre.org/software/S1129) ransomware has been used in attacks across North America, Europe,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
YDark uses

Family
InterlockRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 74

Affidavit in Support of Application for Criminal Complaint related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
Fake Software Tutorials on TikTok Spread Vidar Stealer related

20 MITREs 1 Malware
PCPJack Hijacked 230 AWS, GCP, and Azure Servers … related

1 CVE 12 MITREs 2 Malwares 2 Observables 1 APT
Iran Expands Handala Brand to Physical Threats related

20 MITREs 1 Malware 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Thus Spoke…The Gentlemen related

3 CVEs 20 MITREs 2 Malwares 33 Observables 1 APT
Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline … related

AlienVault Confidence 100 20 MITREs 16 Malwares 42 IOCs 42 Observables 1 APT
GopherWhisper: A burrow full of malware related

AlienVault Confidence 100 20 MITREs 7 Malwares 9 IOCs 9 Observables 1 APT
Silent Crypto Wallet Takeover Unlimited USDT Approval Exploitation … related

21 MITREs 3 Observables
New ransomware targets Turkey via Adwind RAT related

AlienVault Confidence 100 19 MITREs 4 Malwares 3 IOCs 3 Observables
Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities … related

16 MITREs 4 Malwares 19 Observables 1 APT

← Previous

Page / 4

1–12 of 44

Vulnerabilities (CVE) (30)

CVE-2024-55591 KEV targets

9.8 Critical

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …

Attack vector: Network
Published: 14/01/2025
Modified: 27/05/2026

Analyzed

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2017-9248 KEV targets

9.8 Critical

Progress Telerik UI for ASP.NET AJAX and Sitefinity have a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to disclose encryption keys …

Attack vector: NETWORK
Complexity: LOW
Published: 03/07/2017
Modified: 22/04/2026

CWE-522

CVE-2024-40766 KEV targets

9.8 Critical

An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in …

Attack vector: Network
Published: 09/09/2024
Modified: 21/12/2025

Analyzed

CVE-2024-30088 KEV targets

7.0 High

Microsoft Windows Kernel contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that could allow for privilege escalation.

Attack vector: Local
Published: 15/10/2024
Modified: 21/12/2025

Received

CVE-2024-57968 KEV targets

9.9 Critical

Advantive VeraCore before 2024.4.2.1 allows remote authenticated users to upload files to unintended folders (e.g., ones that are accessible during web browsing …

Attack vector: Network
Published: 10/03/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2022-41040 KEV targets

8.8 High

Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.

Attack vector: Network
Published: 30/09/2022
Modified: 20/12/2025

CVE-2023-26360 KEV targets

8.6 High

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 15/03/2023
Modified: 21/12/2025

CVE-2020-12812 KEV targets

Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-32433 KEV targets

10.0 Critical

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may …

Attack vector: Network
Published: 09/06/2025
Modified: 27/05/2026

Received

CVE-2025-25181 KEV targets

5.8 Medium

A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 …

Attack vector: Network
Published: 10/03/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-1675 KEV targets

Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 3

1–12 of 30

T1048.003 subtechnique-of

Exfiltration Over Unencrypted Non-C2 Protocol MITRE

Tool (1)

AADInternals uses

The MITRE Corporation Confidence 100

[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)

Course Of Action (4)

User Account Management mitigates
Network Segmentation mitigates
Data Loss Prevention mitigates
Filter Network Traffic mitigates

Contact About Legal notice Privacy policy Terms of use

T1048: T1048

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (44)

Malware (74)

Reports (44)

Vulnerabilities (CVE) (30)

Attack patterns (MITRE) (1)

Tool (1)

Course Of Action (4)