T1048: T1048

Search IOCs, vulnerabilities, APT…

216.73.216.36

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 15/04/2026 18:28

Essential information

MITRE technique ID: T1048
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 15/04/2026 18:28
Author / Source: The MITRE Corporation

Aliases

Exfiltration Over Alternative Protocol

Platforms

windows macos linux Network Devices IaaS ESXi Office Suite SaaS

Description

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux `curl` may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or [Cloud API](https://attack.mitre.org/techniques/T1059/009).

Kill chain phases

Kill chain	Phase
mitre-attack	exfiltration

Marking (TLP)

External references

Palo Alto OilRig Oct 2016
mitre-attack (T1048)
20 macOS Common Tools and Techniques
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (44)

DEV-0196, QuaDream uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Vice Society uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
play uses

The MITRE Corporation Confidence 100

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Wazawaka uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lunar Spider uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Karakurt uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PCPJack uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ashen Lepus related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BianLian related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Blackwood related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Conti related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

13–24 of 44

CraxsRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
jRAT - S0283 uses

Family
CCminer uses
StpProcessMonitorByovd uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DOWNBAIT uses

Family
Conti - S0575 uses

Family
Andariel Scheduled Task Malware uses

Family
Bumblebee uses
Phemedrone uses

Family
Akira uses

The MITRE Corporation Confidence 100

[Akira](https://attack.mitre.org/software/S1129) ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity [Akira](https://attack.mitre.org/groups/G1024). [Akira](https://attack.mitre.org/software/S1129) ransomware has been used in attacks across North America, Europe,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
YDark uses

Family
InterlockRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 74

Affidavit in Support of Application for Criminal Complaint related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
Fake Software Tutorials on TikTok Spread Vidar Stealer related

20 MITREs 1 Malware
PCPJack Hijacked 230 AWS, GCP, and Azure Servers … related

1 CVE 12 MITREs 2 Malwares 2 Observables 1 APT
Iran Expands Handala Brand to Physical Threats related

20 MITREs 1 Malware 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Thus Spoke…The Gentlemen related

3 CVEs 20 MITREs 2 Malwares 33 Observables 1 APT
Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline … related

AlienVault Confidence 100 20 MITREs 16 Malwares 42 IOCs 42 Observables 1 APT
GopherWhisper: A burrow full of malware related

AlienVault Confidence 100 20 MITREs 7 Malwares 9 IOCs 9 Observables 1 APT
Silent Crypto Wallet Takeover Unlimited USDT Approval Exploitation … related

21 MITREs 3 Observables
New ransomware targets Turkey via Adwind RAT related

AlienVault Confidence 100 19 MITREs 4 Malwares 3 IOCs 3 Observables
Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities … related

16 MITREs 4 Malwares 19 Observables 1 APT

← Previous

Page / 4

1–12 of 44

Vulnerabilities (CVE) (30)

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-57727 KEV targets

7.5 High

SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary …

Attack vector: Network
Published: 13/02/2025
Modified: 21/12/2025

Modified

CVE-2022-29499 KEV targets

The Service Appliance component in Mitel MiVoice Connect allows remote code execution due to incorrect data validation.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2025-33073 KEV targets

8.8 High

Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially …

Attack vector: Network
Published: 20/10/2025
Modified: 27/05/2026

Received

CVE-2018-13379 KEV targets

Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2018-0171 KEV targets

9.8 Critical

Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …

Attack vector: NETWORK
Published: 03/11/2021
Modified: 14/01/2026

CVE-2022-41082 KEV targets

8.0 High

Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …

Attack vector: Adjacent
Published: 30/09/2022
Modified: 20/12/2025

CVE-2021-4034 KEV targets

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2021-34527 KEV targets

Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2023-20273 KEV targets

7.2 High

Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the …

Attack vector: Network
Published: 23/10/2023
Modified: 21/12/2025

CVE-2023-27350 KEV targets

9.8 Critical

PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context …

Attack vector: Network
Published: 21/04/2023
Modified: 21/12/2025

← Previous

Page / 3

13–24 of 30

T1048.003 subtechnique-of

Exfiltration Over Unencrypted Non-C2 Protocol MITRE

Tool (1)

AADInternals uses

The MITRE Corporation Confidence 100

[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)

Course Of Action (4)

User Account Management mitigates
Network Segmentation mitigates
Data Loss Prevention mitigates
Filter Network Traffic mitigates

Contact About Legal notice Privacy policy Terms of use

T1048: T1048

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (44)

Malware (74)

Reports (44)

Vulnerabilities (CVE) (30)

Attack patterns (MITRE) (1)

Tool (1)

Course Of Action (4)