T1048: T1048
Essential information
- MITRE technique ID
T1048- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:30
- Modified
- 15/04/2026 18:28
- Author / Source
- The MITRE Corporation
Aliases
Exfiltration Over Alternative Protocol
Platforms
windows macos linux Network Devices IaaS ESXi Office Suite SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | exfiltration |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (44)
-
The MITRE Corporation Confidence 100
[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RansomHub usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Outlaw usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Earth Koshchei usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Phobos usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon…
First seen 01/01/1970 · Last seen 16/11/5138 · -
interlock usesRansomware.Live Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 · -
CrazyHunter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AlienVault Confidence 100
[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Salt Typhoon usesThe MITRE Corporation Confidence 100
[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…
First seen 01/01/1970 · Last seen 16/11/5138 · -
everest usesAlienVault Confidence 100
Everest ransom group collects and analyzes information about their victims. They specialize in customer privacy data, financial information, databases, credit card information, and more. The Everest ransom group…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (74)
-
ASPXSpy usesFamily The MITRE Corporation Confidence 100
[ASPXSpy](https://attack.mitre.org/software/S0073) is a Web shell. It has been modified by [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors to create the ASPXTool version. (Citation: Dell TG-3390)
First seen 01/01/1970 · Last seen 16/11/5138 · -
KingsPawn usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RagnarLocker usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PCHunter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Chaes usesFamily The MITRE Corporation Confidence 100
[Chaes](https://attack.mitre.org/software/S0631) is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. [Chaes](https://attack.mitre.org/software/S0631) was first observed in 2020,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Volgmer - S0180 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CoffeeLoader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BoxOfFriends usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
MagicRAT usesFamily The MITRE Corporation Confidence 100
[MagicRAT](https://attack.mitre.org/software/S1182) is a remote access tool developed in C++ and exclusively used by the [Lazarus Group](https://attack.mitre.org/groups/G0032) threat actor in operations. [MagicRAT](https://attack.mitre.org/software/S1182) allows for arbitrary command execution on victim…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Kobalos usesFamily The MITRE Corporation Confidence 100
[Kobalos](https://attack.mitre.org/software/S0641) is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. [Kobalos](https://attack.mitre.org/software/S0641) has been deployed against high profile targets, including high-performance computers, academic servers, an…
First seen 01/01/1970 · Last seen 16/11/5138 · -
ELF Backdoor usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
StartBat usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (44)
-
14 MITREs 6 Malwares 2 Observables 1 APT
-
25 MITREs 4 Malwares 1 APT
-
16 MITREs 1 Malware 1 APT
-
7 MITREs 59 Observables 1 APT
-
12 MITREs
-
24 MITREs 1 APT
-
6 CVEs 31 MITREs 92 Observables 1 APT
-
25 MITREs 2 Malwares 9 Observables 1 APT
-
14 MITREs 1 Malware 2 Observables
-
15 MITREs 3 Malwares 5 Observables
-
26 MITREs 2 Malwares 1 Observable 1 APT
-
4 CVEs 17 MITREs 3 Malwares 17 Observables 1 APT
Vulnerabilities (CVE) (30)
The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process …
- Attack vector
- LOCAL
- Published
- 28/10/2025
- Modified
- 30/01/2026
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
- Attack vector
- Network
- Published
- 10/12/2021
- Modified
- 27/05/2026
Secure Boot Security Feature Bypass Vulnerability
- Attack vector
- LOCAL
- Published
- 11/01/2022
- Modified
- 20/12/2025
Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …
- Attack vector
- Network
- Published
- 16/10/2023
- Modified
- 21/12/2025
Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the …
- Published
- 03/11/2021
- Modified
- 20/12/2025
Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …
- Attack vector
- Network
- Published
- 12/04/2024
- Modified
- 21/12/2025
Attack patterns (MITRE) (1)
Tool (1)
-
AADInternals usesThe MITRE Corporation Confidence 100
[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)
Course Of Action (4)
-
User Account Management mitigates
-
Network Segmentation mitigates
-
Data Loss Prevention mitigates
-
Filter Network Traffic mitigates