216.73.217.64

T1639: Exfiltration Over Alternative Protocol

View on MITRE ATT&CK The MITRE Corporation · Published 06/04/2022 15:19 · Modified 27/03/2026 01:41

Essential information

MITRE technique ID
T1639
Confidence
100/100
Revoked
No
Published
06/04/2022 15:19
Modified
27/03/2026 01:41
Author / Source
The MITRE Corporation

Platforms

android iOS

Description

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels.

Kill chain phases

Kill chainPhase
mitre-mobile-attack exfiltration

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references