Hunting with Elastic Security: Detecting covert data exfiltration


Not all network traffic is what it seems. Some flows conceal secrets, quietly exfiltrating sensitive data beyond your defenses. MITRE ATT&CK® T1048 - Exfiltration Over Alternative Protocol is a stealth technique adversaries use to smuggle data out of your environment by bypassing traditional security controls. Whether tunneling through ICMP, abusing DNS, or leveraging obscure application protocols, attackers exploit these alternative pathways to avoid detection and sneak critical information past your defenses.


The risks are severe — intellectual property, credentials, or confidential data could be extracted without a trace. Could these seemingly ordinary data streams hide something more sinister? An adversary may already be using T1048 to outmaneuver your security. DNS queries, ICMP echoes, or unexpected protocol usage might be concealing exfiltrated data.

This blog will arm you with the knowledge and tools to detect these covert exfiltration methods. By analyzing logs, dissecting traffic patterns, and leveraging ES|QL, you’ll uncover hidden threats and expose adversarial tactics. Can you stop data from slipping through the cracks, or will exfiltration routes remain undetected? It’s time to find out — the hunt begins now!

Understanding the technique

MITRE ATT&CK technique T1048, known as "Exfiltration Over Alternative Protocol," involves adversaries transferring stolen data using protocols different from their primary command and control (C2) channels. This method enables attackers to bypass security measures that monitor standard C2 traffic, thereby reducing the likelihood of detection. Commonly exploited protocols include FTP, SMTP, HTTP/S, DNS, and SMB. Adversaries may also employ encryption or obfuscation to further conceal the exfiltration process. (attack.mitre.org)

Sub-techniques of T1048

1. T1048.001: Exfiltration Over Symmetric Encrypted Non-C2 Protocol

  • Description: Adversaries exfiltrate data over a symmetrically encrypted network protocol distinct from the existing C2 channel. Symmetric encryption uses the same key for both encryption and decryption, necessitating a shared secret between communicating parties.

  • Example: Utilizing protocols like HTTPS, where data is encrypted symmetrically after an initial key exchange, to transfer stolen information to a different server

2. T1048.002: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

  • Description: In this method, adversaries exfiltrate data using an asymmetrically encrypted protocol separate from the primary C2 channel. Asymmetric encryption employs a pair of keys — public and private — for encryption and decryption, enhancing security by eliminating the need for a shared secret.

  • Example: Leveraging protocols that use asymmetric encryption for secure data transfer to an alternate destination

3. T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol

  • Description: Adversaries exfiltrate data over an unencrypted network protocol different from the main C2 channel. This approach may involve obfuscating data within protocols that are typically unencrypted, such as HTTP, FTP, or DNS.

  • Example: Embedding stolen data within HTTP requests to a web server controlled by the attacker without employing encryption, relying instead on data obfuscation techniques

By leveraging alternative protocols, adversaries exploit gaps in security tools and monitoring strategies. For example, ICMP packets typically used for diagnostic purposes can be manipulated to carry data payloads, and DNS requests can be crafted to exfiltrate data under the guise of normal traffic. These tactics create significant challenges for defenders, who must analyze benign-looking traffic for hidden threats.

Understanding the significance of T1048 and its sub-techniques is critical for building robust defenses. By focusing on suspicious patterns in network traffic and scrutinizing less-monitored protocols, you can expose exfiltration attempts before they succeed. Proactively addressing these threats ensures your organization’s most valuable assets remain secure.

Data sources to optimize the hunt

To effectively detect T1048 activities, consider the following data sources and their respective Elastic integrations:

1. Application logs: Monitor logs from applications handling data transfers.

  • Detects: Unusual file downloads from cloud services like Google Drive or Microsoft OneDrive, such as multiple downloads by a single user in a short period

  • Elastic integration: Elastic Agent can be configured with centrally managed integrations and ship application logs to Elastic.

2. Cloud storage access logs: Track access to cloud storage services.

  • Detects: Unusual queries or access patterns, especially from unexpected sources, indicating potential improper permissions or unauthorized access

  • Elastic integration: Elastic Agent can be configured with out-of-the-box integrations to collect cloud storage access logs.

3. Command execution logs: Record executed commands and their arguments.

  • Detects: Commands that initiate data transfers, such as curl, ftp, or scp, which may indicate exfiltration attempts

  • Elastic integration: You can leverage one of Elastic’s many integrations to collect executed commands and their arguments. One integration you could utilize is the System integration.

4. File access logs: Monitor access to files, especially sensitive ones.

5. Network traffic logs: Analyze network connections and data flows.

  • Detects: New or unusual network connections, especially to untrusted hosts, and traffic patterns that don't conform to expected protocols

  • Elastic integration: For network logs, you can leverage one of Elastic’s many integrations. Most firewall integrations will ingest the required data correctly. You could also utilize the Network Packet Capture integration to capture and analyze network traffic.

6. User activity logs: Monitor and analyze user activity.

  • Detects: Users initiating large or unusual data transfers, which may be precursors to exfiltration

  • Elastic integration: Use Elastic Endpoint Security or another Elastic integration that collects logging information from a third party for monitoring user activity logs.

Threat hunting with ES|QL queries

To uncover adversaries leveraging T1048 - Exfiltration Over Alternative Protocol, we need to analyze network behaviors, process activities, and data flows for signs of hidden exfiltration. By leveraging Elastic Common Schema (ECS), these data sources are parsed and normalized into a consistent format, ensuring more effective correlation and detection across diverse logs. Below are ES|QL queries designed to detect specific aspects of this technique, using ECS fields to streamline analysis and enhance threat-hunting capabilities.

1. Identify non-standard protocol usage

FROM logs-*
| WHERE network.protocol NOT IN ("http", "https", "ftp", "ssh") AND network.direction == "egress"
| STATS bytes_out = SUM(network.bytes) BY source.ip, destination.ip, network.protocol

Explanation: This query identifies traffic using non-standard protocols, excluding common ones like HTTP, HTTPS, FTP, and SSH. Non-standard protocols are less frequently used for legitimate purposes and are often exploited by adversaries for covert communication or data exfiltration.

2. Cross-reference with firewall logs

FROM logs-*
| WHERE event.outcome == "success" AND destination.port IN (53, 123, 69)
| KEEP destination.ip, rule.name, event.outcome

Explanation: This query identifies firewall rules that allow traffic on specific ports commonly associated with alternative protocols, such as DNS (port 53), NTP (port 123), or TFTP (port 69). Monitoring these logs helps uncover potential misconfigurations or malicious activity where attackers are leveraging non-standard ports for data exfiltration.

  • By correlating this data with other logs (e.g., application or host logs), analysts can validate the legitimacy of the traffic and identify malicious activities.

3. Correlate with host-based connections

FROM logs-*
| WHERE network.protocol == "dns" AND network.direction == "egress"
| STATS bytes_out = SUM(network.bytes) BY source.ip, destination.ip, network.protocol

Explanation: This query focuses on host-based DNS connections with a significant amount of outbound traffic. Monitoring host-level DNS activity allows analysts to identify endpoints generating excessive data transfers over DNS, which could signal suspicious behavior such as DNS tunneling for data exfiltration.
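As an added example (not code from the Elastic post), the following Python re-implements the STATS ... BY aggregation that queries 1 and 3 perform, so the logic can be exercised offline against a handful of ECS-shaped events before it is turned into a rule. The sample events, the IP addresses, the DNS byte threshold and the helper names are all constructed for the demo; the excluded-protocol list follows query 1 and its explanation.

```python
# Added example (not from the Elastic post): an offline re-implementation of
# the STATS ... BY aggregation that queries 1 and 3 above perform, run over
# constructed ECS-shaped events so the output can be checked without a cluster.
# The sample events, the byte threshold and the helper names are assumptions.
from collections import defaultdict

# Constructed ECS-style documents; IPs come from documentation ranges, not real hosts.
SAMPLE_EVENTS = [
    {"source": {"ip": "10.0.0.5"}, "destination": {"ip": "8.8.8.8"},
     "network": {"protocol": "dns", "direction": "egress", "bytes": 120}},
    {"source": {"ip": "10.0.0.5"}, "destination": {"ip": "8.8.8.8"},
     "network": {"protocol": "dns", "direction": "egress", "bytes": 4000}},
    {"source": {"ip": "10.0.0.5"}, "destination": {"ip": "203.0.113.7"},
     "network": {"protocol": "https", "direction": "egress", "bytes": 5000}},
    {"source": {"ip": "10.0.0.9"}, "destination": {"ip": "192.0.2.10"},
     "network": {"protocol": "smb", "direction": "egress", "bytes": 900}},
    {"source": {"ip": "10.0.0.9"}, "destination": {"ip": "192.0.2.10"},
     "network": {"protocol": "smb", "direction": "ingress", "bytes": 300}},
    {"source": {"ip": "10.0.0.7"}, "destination": {"ip": "8.8.4.4"},
     "network": {"protocol": "dns", "direction": "egress", "bytes": 80}},
    # No network.protocol: NOT IN (...) evaluates to null in ES|QL, so the row is dropped.
    {"source": {"ip": "10.0.0.7"}, "destination": {"ip": "198.51.100.3"},
     "network": {"direction": "egress", "bytes": 50}},
]

# The protocols query 1 excludes (http, https, ftp, plus ssh as its explanation states).
EXCLUDED_PROTOCOLS = frozenset({"http", "https", "ftp", "ssh"})


def get_field(event, path):
    """Resolve a dotted ECS path such as 'network.bytes'; None when absent."""
    current = event
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def egress_bytes_by_flow(events, excluded=EXCLUDED_PROTOCOLS):
    """Mirror of: WHERE network.protocol NOT IN (...) AND network.direction == "egress"
    | STATS bytes_out = SUM(network.bytes) BY source.ip, destination.ip, network.protocol"""
    totals = defaultdict(int)
    for ev in events:
        proto = get_field(ev, "network.protocol")
        if proto is None or proto in excluded:
            continue
        if get_field(ev, "network.direction") != "egress":
            continue
        key = (get_field(ev, "source.ip"), get_field(ev, "destination.ip"), proto)
        totals[key] += get_field(ev, "network.bytes") or 0
    return dict(totals)


def dns_heavy_sources(events, threshold_bytes):
    """Query 3 follow-up: source hosts whose summed egress DNS bytes exceed a threshold.
    The threshold is an assumption; tune it to the DNS baseline of your own environment."""
    per_source = defaultdict(int)
    for (src, _dst, proto), total in egress_bytes_by_flow(events, excluded=frozenset()).items():
        if proto == "dns":
            per_source[src] += total
    return sorted(src for src, total in per_source.items() if total > threshold_bytes)


if __name__ == "__main__":
    for flow, total in sorted(egress_bytes_by_flow(SAMPLE_EVENTS).items()):
        print(f"{flow[0]:>10} -> {flow[1]:<14} {flow[2]:<5} bytes_out={total}")
    print("DNS-heavy sources:", dns_heavy_sources(SAMPLE_EVENTS, threshold_bytes=1000))
```

Two details carry over to the real queries: a document with no network.protocol never matches the NOT IN clause (null comparisons are dropped, so the aggregation silently ignores such events), and the per-source DNS total is only meaningful against a baseline, since recursive resolvers and busy workstations legitimately produce far more DNS than a quiet server.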

4. Detect large outbound DNS queries

FROM logs-*
| WHERE network.protocol == "dns"
| EVAL dns_length = LENGTH(dns.question.name)
| WHERE dns_length > 100
| KEEP source.ip, destination.ip, dns.question.name, dns_length, @timestamp

Explanation: This query identifies large DNS queries, which may indicate suspicious activity such as DNS tunneling. DNS is primarily used for resolving domain names into IP addresses, and legitimate DNS queries are typically concise. However, attackers can exploit the DNS protocol to encode and exfiltrate data, resulting in unusually large query lengths.

  • By monitoring the length of DNS queries and correlating them with known patterns of DNS tunneling, defenders can act quickly to block malicious domains or implement additional restrictions.

This query provides a simple yet powerful mechanism for detecting potential data exfiltration attempts over DNS, allowing organizations to proactively address a common technique used by adversaries.
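As an added example that is not part of the original post, the Python below implements the dns_length > 100 check from the query above offline, and goes a step beyond the page by layering on two features hunters commonly add next: the number of labels in the name and the Shannon entropy of its subdomain portion. The sample names, the thresholds for label count and entropy, and the shortcut of treating the last two labels as the registered domain are all assumptions made for the demo.

```python
# Added example (not from the Elastic post): the dns_length > 100 check from
# the query above, implemented offline so it can be exercised against sample
# names, plus two refinements hunters commonly layer on next: label count and
# Shannon entropy of the subdomain part. Every threshold, the sample names and
# the "registered domain is the last two labels" shortcut are assumptions.
import math


def shannon_entropy(text):
    """Bits per character; 0.0 for an empty string or a single repeated character."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def query_name_features(name):
    """Compute what the ES|QL EVAL computes (dns_length) plus two extra features."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    # Assumption: the last two labels are the registered domain. In production
    # use the public suffix list instead, or names under e.g. co.uk are misjudged.
    subdomain_chars = "".join(labels[:-2])
    return {
        "dns_length": len(name),
        "label_count": len(labels),
        "subdomain_entropy": shannon_entropy(subdomain_chars),
    }


def tunneling_indicators(name, max_len=100, max_labels=6, min_entropy=3.8):
    """Return the reasons a query name looks like DNS tunneling (empty list = none)."""
    f = query_name_features(name)
    reasons = []
    if f["dns_length"] > max_len:               # the post's rule: dns_length > 100
        reasons.append("long_name")
    if f["label_count"] > max_labels:           # chunked payloads become many labels
        reasons.append("many_labels")
    if f["subdomain_entropy"] >= min_entropy:   # encoded data is close to uniform
        reasons.append("high_entropy_subdomain")
    return reasons


def flag_dns_events(events):
    """Run the indicators over flattened ECS documents and keep the query's KEEP fields."""
    hits = []
    for ev in events:
        reasons = tunneling_indicators(ev["dns.question.name"])
        if reasons:
            hits.append((ev["source.ip"], ev["destination.ip"], ev["dns.question.name"], reasons))
    return hits


# Constructed sample names (example.com and example.net are reserved documentation domains).
HEX_NAME = "0123456789abcdef" * 4 + "." + "0123456789abcdef" * 3 + ".example.net"
SAMPLE_DNS_EVENTS = [
    {"source.ip": "10.0.0.5", "destination.ip": "8.8.8.8", "dns.question.name": "www.example.com"},
    {"source.ip": "10.0.0.5", "destination.ip": "8.8.8.8", "dns.question.name": HEX_NAME},
    {"source.ip": "10.0.0.7", "destination.ip": "8.8.4.4", "dns.question.name": "a.b.c.d.e.f.g.example.net"},
]

if __name__ == "__main__":
    for src, dst, qname, reasons in flag_dns_events(SAMPLE_DNS_EVENTS):
        print(f"{src} -> {dst}  len={len(qname)}  {reasons}")
```

The length rule alone misses the third sample, whose payload is spread across many short labels, while the entropy feature also fires on legitimate names such as CDN or cloud hostnames with random-looking labels; treat a hit as a hunting lead to pivot on (source host, query volume, resolver used) rather than as a standalone alert, and baseline the thresholds per environment.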

5. Identify ICMP traffic with data payloads

FROM logs-*
| WHERE network.transport == "icmp"
  AND network.bytes > 0
| KEEP source.ip, destination.ip, network.bytes, @timestamp

Explanation: This query detects ICMP (Internet Control Message Protocol) traffic with a non-empty payload. ICMP is primarily used for diagnostic purposes, such as pinging a host to check its availability. Typically, ICMP packets carry minimal or no payload data, so the presence of a payload is unusual and can indicate covert activity.

6. Monitor outbound FTP connections

FROM logs-*
| WHERE process.name == "ftp" AND network.direction IN ("outbound", "egress", "external")
| KEEP user.name, source.ip, destination.ip, network.bytes, @timestamp

Explanation: This query focuses on detecting outbound FTP (File Transfer Protocol) connections. FTP is a protocol commonly used for transferring files between systems, both internally and externally. While legitimate in some environments, its use for outbound connections, especially to unknown or untrusted destinations, is a potential indicator of data exfiltration.

7. Identify outbound SMB traffic

FROM logs-*
| WHERE network.protocol == "smb" AND network.direction IN ("outbound", "egress", "external")
| KEEP source.ip, destination.ip

Explanation: This query focuses on detecting outbound SMB traffic, which is often a red flag for potential data exfiltration. SMB (Server Message Block) is a protocol primarily used for file sharing, printer sharing, and other networked resource access within an organization’s internal network.

8. Detect abnormal application data transfer activity

FROM logs-*
| WHERE event.category == "file"
  AND process.name IN ("dropbox", "google-drive", "onedrive")
  AND event.action == "creation"
  AND file.size > 5000000
| KEEP user.name, process.name, event.action, file.size, source.ip, destination.ip, @timestamp

Explanation: This query monitors application logs for abnormal file uploads through popular file-sharing applications like Dropbox, Google Drive, and OneDrive. It flags large file uploads (over 5MB) that could indicate potential data exfiltration.

  • Correlating the process name (process.name) with the user (user.name) and upload size (file.size) provides deeper context, helping analysts differentiate between normal and suspicious activity.

The next challenge: Stay vigilant

The hunt for exfiltration pathways has come to an end, but what did you uncover? Were the whispers in your network a false alarm, or did you expose an adversary stealthily siphoning data through alternative protocols? By digging into DNS queries, scrutinizing ICMP payloads, and monitoring less-traveled protocols, you’ve shone a light on hidden streams that could carry sensitive information beyond your defenses.

If you found signs of T1048 - Exfiltration Over Alternative Protocol, you’ve taken critical steps to disrupt the adversary’s escape route and protect your organization’s most valuable assets. If not, your proactive approach has validated your defenses, ensuring your network is resilient against covert exfiltration attempts. Either way, your efforts have bolstered your security posture and sharpened your detection capabilities.

The challenge now is to remain vigilant. Adversaries are constantly refining their techniques, seeking new ways to bypass traditional monitoring. Remember, every DNS query, ICMP packet, or unusual protocol is a potential signal of malicious intent. The hunt may be over for today, but the lessons you’ve learned and the tools you’ve honed will serve you in future battles.

So, did you catch the adversary in the act, or can you confidently say your defenses held firm? Either way, your network is safer, and your skills as a hunter are sharper. Want to stay ahead of the latest threats? Learn how Elastic Security can help you detect, investigate, and respond to modern attacks with cutting-edge research and techniques. Visit Elastic Security Labs to explore expert insights, real-world threat analysis, and powerful defense strategies.

The logs don’t lie — let them guide your hunt.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.