Exfiltration Over Alternative Protocol
What: Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol is a technique in which an attacker moves data out of a compromised system over a communication protocol other than the one typically used for internet traffic (HTTP, HTTPS). The technique is catalogued in the MITRE ATT&CK framework under the "Exfiltration" tactic. The idea is to use less common or unexpected protocols such as FTP, SMTP, ICMP, or even DNS to transmit data out of the target network without drawing attention.
How: Mechanisms and Implementations
- FTP/SFTP/SCP: These file transfer protocols can be used by an attacker to send files from the compromised host to an external server under their control. Tools like `scp` or `sftp` are present on most Linux systems and can be scripted or run from the command line.
- SMTP: By composing emails with sensitive data as attachments or embedded in the message body, attackers can use SMTP to send that information directly from the compromised machine to an external email address.
- ICMP (Internet Control Message Protocol): Although intended for diagnostic and control purposes, ICMP can be repurposed for covert data exfiltration by embedding data in the payload of ICMP echo request (ping) packets.
- DNS Queries: Data can be encoded into DNS query names and sent to a DNS server controlled by the attacker. Since DNS is allowed through most firewalls and is essential for network operations, it is less likely to be blocked or closely monitored.
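As an added example (not part of the original page), the following Python script applies two defender-side heuristics to a constructed DNS query log to surface the DNS variant described above: a leftmost label that is unusually long and high-entropy (the signature of encoded data), and several such labels under one registrable domain. The log format (`client qname qtype`), the subdomain strings and the `exfil-test.invalid` domain are all made up for this example; the two-label registrable-domain rule is a deliberate simplification.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log: one query per line, "client qname qtype".
# The encoded-looking labels and the .invalid domain are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 mfrggzdfmztwq2lknnwg23tp.exfil-test.invalid TXT
10.0.0.7 ovsxg5dvonuxizlsgezdg3lq.exfil-test.invalid TXT
10.0.0.5 cdn.example.com A
10.0.0.7 nfxgc3lfonygk3tbmvsq2ltt.exfil-test.invalid TXT
not a valid line
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_line(line):
    """Return (client, qname, qtype), or None for a line that does not fit the format."""
    fields = line.split()
    if len(fields) != 3:
        return None
    return fields[0], fields[1].rstrip(".").lower(), fields[2]


def registrable_domain(qname):
    """Simplification (assumption): treat the last two labels as the registrable domain."""
    return ".".join(qname.split(".")[-2:])


def find_suspicious(log_text, min_len=16, min_entropy=3.0, min_unique=3):
    """Map registrable domain -> sorted qnames whose leftmost label is both long and
    high-entropy, keeping only domains that collect at least min_unique such names.
    Ordinary hostnames (www, mail, cdn) fail the length test and are ignored."""
    by_domain = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        _client, qname, _qtype = rec
        label = qname.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            by_domain[registrable_domain(qname)].add(qname)
    return {d: sorted(q) for d, q in by_domain.items() if len(q) >= min_unique}
```

In production the thresholds would be tuned against a baseline of the organisation's own resolver logs, since CDNs and some cloud services legitimately use long generated labels.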
Where: Application Contexts and Network Environments
- Corporate Networks: In environments where strict firewall rules block typical web traffic (HTTP/HTTPS), attackers might resort to alternative protocols that are allowed through the firewall.
- High-Security Environments: In sectors like finance or government where data leakage prevention systems scrutinize HTTP/S traffic more closely, alternative protocols may provide a less monitored channel.
- Home Networks: Less sophisticated but still effective in environments with minimal security monitoring, or where default configurations allow outbound traffic over many protocols.
Why: Strategic Advantages
- Evasion of Security Measures: Many network security tools concentrate on inspecting HTTP/HTTPS traffic, since these protocols carry most web browsing and internet communication. Alternative protocols may not be inspected as deeply, allowing malicious activity to go unnoticed.
- Utilization of Permitted Channels: In tightly controlled networks, certain protocols may still have to be allowed for operational reasons (e.g., ICMP for network diagnostics). Attackers exploit these "necessary" channels to bypass security controls.
- Stealthiness: Using non-standard protocols helps maintain stealth, because the activity can blend in with normal network noise if it is not closely monitored or well understood by security personnel.
By leveraging these alternative communication channels, attackers can obscure their actions and improve their chances of remaining undetected, both while maintaining a foothold in the network and while moving data out of it.