T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol

Technique

T1048.003

Tactics

Exfiltration

MISP citations

0

KEV CVEs mapped

1

Community rules

9

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1048/003

MITRE description

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco) Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2021-34473

Detection coverage

SigmaHQ community rules

• Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet (threat-hunting)
• Data Exfiltration with Wget (core)
• Python WebServer Execution - Linux (core)
• Suspicious DNS Query with B64 Encoded String (core)
• WebDav Put Request (core)
• Suspicious Outbound SMTP Connections (core)
• PowerShell ICMP Exfiltration (core)
• WebDav Client Execution Via Rundll32.EXE (core)
• Suspicious WebDav Client Execution Via Rundll32.EXE (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.