Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002
(ATT&CK® Technique)
Definition
Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
D3FEND Inferred Relationships
The D3FEND knowledge graph infers the following relationships for this technique.
Artifacts associated with T1048.002:
T1048.002 may transfer: Certificate File
T1048.002 produces: Outbound Internet Encrypted Traffic
T1048.002 produces: Internet Network Traffic
Defensive techniques related through those artifacts:
Client-server Payload Profiling analyzes Outbound Internet Encrypted Traffic and Internet Network Traffic; may detect T1048.002.
Network Traffic Community Deviation analyzes Outbound Internet Encrypted Traffic and Internet Network Traffic; may detect T1048.002.
Per Host Download-Upload Ratio Analysis analyzes Outbound Internet Encrypted Traffic and Internet Network Traffic; may detect T1048.002.
Relay Pattern Analysis analyzes Outbound Internet Encrypted Traffic; may detect T1048.002.
Certificate Analysis analyzes Certificate File; may detect T1048.002.
Decoy File spoofs Certificate File; may deceive T1048.002.
Protocol Metadata Anomaly Detection analyzes Outbound Internet Encrypted Traffic and Internet Network Traffic; may detect T1048.002.
Remote Terminal Session Detection analyzes Outbound Internet Encrypted Traffic and Internet Network Traffic; may detect T1048.002.
Network Traffic Signature Analysis analyzes Outbound Internet Encrypted Traffic and Internet Network Traffic; may detect T1048.002.
User Geolocation Logon Pattern Analysis analyzes Outbound Internet Encrypted Traffic and Internet Network Traffic; may detect T1048.002.
File Eviction deletes Certificate File; may evict T1048.002.
File Integrity Monitoring analyzes Certificate File; may detect T1048.002.
File Encryption encrypts Certificate File; may harden against T1048.002.
Local File Permissions restricts Certificate File; may harden against T1048.002.
Network Traffic Filtering filters Outbound Internet Encrypted Traffic and Internet Network Traffic; may isolate T1048.002.
File Analysis analyzes Certificate File; may detect T1048.002.
Restore File restores Certificate File; may restore from T1048.002.
Outbound Traffic Filtering filters Outbound Internet Encrypted Traffic; may isolate T1048.002.