MITRE ATT&CK® Detection Strategy

DET0149: Detection of Exfiltration Over Unencrypted Non-C2 Protocol


Domain: Enterprise. ID: DET0149. Type: Detection Strategy. Object version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0149 is a detection strategy for spotting data theft that uses ordinary unencrypted protocols outside the attacker’s main command-and-control channel. The business issue is not just “network traffic”: if sensitive data leaves through common services such as HTTP, FTP, or DNS-like patterns, the activity may blend into routine operations unless the organization has usable network visibility and clear baselines.

Executive priority

Treat this as a validation point for exfiltration readiness. Leaders should ask whether the SOC can prove it monitors unencrypted outbound data movement from relevant enterprise environments, including Linux, macOS, ESXi, and network devices where applicable to the related ATT&CK technique. This matters for incident decision-making, audit evidence, and resilience because delayed confirmation of data loss can expand legal, regulatory, and customer notification uncertainty.

Technical view

The supplied ATT&CK object has no official description or detection text, so teams should anchor validation to the related technique T1048.003: exfiltration over unencrypted non-C2 protocols. SOC and detection engineering should review outbound network monitoring for unusual volume, destination, timing, protocol use, and encoded or compressed content sent over natively unencrypted protocols. IR teams should ensure playbooks can distinguish legitimate administrative or business transfers from suspicious alternate-channel exfiltration.

Likely telemetry

  • Outbound network flow records and session metadata
  • Proxy, web gateway, FTP, DNS, and other unencrypted protocol logs where collected
  • Firewall and network device logs showing destination, port, protocol, bytes sent, and timing
  • Packet capture or content inspection metadata where legally and operationally permitted
  • Host-to-network correlation for Linux, macOS, ESXi, and network devices when those platforms are in scope

Detection direction

  • Validate that detections are not limited to known command-and-control channels; the related technique specifically concerns alternate non-C2 exfiltration paths.
  • Baseline normal outbound transfer volume and destinations by asset role to reduce false positives from backups, software distribution, telemetry, and approved file movement.
  • Look for abnormal use of unencrypted protocols, unusual external destinations, large or repeated outbound transfers, and encoded or compressed content patterns when visibility supports it.
  • Confirm coverage for network devices and infrastructure platforms where local endpoint telemetry may be limited.
  • Document blind spots where encryption, missing egress logs, NAT aggregation, or lack of asset ownership context prevents confident triage.
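As an added illustration of the baseline-and-deviation approach described above (example code written for this page, not part of the MITRE object or of Glexia's tooling), the Python below flags outbound cleartext transfers to external destinations that exceed a per-role volume baseline, repeat suspiciously, or originate from an asset role with no baseline at all. The flow records, role history, approved destination, and the choice of cleartext ports are constructed sample data and assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network
from statistics import median

# Ports whose protocols are natively cleartext: the channel class T1048.003 covers (assumed set).
UNENCRYPTED_PORTS = {21: "ftp", 25: "smtp", 53: "dns", 80: "http"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed per-role history of outbound bytes per session (the baseline input).
ROLE_HISTORY = {
    "workstation": [40_000, 55_000, 60_000, 52_000, 48_000],
    "backup-server": [4_000_000_000, 3_800_000_000, 4_200_000_000],
}
APPROVED_EXTERNAL = {"198.51.100.5"}  # constructed: sanctioned off-site backup target

# Constructed flow records (documentation IP ranges): (src, role, dst, dst_port, bytes_out).
FLOWS = [
    ("10.1.5.20", "workstation", "10.1.9.4", 80, 45_000),              # internal: ignored
    ("10.1.5.20", "workstation", "203.0.113.10", 21, 900_000_000),     # huge FTP upload
    ("10.1.7.9", "backup-server", "198.51.100.5", 21, 4_100_000_000),  # approved destination
    ("10.1.5.21", "workstation", "203.0.113.10", 443, 2_000_000_000),  # encrypted: out of scope
    ("10.1.8.3", "esxi-host", "203.0.113.77", 80, 10_000),             # role with no baseline
] + [("10.1.5.22", "workstation", "203.0.113.20", 80, 30_000)] * 6    # many small HTTP posts


def is_external(ip: str) -> bool:
    """External means outside the RFC 1918 ranges this constructed estate uses."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(flows, history=ROLE_HISTORY, approved=APPROVED_EXTERNAL,
           volume_factor=5, repeat_limit=5):
    """Return (src, dst, proto, reason) alerts for cleartext outbound transfers."""
    baseline = {role: median(v) for role, v in history.items()}
    alerts, repeats = [], Counter()
    for src, role, dst, port, nbytes in flows:
        if port not in UNENCRYPTED_PORTS or not is_external(dst) or dst in approved:
            continue
        proto, base = UNENCRYPTED_PORTS[port], baseline.get(role)
        if base is None:  # blind spot: no asset-role context, so surface it for triage
            alerts.append((src, dst, proto, f"no baseline for role {role}"))
        elif nbytes > volume_factor * base:
            alerts.append((src, dst, proto, f"{nbytes} bytes > {volume_factor}x role median"))
        repeats[(src, dst, proto)] += 1
        if repeats[(src, dst, proto)] == repeat_limit:  # fire once per (src, dst, proto)
            alerts.append((src, dst, proto, f"{repeat_limit} repeated transfers"))
    return alerts
```

The approved-destination and per-role baseline inputs are exactly the asset and data-flow context the mitigation list says the SOC must maintain; without them the detector can only raise "no baseline" alerts.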

Mitigation priorities

  • Prioritize egress visibility and retention for unencrypted outbound protocols before relying on alert logic.
  • Restrict or govern outbound protocols and destinations based on business need, especially from servers and infrastructure devices.
  • Maintain asset and data-flow inventories so SOC teams can identify unauthorized transfer paths quickly.
  • Use approved secure transfer mechanisms and monitor for deviations to unencrypted alternatives.
  • Test incident response procedures for suspected data exfiltration, including evidence preservation and business/legal escalation thresholds.

Analyst notes and limits

This take is based on the DET0149 detection-strategy object and its relationship to ATT&CK technique T1048.003. The detection strategy itself does not provide official detection logic, platforms, or tactics, so practical guidance is derived conservatively from the related technique’s exfiltration context and listed platforms.

No official DET0149 description or detection content was supplied. Local protocol use, logging architecture, data classifications, and allowed egress paths are required to determine actual coverage, alert thresholds, and false-positive handling.

Official MITRE ATT&CK definition

Detection of Exfiltration Over Unencrypted Non-C2 Protocol

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name                                                          Relationship / procedure
Enterprise  T1048.003  Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique)  This object detects Exfiltration Over Unencrypted Non-C2 Protocol.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a780da1b18da7f7b...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  a780da1b18da…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0149 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.