MITRE ATT&CK® Detection Strategy

DET0503: Behavioral Detection Strategy for Exfiltration Over Symmetric Encrypted Non-C2 Protocol


Enterprise | DET0503 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0503 matters because it points defenders toward behavioral detection for data theft that uses encrypted, non-C2 network protocols. For leaders, the key issue is not whether encryption exists—it usually does—but whether the organization can distinguish normal encrypted egress from unusual outbound movement of sensitive data.

Executive priority

Prioritize this as an exfiltration readiness question: can the SOC, network team, and incident responders prove they can see and investigate suspicious encrypted outbound transfers from Linux, macOS, Windows, and ESXi environments associated with T1048.001? This supports business continuity, breach response decisions, audit evidence for monitoring controls, and prioritization of egress governance around sensitive systems.

Technical view

The ATT&CK object has no official detection text or platforms of its own, but it detects T1048.001, an enterprise exfiltration technique involving symmetrically encrypted non-C2 protocols. SOC and detection teams should validate behavioral analytics around encrypted outbound traffic, alternate destinations, unusual volume or timing, abnormal source hosts, and deviations from expected application or service behavior. IR teams should ensure investigations can connect network observations back to host identity, user context, asset criticality, and data sensitivity.

Likely telemetry

  • Network flow records for outbound connections
  • Firewall, proxy, secure web gateway, or egress filtering logs
  • DNS resolution logs where applicable to destination analysis
  • Endpoint network connection telemetry from Linux, macOS, Windows, and ESXi where available
  • Asset inventory and business criticality context for systems initiating outbound transfers

Detection direction

  • Validate visibility into encrypted outbound traffic even when payload inspection is unavailable.
  • Baseline normal egress destinations, protocols, volumes, timing, and source systems; tune for deviations rather than encryption alone.
  • Correlate network behavior with endpoint process, user, and asset context to reduce false positives from legitimate backup, replication, update, or administrative transfer activity.
  • Pay special attention to alternate network locations and outbound transfers from systems that do not normally initiate large encrypted sessions.
  • Confirm coverage assumptions for Linux, macOS, Windows, and ESXi assets because the related technique lists those platforms, while this detection-strategy object itself does not specify platforms.
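The baseline-and-deviation approach described in the points above, as an added worked example (it is not code from MITRE, Glexia, or the ATT&CK object). It assumes flow records reduced to a source host, destination IP, destination port, byte count and timestamp; the port list, the asset inventory and every flow record are constructed for the demonstration. A host's history of encrypted egress is summarized per destination, per-day volume and active hour, and a candidate flow is flagged only when it departs from that history, then weighted by asset criticality so that encryption on its own never raises an alert.

```python
"""Flag encrypted outbound flows that deviate from a per-host egress baseline."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_host: str
    dst_ip: str
    dst_port: int
    bytes_out: int


# Assumed: destination ports whose sessions are symmetrically encrypted but are
# not C2 channels (SSH, HTTPS, FTPS, IMAPS). Replace with the locally relevant set.
ENCRYPTED_PORTS = {22, 443, 990, 993}

# Constructed asset context; a real deployment would pull this from the CMDB.
ASSET_CONTEXT = {
    "backup01": {"role": "backup", "criticality": "high"},
    "ws-042": {"role": "workstation", "criticality": "medium"},
    "db01": {"role": "database", "criticality": "high"},
}


def _constructed_baseline():
    """Fourteen days of normal egress: a nightly backup and daytime workstation traffic."""
    flows = []
    day0 = datetime(2026, 1, 1)
    for d in range(14):
        night = day0 + timedelta(days=d, hours=1)
        flows.append(Flow(night, "backup01", "203.0.113.10", 443, 2_500_000_000 + d * 10_000_000))
        for h in (9, 11, 14, 16):
            flows.append(Flow(day0 + timedelta(days=d, hours=h), "ws-042", "198.51.100.5", 443, 4_000_000))
    return flows


BASELINE_FLOWS = _constructed_baseline()

# Constructed candidate flows for the current day (all documentation-range addresses).
CANDIDATE_FLOWS = [
    Flow(datetime(2026, 1, 15, 1), "backup01", "203.0.113.10", 443, 2_600_000_000),  # usual nightly backup
    Flow(datetime(2026, 1, 15, 11), "ws-042", "198.51.100.5", 443, 5_000_000),       # usual workstation traffic
    Flow(datetime(2026, 1, 15, 2), "ws-042", "192.0.2.77", 443, 900_000_000),         # new destination, off-hours, large
    Flow(datetime(2026, 1, 15, 3), "db01", "192.0.2.77", 22, 4_000_000_000),          # host with no encrypted egress history
]


def build_baseline(flows):
    """Per source host: known destinations, per-day byte totals and hours seen active."""
    base = defaultdict(lambda: {"dsts": set(), "daily": defaultdict(int), "hours": set()})
    for f in flows:
        if f.dst_port not in ENCRYPTED_PORTS:
            continue
        b = base[f.src_host]
        b["dsts"].add((f.dst_ip, f.dst_port))
        b["daily"][f.ts.date()] += f.bytes_out
        b["hours"].add(f.ts.hour)
    return base


def score_flow(flow, baseline, assets=ASSET_CONTEXT):
    """Return (reasons, priority); empty reasons means the flow fits the host's baseline."""
    if flow.dst_port not in ENCRYPTED_PORTS:
        return [], 0
    reasons = []
    b = baseline.get(flow.src_host)
    if b is None:
        # A host that never initiates encrypted egress makes any destination new.
        reasons += ["no_encrypted_egress_baseline", "new_destination"]
    else:
        if (flow.dst_ip, flow.dst_port) not in b["dsts"]:
            reasons.append("new_destination")
        daily = list(b["daily"].values())
        if flow.bytes_out > mean(daily) + 3 * pstdev(daily):
            reasons.append("volume_above_baseline")
        if flow.ts.hour not in b["hours"]:
            reasons.append("off_hours")
    crit = assets.get(flow.src_host, {}).get("criticality", "unknown")
    weight = {"high": 3, "medium": 2, "low": 1}.get(crit, 2)
    return reasons, len(reasons) * weight


def triage(flows, baseline):
    """Deviating flows with host and asset context, highest priority first."""
    hits = []
    for f in flows:
        reasons, prio = score_flow(f, baseline)
        if reasons:
            hits.append({"host": f.src_host, "dst": f"{f.dst_ip}:{f.dst_port}",
                         "bytes": f.bytes_out, "reasons": reasons, "priority": prio})
    return sorted(hits, key=lambda h: h["priority"], reverse=True)


if __name__ == "__main__":
    for hit in triage(CANDIDATE_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(hit)
```

Run as written, the two routine flows produce no reasons, the workstation's large off-hours transfer to an unseen destination is flagged on three counts, and the database host is flagged because it has no encrypted-egress history at all; the final priority folds in asset criticality so IR can order its queue by business impact rather than by byte count alone. The volume test uses a mean-plus-three-standard-deviations threshold over per-day totals, which is deliberately simple; hosts with strongly periodic transfers (weekly full backups, for example) need a per-weekday or per-window baseline instead.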

Mitigation priorities

  • Establish or review egress control policy for sensitive systems and restrict unnecessary outbound protocols and destinations.
  • Maintain asset, ownership, and data-sensitivity inventories so suspicious outbound transfers can be prioritized quickly.
  • Ensure centralized retention of network, DNS, proxy/firewall, and endpoint connection telemetry sufficient for incident response.
  • Use segmentation and controlled transfer paths for high-value systems to reduce unsanctioned exfiltration routes.
  • Create response playbooks for suspected encrypted exfiltration, including containment decision points, evidence preservation, and business-owner escalation.

Analyst notes and limits

This take is based on the detection strategy name, its MITRE external reference DET0503, and the relationship showing it detects T1048.001: Exfiltration Over Symmetric Encrypted Non-C2 Protocol. Because the official detection-strategy object provides no description or detection logic, local baselines and telemetry validation are essential before claiming coverage.

No official description, detection text, tactics, or platforms are supplied for DET0503 itself. Platform and tactic context comes only from the related T1048.001 technique. This summary does not assert active exploitation, attribution, customer exposure, or guaranteed detectability.

Official MITRE ATT&CK definition

Behavioral Detection Strategy for Exfiltration Over Symmetric Encrypted Non-C2 Protocol

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1048.001
Name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol (sub-technique)
Relationship / procedure: This object detects Exfiltration Over Symmetric Encrypted Non-C2 Protocol.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e3e9e460ea9e65aa...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: e3e9e460ea9e…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0503

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.