MITRE ATT&CK® Detection Strategy

DET0512: Detection of Exfiltration Over Asymmetric Encrypted Non-C2 Protocol


Enterprise | DET0512 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0512 is a detection strategy for identifying data theft over encrypted, non-command-and-control network protocols, tied to ATT&CK technique T1048.002. Its business significance is that encryption can hide the contents of outbound data movement, so leaders should focus less on seeing the data itself and more on whether the organization can prove it monitors unusual encrypted egress from Windows, Linux, macOS, and ESXi environments.

Executive priority

Prioritize this as an exfiltration-readiness question: can the security program detect and investigate suspicious encrypted outbound transfers that are separate from known command-and-control activity? This matters for incident decision-making, audit evidence around data loss monitoring, and resilience planning because the official detection strategy has no supplied detection text; coverage must be validated locally through telemetry, egress controls, and SOC procedures.

Technical view

The related technique is Exfiltration Over Asymmetric Encrypted Non-C2 Protocol under the exfiltration tactic, with related platforms ESXi, Linux, macOS, and Windows. SOC and detection engineering teams should validate visibility into outbound encrypted network sessions, destination reputation/context, transfer volume, protocol use, host/process context where available, and deviations from normal egress patterns. Because ATT&CK does not provide official detection details for this object, detections should be treated as environment-specific hypotheses requiring tuning against legitimate encrypted business traffic.

Likely telemetry

  • Network flow records for outbound encrypted sessions
  • Firewall, proxy, secure web gateway, and egress filtering logs
  • DNS logs and destination metadata for external endpoints
  • Endpoint process-to-network connection telemetry on Windows, Linux, macOS, and ESXi where available
  • Data volume, session duration, and frequency metrics for outbound transfers

Detection direction

  • Baseline normal encrypted outbound traffic by asset type, user role, business application, destination, volume, and timing.
  • Look for unusual high-volume or recurring encrypted egress to destinations not associated with approved business services.
  • Correlate network indicators with endpoint process context where telemetry supports it, especially for servers or sensitive systems initiating unexpected external transfers.
  • Tune carefully for common false positives such as backups, software updates, cloud storage, remote administration, and legitimate file-transfer workflows.
  • Validate coverage across the related platforms listed for the technique: ESXi, Linux, macOS, and Windows.
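The baseline-and-deviation approach in the list above, as an added illustration that is not part of the Glexia page or of the ATT&CK DET0512 object. It runs over constructed flow records: the host names, destinations, "approved destination" list, encrypted-port set and thresholds are all assumptions chosen for the example, not values from the page. It shows the three checks together: a per-host daily volume baseline (mean plus z standard deviations of historical days), a volume rule for unapproved destinations, and a recurrence rule for repeated sessions to an unapproved destination. It also handles the edge case of a host with no history, which gets the destination rules but no baseline comparison, and it filters out cleartext sessions so the scope stays on encrypted egress.

```python
"""Baseline-and-deviation check for encrypted egress over constructed flow records.

Added example; not code from Glexia or MITRE. Ports, destinations, hosts and
thresholds below are assumptions, not values from the page.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

MB = 1_000_000


@dataclass(frozen=True)
class Flow:
    day: str        # calendar day of the session (constructed, e.g. "2026-01-15")
    src_host: str   # internal asset that initiated the session
    dst: str        # external destination (hostname or IP)
    dst_port: int
    bytes_out: int  # bytes sent from src_host to dst in this session


@dataclass(frozen=True)
class Finding:
    src_host: str
    dst: str        # "*" marks a host-level volume finding
    bytes_out: int
    reasons: tuple


# Assumption: ports this organisation treats as encrypted egress (TLS, SSH, IMAPS, alt-HTTPS).
ENCRYPTED_PORTS = {443, 22, 993, 8443}
# Assumption: destinations already vetted as business services (constructed names).
APPROVED_DESTINATIONS = {"backup.example-corp.test", "updates.example-vendor.test"}


def encrypted_only(flows):
    """Keep only sessions on ports treated as encrypted; cleartext is out of scope here."""
    return [f for f in flows if f.dst_port in ENCRYPTED_PORTS]


def daily_bytes_per_host(flows):
    """Map src_host -> list of per-day outbound byte totals over encrypted sessions."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in encrypted_only(flows):
        totals[f.src_host][f.day] += f.bytes_out
    return {host: list(days.values()) for host, days in totals.items()}


def build_baseline(history):
    """Per-host (mean, population stdev) of daily encrypted egress from historical flows."""
    return {host: (mean(v), pstdev(v)) for host, v in daily_bytes_per_host(history).items()}


def detect(today, baseline, approved=APPROVED_DESTINATIONS, z=3.0,
           min_unapproved_bytes=500 * MB, min_sessions=5):
    """Apply the volume baseline and the two unapproved-destination rules to one day of flows."""
    findings = []
    per_host = defaultdict(int)
    per_dst_bytes = defaultdict(int)
    per_dst_sessions = defaultdict(int)
    for f in encrypted_only(today):
        per_host[f.src_host] += f.bytes_out
        per_dst_bytes[(f.src_host, f.dst)] += f.bytes_out
        per_dst_sessions[(f.src_host, f.dst)] += 1

    # Rule 1: the host's daily total deviates from its own history (hosts with no history are skipped).
    for host, total in per_host.items():
        if host not in baseline:
            continue
        mu, sd = baseline[host]
        # Assumption: a zero-variance baseline falls back to a 50 % over-mean threshold.
        threshold = mu + z * sd if sd > 0 else mu * 1.5
        if total > threshold:
            findings.append(Finding(host, "*", total, ("daily volume above baseline",)))

    # Rules 2 and 3: high volume or recurring sessions to a destination that is not approved.
    for (host, dst), nbytes in per_dst_bytes.items():
        if dst in approved:
            continue
        reasons = []
        if nbytes >= min_unapproved_bytes:
            reasons.append("high volume to unapproved destination")
        if per_dst_sessions[(host, dst)] >= min_sessions:
            reasons.append("recurring sessions to unapproved destination")
        if reasons:
            findings.append(Finding(host, dst, nbytes, tuple(reasons)))
    return findings


def _flow(host, dst, port, day, mb):
    return Flow(f"2026-01-{day:02d}", host, dst, port, mb * MB)


# Constructed history: seven quiet days for two hosts, all to approved services.
HISTORY = (
    [_flow("fileserver-01", "backup.example-corp.test", 443, d, mb)
     for d, mb in zip(range(1, 8), (1000, 1100, 900, 1000, 1050, 950, 1000))]
    + [_flow("workstation-07", "updates.example-vendor.test", 443, d, mb)
       for d, mb in zip(range(1, 8), (50, 60, 40, 50, 55, 45, 50))]
)

# Constructed "today": normal backup traffic plus eight 100 MB TLS sessions to an unvetted IP,
# a new host with no history making six small SSH sessions, and one cleartext session (ignored).
TODAY = (
    [_flow("fileserver-01", "backup.example-corp.test", 443, 15, 1000)]
    + [_flow("fileserver-01", "203.0.113.55", 443, 15, 100) for _ in range(8)]
    + [_flow("workstation-07", "updates.example-vendor.test", 443, 15, 55)]
    + [_flow("jump-01", "198.51.100.20", 22, 15, 10) for _ in range(6)]
    + [_flow("workstation-07", "203.0.113.55", 80, 15, 900)]
)


def run_example():
    return detect(TODAY, build_baseline(HISTORY))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

With the constructed data, fileserver-01 is reported twice (its daily total is far above its baseline, and the unvetted IP receives both high volume and eight sessions), jump-01 is reported only for recurrence because it has no baseline to compare against, and workstation-07 is not reported at all: its approved traffic sits within baseline and its large transfer is cleartext, which this check deliberately leaves to a separate control. The thresholds (z = 3, 500 MB, 5 sessions) are the tuning knobs the list's "tune carefully" item refers to.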

Mitigation priorities

  • Establish or review egress control policy for systems handling sensitive data, including which encrypted protocols and destinations are allowed.
  • Improve logging retention and correlation across network, DNS, proxy/firewall, and endpoint telemetry before relying on analytics.
  • Use asset criticality and data sensitivity to prioritize monitoring for servers, virtualization infrastructure, and endpoints most likely to contain regulated or business-critical data.
  • Create incident response playbooks for suspected encrypted exfiltration that include containment, destination analysis, host triage, and data exposure scoping.
  • Maintain audit-ready evidence showing how outbound encrypted data movement is monitored and investigated, and how exceptions are approved.

Analyst notes and limits

The ATT&CK object is a detection strategy, DET0512, and the supplied fields do not include an official description or official detection logic. The strongest usable context comes from its relationship to T1048.002, which describes exfiltration over an asymmetrically encrypted network protocol other than the existing C2 channel.

This take does not assert active exploitation, adversary attribution, guaranteed coverage, or specific tools. Platforms are derived from the related technique, not the detection strategy object itself. Local architecture, allowed egress paths, telemetry quality, and business-approved encrypted transfer mechanisms are required to determine practical detection coverage.

Official MITRE ATT&CK definition

Detection of Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name                                                    Relationship / procedure
Enterprise  T1048.002  Exfiltration Over Asymmetric Encrypted Non-C2 Protocol  Sub-technique. This object detects Exfiltration Over Asymmetric Encrypted Non-C2 Protocol.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not populated in this snapshot)
Modified: (not populated in this snapshot)
Raw hash: 8b489d6557bfdeaa...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  8b489d6557bf…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0512
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.