Data Exfiltration Techniques

The final step in many attacks involves extracting valuable data from the target environment. Exfiltration must move data out without triggering alerts, often the most visible phase of an operation if done carelessly.

Planning Exfiltration

Before exfiltrating, identify what data matters and where it resides. Not everything is worth extracting—focusing on specific valuable targets accomplishes objectives efficiently.

Data volume affects exfiltration approach. Megabytes move quickly through common channels. Gigabytes require more planning. Terabytes might require physical means or extended low-volume extraction over weeks.

Network controls shape available channels. Organizations might block known file sharing services, inspect SSL traffic, or closely monitor cloud service usage. Understanding controls reveals viable exfiltration paths.

Technical Channels

HTTP/HTTPS exfiltration leverages the most common permitted protocol. Uploading to attacker-controlled web servers, cloud storage, or compromised sites all work. HTTPS encryption prevents content inspection by intermediate security devices.

DNS tunneling encodes data within DNS queries, a protocol almost universally permitted. DNS queries for attacker-controlled domains carry encoded data in the subdomain portion. Responses can carry return data. This channel is slow but often unmonitored.

Cloud services provide convenient exfiltration channels, especially when the organization legitimately uses those services. Uploading to OneDrive, Google Drive, or Amazon S3 blend with normal cloud usage patterns.

Encrypted channels to legitimate services frustrate inspection. Attackers who exfiltrate through established cloud services over TLS give defenders little visibility into the data volume or content transmitted.

Avoiding Detection

DLP systems look for sensitive data patterns leaving the network. Encryption defeats content inspection. Splitting files across many transfers defeats pattern matching on complete documents.

Rate limiting keeps traffic volumes inconspicuous. Gradually exfiltrating data over days or weeks produces less noticeable traffic patterns than bulk transfers. Scheduling transfers during normal business hours when data naturally moves provides further cover.

Obscuring destinations helps avoid reputation-based blocking. Using legitimate cloud services, freshly registered domains, or compromised infrastructure all have their place.

For red team operations, demonstrating exfiltration capability might matter more than actually extracting data. Proving the ability to exfiltrate sensitive documents without actually removing data avoids unnecessary risk exposure for the organization.