# Data Exfiltration: Explained
Data exfiltration is the phase where attackers move collected data out of the victim environment. It's the transition from passive access to active theft, and often the phase most scrutinized by blue teams, auditors, and incident responders.
This stage follows reconnaissance, privilege escalation, and data collection, and often precedes attacker withdrawal or persistence resets.
## Why Exfiltration Matters
Exfiltration is the payoff. Whether the goal is espionage, extortion, or blackmail, exfiltrated data enables adversaries to:
- Sell or leak sensitive data.
- Leverage information for political or financial gain.
- Abuse credentials and secrets in later campaigns.
- Destroy trust and reputations.
Often, attackers stage data in a local archive (e.g., .zip, .rar, .7z) and then extract it from the system in ways designed to avoid detection or trigger minimal alerts.
## Exfiltration Paths (aka "Channels")
| Channel | Description | MITRE ID |
|---|---|---|
| HTTP/HTTPS | Upload via web traffic or reverse proxy (e.g., C2 server) | T1041 |
| Email | Send stolen files as attachments or body payloads | T1048.003 |
| Cloud Services | Google Drive, Dropbox, OneDrive, MEGA, etc. | T1567.002 |
| DNS Tunneling | Encode data in DNS queries | T1048.002 |
| SMB/WebDAV Shares | Push to mounted network shares or WebDAV endpoints | T1020 |
| External Drive | Manual copy to USB or mapped removable drives | T1052 |
| C2 Protocols | Exfil via beacon channels (e.g., Cobalt Strike, Covenant) | T1041, T1095 |
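The DNS tunneling row is the channel most defenders can catch from logs they already have, because encoded data shows up as many distinct, long, high-entropy subdomains under one parent domain. The following detector is an added example (not code from the original page): it runs over a constructed query log of `(source_ip, queried_name)` pairs, uses a naive "last two labels" parent-domain split (a real deployment would use a public-suffix list), and the thresholds are illustrative rather than tuned.

```python
"""Heuristic DNS-tunnelling detector over a constructed query log.

Added example, not from the original page. Assumes a log that yields
(source_ip, queried_name) pairs; thresholds are illustrative, not tuned.
"""
import hashlib
import math
from collections import defaultdict

# Constructed sample data: one host doing ordinary lookups and one host
# sending hex-encoded blobs as subdomains of a single parent domain.
NORMAL_QUERIES = [("10.0.0.5", n) for n in
                  ("www.example.com", "mail.example.com", "cdn.example.com",
                   "www.example.com", "api.example.com")]
TUNNEL_QUERIES = [
    ("10.0.0.9", hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:40]
                 + ".t.exfil-demo.invalid")
    for i in range(40)
]
SAMPLE_QUERIES = NORMAL_QUERIES + TUNNEL_QUERIES


def shannon_entropy(text: str) -> float:
    """Bits per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str):
    """Split a name into (subdomain, parent) using the last two labels as
    the parent. Assumption: this naive split stands in for a public-suffix
    list, which a real deployment should use instead."""
    labels = name.rstrip(".").lower().split(".")
    parent = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return sub, parent


def summarise(queries):
    """Per (source, parent) statistics consumed by the detector."""
    stats = {}
    for src, name in queries:
        sub, parent = split_name(name)
        s = stats.setdefault((src, parent), {"count": 0, "subs": set(),
                                             "len_sum": 0, "ent_sum": 0.0})
        s["count"] += 1
        s["subs"].add(sub)
        s["len_sum"] += len(sub)
        s["ent_sum"] += shannon_entropy(sub.replace(".", ""))
    return stats


def flag_tunnels(queries, min_unique=20, min_mean_len=30, min_mean_entropy=3.0):
    """Return (source, parent) pairs whose subdomain traffic looks like an
    encoded data channel: many distinct, long, high-entropy subdomains."""
    flagged = []
    for key, s in summarise(queries).items():
        mean_len = s["len_sum"] / s["count"]
        mean_ent = s["ent_sum"] / s["count"]
        if (len(s["subs"]) >= min_unique and mean_len >= min_mean_len
                and mean_ent >= min_mean_entropy):
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for src, parent in flag_tunnels(SAMPLE_QUERIES):
        print(f"possible DNS tunnel: {src} -> *.{parent}")
```

All three conditions have to hold together: CDN and anti-virus update domains also produce many unique subdomains, but their labels are short or low-entropy, while a single long hash-like label (a tracking pixel, say) is unique but not repeated dozens of times from one host. Tune the thresholds against a week of your own resolver logs before alerting on them.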
## Common Techniques
| Technique | Notes |
|---|---|
| Use of Encrypted Channels | HTTPS or DNS over HTTPS to bypass inspection |
| Staging Archives | Compress data to reduce size and evade filters |
| File Masquerading | Rename .rar or .7z to .jpg, .docx |
| Steganography | Embed files in images or audio |
| Chunked Exfiltration | Send partial data in chunks to avoid DLP detection |
| Timing Evasion | Exfil during off-hours or spread over long intervals |
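Staging archives and file masquerading (the `.rar`/`.7z` renamed to `.jpg` or `.docx` row above, and the local archive staging described earlier on this page) are both caught by the same check: a file's leading magic bytes identify the real container regardless of its extension. The scanner below is an added example, not code from the original page; it works on in-memory byte strings constructed here (a real scanner would read the first bytes of each file on disk), and the `ARCHIVE_SIGNATURES` and extension mapping are the author's assumptions about which container belongs under which extension.

```python
"""Detect archives masquerading under harmless extensions by file signature.

Added example, not from the original page. Operates on constructed in-memory
headers; a real scanner would read the first bytes of each file on disk.
"""
import os

# Leading magic bytes of the archive formats the page names as staging
# containers (ZIP, RAR 4.x, RAR 5.x, 7-Zip).
ARCHIVE_SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"7z\xbc\xaf\x27\x1c": "7z",
}

# Assumption: which container is legitimately expected under each extension.
# OOXML documents and JARs really are ZIP files, so a ZIP signature under
# .docx is normal and must not be flagged.
EXPECTED_KINDS = {
    ".zip": {"zip"}, ".jar": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"},
    ".pptx": {"zip"}, ".rar": {"rar4", "rar5"}, ".7z": {"7z"},
}


def identify_archive(header: bytes):
    """Return the archive kind whose signature starts `header`, else None."""
    for magic, kind in ARCHIVE_SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def check_file(name: str, header: bytes):
    """Return a finding string when `header` is an archive whose kind does
    not belong under the file's extension, otherwise None."""
    kind = identify_archive(header)
    if kind is None:
        return None
    _, ext = os.path.splitext(name)
    if kind in EXPECTED_KINDS.get(ext.lower(), set()):
        return None
    return f"{name}: content is a {kind} archive but extension is {ext or '(none)'}"


def scan(files):
    """Run check_file over a {name: header_bytes} mapping; return findings."""
    return [f for f in (check_file(n, h) for n, h in files.items()) if f]


# Constructed sample headers (padded to 32 bytes), not real files.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 28,            # real JPEG
    "report.docx": b"PK\x03\x04" + b"\x00" * 28,                  # OOXML is ZIP: fine
    "vacation.jpg": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 24,       # RAR5 renamed .jpg
    "notes.docx": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26,           # 7z renamed .docx
    "backup.zip": b"PK\x03\x04" + b"\x00" * 28,                   # genuine ZIP
}


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
```

The caveat is the `.docx` case: a ZIP staging archive renamed to `.docx` is indistinguishable from a Word document by signature alone, so for those extensions the check has to go one level deeper (does the ZIP contain the expected `[Content_Types].xml` and `word/` entries?) or rely on DLP inspection of the members rather than the container.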
## OPSEC Considerations
| Vector | Why It Matters |
|---|---|
| DLP Systems | Trigger on sensitive data signatures or extensions |
| Traffic Anomalies | Sudden upload spikes raise red flags |
| Protocol Misuse | DNS overuse or ICMP with payloads is suspicious |
| EDR/AV Correlation | May detect archive creation and transfer behaviors |
| Proxy Logging | Reveals URLs, destinations, file sizes |
## Tools Used in the Wild
| Tool / Technique | Function |
|---|---|
| Rclone | Sync data to cloud endpoints |
| Exfiltrator-TS | Exfiltrate over multiple protocols |
| PowerShell + Invoke-WebRequest | Upload to attacker-controlled hosts |
| curl / wget | Push archives to HTTP servers |
| Custom malware | Embeds data exfil in beacon callbacks |
## Real-World Examples
| Incident | Exfil Method |
|---|---|
| SolarWinds / UNC2452 | Encrypted HTTP POST traffic to C2 |
| Lazarus Group (Sony Breach) | Manual ZIP + transfer via SMB |
| Conti Playbook | Rclone sync to MEGA.nz |
| APT28 (Fancy Bear) | DNS tunneling via custom implant |
## Defensive Strategies
| Control | Countermeasure |
|---|---|
| Egress Filtering | Block unnecessary outbound protocols |
| DLP Systems | Detect keywords, extensions, patterns |
| Network Anomaly Detection | Alert on spikes in outbound traffic |
| Zero Trust Access | Restrict upload permissions per context |
| File Access Monitoring | Detect ZIP creation or mass reads |
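The "alert on spikes in outbound traffic" control, and the proxy-logging and traffic-anomaly points in the OPSEC table above, come down to one question per host: how much did it upload this hour compared with what it normally uploads? The script below is an added example, not code from the original page. It assumes a constructed, simplified proxy log format (`epoch src method host bytes_sent`, one request per line); map your proxy's real fields onto `parse_line()` before reusing the logic, and treat the `factor` and `min_bytes` defaults as starting points.

```python
"""Flag outbound-volume spikes per source host in a constructed proxy log.

Added example, not from the original page. Assumes a simplified log line
format: `epoch src method host bytes_sent`.
"""
from collections import defaultdict
from statistics import median

WINDOW = 3600  # seconds per bucket (one hour)


def parse_line(line: str):
    """Parse one constructed log line into typed fields."""
    ts, src, method, host, sent = line.split()
    return int(ts), src, method, host, int(sent)


def bucket_uploads(lines):
    """Return {src: {window_start: bytes_sent}} counting only request
    methods that carry a body out of the network."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, method, host, sent = parse_line(line)
        if method in ("POST", "PUT"):
            totals[src][ts - ts % WINDOW] += sent
    return totals


def spikes(lines, factor=10, min_bytes=50_000_000):
    """Return (src, window_start, bytes, baseline) for each window whose
    upload volume is at least `min_bytes` AND more than `factor` times the
    median of that host's other windows. A host with no history has a
    baseline of 0, so a single large upload from a new host still alerts."""
    alerts = []
    for src, windows in bucket_uploads(lines).items():
        for w, b in sorted(windows.items()):
            others = [v for k, v in windows.items() if k != w]
            baseline = median(others) if others else 0
            if b >= min_bytes and b > factor * baseline:
                alerts.append((src, w, b, baseline))
    return alerts


# Constructed sample log: hour-aligned epoch, five hours of routine CRM
# posts from two hosts, then one host pushing ~800 MB to a storage site.
BASE = 1_699_999_200  # divisible by 3600, so buckets line up on the hour
SAMPLE_LOG = []
for h in range(5):
    SAMPLE_LOG.append(f"{BASE + h * 3600 + 120} 10.0.0.5 POST crm.example.internal 900000")
    SAMPLE_LOG.append(f"{BASE + h * 3600 + 600} 10.0.0.5 GET www.example.com 0")
    SAMPLE_LOG.append(f"{BASE + h * 3600 + 300} 10.0.0.7 POST crm.example.internal 400000")
SAMPLE_LOG.append(f"{BASE + 5 * 3600 + 50} 10.0.0.5 PUT storage.exfil-demo.invalid 800000000")
SAMPLE_LOG.append(f"{BASE + 5 * 3600 + 90} 10.0.0.7 POST crm.example.internal 450000")


if __name__ == "__main__":
    for src, w, b, baseline in spikes(SAMPLE_LOG):
        print(f"{src}: {b} bytes out in window {w} (baseline {baseline})")
```

Requiring both an absolute floor and a ratio against the host's own median keeps the noise down: the floor suppresses a developer pushing a 2 MB commit to a host that normally pushes 100 KB, and the per-host median means a build server that uploads gigabytes every hour does not alert on its normal day. The chunked and timing-evasion techniques from the earlier table are aimed at exactly this kind of check, so widen `WINDOW` to a day (or keep a rolling sum) when you want to catch slow exfiltration as well as spikes.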
## Summary
Exfiltration marks the final step in a successful compromise, where data moves from your systems to attacker-controlled infrastructure.
"If you're monitoring ingress but not egress, you're half-blind."