The Exfiltration techniques of the MITRE ATT&CK framework consist of methods used by attackers to extract or move valuable information from a targeted network. Once attackers acquire sensitive information, they have several techniques through which they exfiltrate data in order to avoid being detected by the targeted network’s defences. In most cases, exfiltration represents the final stage of the attack lifecycle, transforming an otherwise theoretical intrusion into a very real loss for the victim.
Understanding these techniques allows organizations to identify and stop unauthorized data transfers and to protect their intellectual property, customer data, and other assets from unauthorized access.
Understanding Exfiltration in MITRE ATT&CK:
The techniques grouped under the Exfiltration tactic are those that allow attackers to:
Steal sensitive data: This involves transferring financial records, trade secrets, or personally identifiable information (PII) outside of the target network.
Evade Detection: Encrypt, compress, or obfuscate the data so that it slips past DLP tools and intrusion detection systems.
Use Multiple Channels: Data exfiltration can be accomplished through various communication channels, such as HTTP/S, DNS, email, or even external devices, depending on the network security policies.
By identifying these techniques, security teams can recognize abnormal network activity, design effective detection mechanisms, and prevent data loss.
Standard Techniques in Exfiltration:
The MITRE ATT&CK framework defines several exfiltration techniques, each representing a way an attacker can move data out of compromised systems. Here is a list of the primary techniques, with examples of tools or groups associated with each.
- Automated Exfiltration (T1020)
Adversaries can exfiltrate data, including sensitive documents, using automated processing once the information has been collected. Automated exfiltration is usually combined with other techniques that actually move the data outside the network, such as Exfiltration Over C2 Channel or Exfiltration Over Alternative Protocol. Tools: Sliver, Empire, etc.
- Data Transfer Size Limits (T1030)
An adversary may exfiltrate data in smaller, fixed-size segments rather than transferring entire files, or restrict packet sizes to remain below specific limits. This technique is often used to evade detection by staying under the thresholds that trigger alerts on abnormal network data transfers. Tools: rclone, Cobalt Strike, etc.
- Exfiltration Over Alternative Protocol (T1048)
Adversaries may exfiltrate data using a protocol different from the main C2 channel, or send it to an alternate network location. Common alternate protocols include FTP, SMTP, HTTP/S, DNS, and SMB, often with encryption or obfuscation to avoid detection. This technique can be executed with built-in utilities such as Net/SMB and FTP (Windows) or curl (Linux/macOS) to invoke HTTP/S or FTP/S. Other examples include downloading sensitive data from cloud resources such as Microsoft Exchange, SharePoint, GitHub, and AWS S3, which may be accessed using web consoles or APIs. Tools and groups: Pupy RAT, APT34 (OilRig), APT32 (OceanLotus), etc.
- Exfiltration Over C2 Channel (T1041)
Adversaries may exfiltrate data by sending it over the existing command-and-control channel, encoding it into the normal C2 traffic using the same protocol as the C2 communications. Because the channel is already established, stolen data can be blended with routine beaconing and command traffic rather than opening a separate, more conspicuous connection. Tools: Cobalt Strike, Sliver, Empire, etc.
- Exfiltration Over Other Network Medium (T1011)
Adversaries may exfiltrate data using a different network medium than the main command-and-control (C2) channel. For instance, if adversaries connect to the C2 via a wired Internet connection, they could exfiltrate via WiFi, modem, cellular data, Bluetooth, or another RF channel instead. This method is often chosen when attackers have the required access or proximity, since these alternate connections are frequently less secure or less monitored than the primary enterprise network. Tools: ODINI, Bluetooth stack tools (Linux: hciconfig, hcitool), etc.
- Exfiltration Over Physical Medium (T1052)
Adversaries can exfiltrate data via a physical medium, such as a removable storage device. In some circumstances, like an air-gapped network compromise, data exfiltration can take place via external media brought in by a user. Examples of external media include USB drives, external hard disks, mobile phones, MP3 players, or other portable means of storing data. External media can serve either as the final exfiltration channel or as a conduit between two systems that would otherwise have no connection; exfiltration over a USB drive is a typical example.
- Exfiltration Over Web Service (T1567)
Adversaries may leverage legitimate external web services to exfiltrate data, rather than relying solely on their primary command-and-control (C2) channel. Using well-known services provides cover, since compromised hosts are likely already communicating with these platforms, and firewall rules often allow such traffic by default. Furthermore, most web service providers use SSL/TLS, which gives adversaries an additional layer of protection by hiding the exfiltrated content from network inspection. Tools: Poison Ivy, APT34's ALMA Communicator, and so on.
- Scheduled Transfer (T1029)
Adversaries may schedule data exfiltration to take place only at certain times of day or at set intervals. Scheduling the transfer lets the activity blend in with normal network traffic or user behaviour. Scheduled exfiltration is typically combined with other techniques that actually move the data out of the network, such as Exfiltration Over C2 Channel or Exfiltration Over Alternative Protocol. Tools: ShadowPad, cron, and so on.
- Transfer Data to Cloud Account (T1537)
Adversaries may exfiltrate data by syncing, sharing, or backing up cloud environments to accounts they control within the same provider. Such activity often blends in with regular traffic because it uses cloud APIs and internal networks, bypassing traditional monitoring. They may also leverage cloud-native features, such as anonymous file links or Azure SAS URIs, and even create full cloud backups for transfer. Tools: Rclone, MEGASync, etc.
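The chunking (T1030) and scheduling (T1029) behaviours described above leave a measurable pattern in flow records: many transfers of near-identical size at near-regular intervals to one destination. The following Python detector is an added example, not part of the original article; it scores each source/destination pair on those two signals over a constructed flow log, and the hosts, addresses and thresholds are illustrative assumptions.

```python
"""Detect chunked (T1030) and scheduled (T1029) exfiltration patterns in flow logs."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound flow records: (timestamp_seconds, src, dst, bytes_out).
# Host 10.0.0.5 sends six identically sized 900 KB chunks every 600 s to one destination;
# host 10.0.0.7 shows ordinary, irregular browsing-style traffic.
FLOWS = [
    (0,    "10.0.0.5", "203.0.113.10", 921600),
    (600,  "10.0.0.5", "203.0.113.10", 921600),
    (1200, "10.0.0.5", "203.0.113.10", 921600),
    (1800, "10.0.0.5", "203.0.113.10", 921600),
    (2400, "10.0.0.5", "203.0.113.10", 921600),
    (3000, "10.0.0.5", "203.0.113.10", 921600),
    (12,   "10.0.0.7", "198.51.100.3", 1400),
    (700,  "10.0.0.7", "198.51.100.3", 48000),
    (733,  "10.0.0.7", "198.51.100.3", 2300),
    (2900, "10.0.0.7", "198.51.100.3", 120000),
]

def flag_pairs(flows, min_flows=5, total_bytes=1_000_000, cv_limit=0.1):
    """Return (src, dst) pairs whose aggregate volume exceeds total_bytes across many flows
    with near-uniform sizes and/or near-regular timing (coefficient of variation <= cv_limit)."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    flagged = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        sizes = [n for _, n in recs]
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        if sum(sizes) < total_bytes:          # small aggregate volume: not worth an alert
            continue
        size_cv = pstdev(sizes) / mean(sizes)
        gap_cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        reasons = []
        if size_cv <= cv_limit:
            reasons.append("uniform_chunks")    # T1030 indicator: fixed-size segments
        if gap_cv <= cv_limit:
            reasons.append("regular_interval")  # T1029 indicator: scheduled transfers
        if reasons:
            flagged[pair] = {"total_bytes": sum(sizes), "flows": len(recs), "reasons": reasons}
    return flagged
```

Thresholds should be tuned per environment: backup agents and sync clients also produce regular, uniform uploads, so the destination's reputation and the sending process matter for triage.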
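Exfiltration Over Alternative Protocol (T1048) frequently uses DNS, where data is encoded into the query names themselves. This added Python example (not from the original article) flags query names whose subdomain labels are unusually long or high-entropy and tallies unique subdomains per domain over a constructed query log; the domain names, the two-label registrable-domain assumption and the thresholds are illustrative assumptions.

```python
"""Flag DNS query names that look like encoded data carried in subdomains (T1048 over DNS)."""
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (one query name per line), not from any real capture.
QUERY_LOG = """\
www.example.com
mail.example.com
cdn.static.example.com
9f3a7c1e5b2d8046e7c9a1b3f5d70e2c4a6b8d0f1e3c5a79.x.unknown-example.test
q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5.x.unknown-example.test
0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f50617.x.unknown-example.test
"""

def registrable_domain(qname):
    """Split into (last two labels, remaining subdomain labels); assumes no public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def is_suspicious_query(qname, max_label=40, min_len=30, entropy_min=3.5):
    """True if any subdomain label is unusually long, or the subdomain part is both long and
    high-entropy; hostnames rarely look like that, encoded data almost always does."""
    _, sub_labels = registrable_domain(qname)
    if not sub_labels:
        return False
    sub = "".join(sub_labels)
    if max(len(label) for label in sub_labels) > max_label:
        return True
    return len(sub) >= min_len and shannon_entropy(sub) >= entropy_min

def scan_query_log(log_text):
    """Per registrable domain: query count, unique subdomains seen, and suspicious queries."""
    stats = defaultdict(lambda: {"queries": 0, "unique_subdomains": set(), "suspicious": 0})
    for line in log_text.splitlines():
        qname = line.strip()
        if not qname:
            continue
        domain, sub_labels = registrable_domain(qname)
        s = stats[domain]
        s["queries"] += 1
        s["unique_subdomains"].add(".".join(sub_labels))
        s["suspicious"] += is_suspicious_query(qname)
    return {d: {"queries": v["queries"], "unique_subdomains": len(v["unique_subdomains"]),
                "suspicious": v["suspicious"]} for d, v in stats.items()}
```

A high count of unique, never-repeated subdomains for one domain is itself a strong signal, even when individual labels stay under the length threshold.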
Why is exfiltration important?
Exfiltration is one of the last and most harmful stages of an attack, as it directly affects an organization's confidentiality and integrity by:
Compromising Sensitive Data: Attackers steal secret information such as customer records, patents, and trade secrets.
Monetizing the Attack: Stolen data can be sold on black markets or used as leverage in ransomware and extortion.
Conclusion
Exfiltration is one of the critical tactics in an attack, as it is the stage at which the thief actually takes and monetizes the stolen information. It employs numerous techniques, including C2 channels, encryption, cloud storage, and alternative protocols, to conceal the data, evade detection, and move it out of the network successfully. Strict monitoring, traffic analysis, and data loss prevention controls are crucial for organizations to counter these techniques and prevent data breaches. Knowing the exfiltration techniques helps defenders detect, respond to, and contain threats before sensitive data is compromised.