Exfiltration

Techniques

ID  Name  Description
EST000177  Data Compressed
A Cyber Embedded Technique in which an adversary compresses collected data prior to exfiltration, to make it portable and to minimize the amount of data sent over the network.

The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.
EST000178  Data Encrypted
A Cyber Embedded Technique in which an adversary encrypts data before it is exfiltrated, to hide the exfiltrated information from detection or to make the exfiltration less conspicuous on inspection by a defender.

The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.
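Compression (EST000177) and encryption (EST000178) leave the same fingerprint on the wire: a payload whose bytes are near-uniformly distributed, sometimes with a recognisable archive header in front. The following is an added example, not code from this catalog; it builds a constructed "collected records" sample, stages it with zlib and then with an illustrative SHA-256 counter-mode keystream (a stand-in for whatever cipher the adversary uses, not for real use), and shows what a detector can check on each stage: archive magic bytes, where present, and Shannon entropy. All names and the 7.0 bits/byte threshold are assumptions.

```python
import hashlib
import math
import random
import zlib
from collections import Counter
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def archive_format(data: bytes) -> Optional[str]:
    """Return the archive/compression format suggested by the leading bytes, if any."""
    if data.startswith(b"PK\x03\x04") or data.startswith(b"PK\x05\x06"):
        return "zip"
    if data.startswith(b"Rar!\x1a\x07"):
        return "rar"
    if data.startswith(b"7z\xbc\xaf\x27\x1c"):
        return "7z"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    # zlib stream with the usual CMF byte 0x78 (deflate, 32K window) and a valid FCHECK.
    if len(data) >= 2 and data[0] == 0x78 and (data[0] * 256 + data[1]) % 31 == 0:
        return "zlib"
    return None


def classify_payload(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Summarise why a payload looks like staged (compressed or encrypted) data."""
    fmt = archive_format(data)
    ent = shannon_entropy(data)
    return {
        "entropy": round(ent, 2),
        "archive": fmt,
        "suspicious": fmt is not None or ent >= entropy_threshold,
    }


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Illustrative stream cipher (SHA-256 in counter mode), used only to show what
    encrypted output looks like to a detector. Not a real cipher; do not reuse."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed sample standing in for collected records (deterministic seed).
_rng = random.Random(7)
_WORDS = ["account", "balance", "invoice", "customer", "address", "payment",
          "status", "pending", "approved", "total", "region", "contact"]
PLAIN = " ".join(_rng.choice(_WORDS) for _ in range(20000)).encode()
COMPRESSED = zlib.compress(PLAIN, 9)           # staged with a zlib-style utility
ENCRYPTED = xor_keystream(COMPRESSED, b"k3y")  # then encrypted before sending


if __name__ == "__main__":
    for name, blob in [("plain", PLAIN), ("compressed", COMPRESSED), ("encrypted", ENCRYPTED)]:
        print(name, len(blob), classify_payload(blob))
```

The compressed stage is caught by its zlib header as well as by entropy; the encrypted stage has no header left to match and is caught only by entropy. High entropy alone is weak evidence (TLS, images and legitimate archives look the same), so in practice it is combined with destination, volume and timing, which the later techniques in this list cover.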
EST000179  Data Transfer Size Limits
A Cyber Embedded Technique in which an adversary exfiltrates data in fixed-size chunks instead of whole files, or limits packet sizes to stay below certain thresholds.

This approach may be used to avoid triggering network data transfer threshold alerts.
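A per-transfer threshold is exactly what chunking defeats, so the counter-measure is to sum bytes per (source, destination) pair over a time window. The following is an added example, not code from this catalog: it runs a naive per-transfer rule and a sliding-window aggregate rule over a constructed flow log in which one host drips a 45 MB archive to an external server in 900 KB pieces, one every two minutes, next to ordinary traffic from a second host. The limits, window and addresses are assumptions.

```python
from collections import defaultdict, deque
from typing import Dict, List, Tuple

Flow = Tuple[int, str, str, int]  # (epoch seconds, src host, dst host, bytes sent)

PER_TRANSFER_LIMIT = 1_000_000   # alert on any single transfer over 1 MB
AGGREGATE_LIMIT = 10_000_000     # alert when one pair moves over 10 MB within the window
WINDOW_SECONDS = 3600


def per_transfer_alerts(flows: List[Flow], limit: int = PER_TRANSFER_LIMIT) -> List[Flow]:
    """Naive threshold rule: fires only on individual transfers above `limit`."""
    return [f for f in flows if f[3] > limit]


def aggregate_alerts(flows: List[Flow], limit: int = AGGREGATE_LIMIT,
                     window: int = WINDOW_SECONDS) -> Dict[Tuple[str, str], int]:
    """Sliding-window byte total per (src, dst) pair. Returns the pairs whose total
    within any `window`-second span exceeded `limit`, mapped to the peak total seen."""
    alerts: Dict[Tuple[str, str], int] = {}
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for ts, src, dst, nbytes in sorted(flows):
        key = (src, dst)
        recent[key].append((ts, nbytes))
        totals[key] += nbytes
        # Expire records older than the window before evaluating the total.
        while recent[key] and recent[key][0][0] < ts - window:
            _, old_bytes = recent[key].popleft()
            totals[key] -= old_bytes
        if totals[key] > limit:
            alerts[key] = max(alerts.get(key, 0), totals[key])
    return alerts


def build_sample_flows() -> List[Flow]:
    """Constructed flow log: 50 chunks of 900 KB every 120 s from 10.0.0.5,
    plus ten small uploads from 10.0.0.9."""
    base = 1_700_000_000
    chunked = [(base + i * 120, "10.0.0.5", "203.0.113.7", 900_000) for i in range(50)]
    normal = [(base + i * 600, "10.0.0.9", "198.51.100.2", 40_000) for i in range(10)]
    return chunked + normal


if __name__ == "__main__":
    flows = build_sample_flows()
    print("per-transfer alerts:", per_transfer_alerts(flows))
    print("aggregate alerts:", aggregate_alerts(flows))
```

Every chunk sits under the 1 MB rule, so the naive check stays silent, while the one-hour window accumulates 31 chunks (27.9 MB) for the chunking host and fires. An adversary can of course slow the drip until it fits under the aggregate limit too, which is why the window length and the per-host baseline matter more than any single number.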
EST000180  Exfiltration Over Alternative Protocol
A Cyber Embedded Technique in which an adversary leverages various operating system utilities to exfiltrate data over an alternative protocol.

Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different channels could include Internet Web services such as cloud storage.
EST000181  Exfiltration Over Command and Control Channel
A Cyber Embedded Technique in which an adversary exfiltrates data over the Command and Control channel.

Data is encoded into the normal communications channel using the same protocol as command and control communications.
EST000182  Exfiltration Over Other Network Medium
A Cyber Embedded Technique in which an adversary exfiltrates data over a different network medium than the C2 channel.

The exfiltration may occur over a Wi-Fi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries could choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.
EST000183  Exfiltration Over Physical Medium
A Cyber Embedded Technique in which an adversary exfiltrates data via a physical medium or removable device introduced by a user.

Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage or processing device (PCMCIA card, SD card, etc.). The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
EST000184  Scheduled Transfer
A Cyber Embedded Technique in which an adversary exfiltrates data at certain times of the day or at certain intervals.

This could be done to blend traffic patterns with normal activity or availability.
When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.
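A scheduled transfer blends in by volume and protocol but stands out by its timing: the gaps between transfers to the same destination are nearly constant. The following is an added example, not code from this catalog; it groups outbound transfer events by (source, destination), computes the inter-transfer gaps, and flags pairs whose spacing has a low coefficient of variation. The sample log is constructed (one host pushing data every ~6 hours with small jitter, another with irregular user-driven uploads), and the thresholds and addresses are assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[int, str, str]  # (epoch seconds, src host, dst host) of an outbound transfer


def interval_stats(timestamps: List[int]) -> Tuple[float, float]:
    """Median gap between consecutive transfers and its coefficient of variation
    (population stdev / mean). A CV near 0 means a fixed schedule."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return (float(gaps[0]) if gaps else 0.0, float("inf"))
    mean = statistics.mean(gaps)
    if mean == 0:
        return 0.0, float("inf")
    return float(statistics.median(gaps)), statistics.pstdev(gaps) / mean


def scheduled_transfers(events: List[Event], min_events: int = 6,
                        max_cv: float = 0.15) -> Dict[Tuple[str, str], Tuple[float, float]]:
    """Return (src, dst) pairs with at least `min_events` transfers whose spacing is
    regular enough (CV <= max_cv) to look scheduled, mapped to (median gap, CV)."""
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    flagged: Dict[Tuple[str, str], Tuple[float, float]] = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        median, cv = interval_stats(stamps)
        if cv <= max_cv:
            flagged[pair] = (median, round(cv, 3))
    return flagged


def _from_gaps(start: int, gaps: List[int]) -> List[int]:
    """Turn a start time and a list of gaps into absolute timestamps."""
    out, t = [start], start
    for g in gaps:
        t += g
        out.append(t)
    return out


def build_sample_events() -> List[Event]:
    """Constructed log: 10.0.0.5 transfers every ~21600 s with jitter; 10.0.0.9 does not."""
    base = 1_700_000_000
    scheduled_gaps = [21400, 21750, 21600, 21500, 21850, 21650, 21550, 21700, 21450, 21800]
    irregular_gaps = [300, 4000, 120, 9000, 1500, 700, 12000, 60, 2400, 5000]
    sched = [(t, "10.0.0.5", "203.0.113.7") for t in _from_gaps(base, scheduled_gaps)]
    user = [(t, "10.0.0.9", "198.51.100.2") for t in _from_gaps(base + 37, irregular_gaps)]
    return sched + user


if __name__ == "__main__":
    print(scheduled_transfers(build_sample_events()))
```

The jittered schedule still scores a CV under 0.01 against the irregular host's CV above 1, so a loose threshold separates them. Transfers keyed to a time of day rather than an interval show up the same way with a median gap of 86400 s; a daily backup job will too, so the flagged pairs still need an allow-list or a volume check before they become alerts.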
EST000185  Multi-Stage Exfiltration Channels
A Cyber Embedded Technique in which an adversary uses multiple channels in a similar manner to Exfiltration Over Other Network Medium in conjunction with a procedural TTP to mask exfiltration.

For example, an adversary may send every other bit over a different channel to obfuscate what is being exfiltrated, or exfiltrate half of the data on one channel and then switch channels mid-exfiltration so that the transfer appears to have stopped.
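The bit-interleaving variant means that a capture of either channel on its own reconstructs nothing, and a defender who has both captures must know the interleaving to recover the data. The following is an added example, not code from this catalog, that implements that split and the matching reassembly so the two halves can be inspected; the sample secret is constructed.

```python
from typing import List, Tuple


def to_bits(data: bytes) -> List[int]:
    """Unpack bytes into a list of bits, most significant bit first."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def from_bits(bits: List[int]) -> bytes:
    """Pack a bit list MSB-first, zero-padding the final byte."""
    bits = bits + [0] * (-len(bits) % 8)
    return bytes(sum(bit << (7 - i) for i, bit in enumerate(bits[j:j + 8]))
                 for j in range(0, len(bits), 8))


def interleave_split(data: bytes) -> Tuple[bytes, bytes]:
    """Even-numbered bits become channel A's payload, odd-numbered bits channel B's."""
    bits = to_bits(data)
    return from_bits(bits[0::2]), from_bits(bits[1::2])


def interleave_merge(channel_a: bytes, channel_b: bytes, length: int) -> bytes:
    """Reassemble the original `length` bytes from the two captured payloads."""
    a, b = to_bits(channel_a), to_bits(channel_b)
    merged = [bit for pair in zip(a, b) for bit in pair]
    return from_bits(merged)[:length]


SECRET = b"account=0001 balance=100 owner=Alice"  # constructed sample

if __name__ == "__main__":
    chan_a, chan_b = interleave_split(SECRET)
    print("channel A:", chan_a)
    print("channel B:", chan_b)
    print("merged:", interleave_merge(chan_a, chan_b, len(SECRET)))
```

Neither payload contains any substring of the original, so content-matching DLP on a single channel sees nothing; the only single-channel signals left are the ones the earlier entries describe (entropy, volume and timing). The "half then switch" variant needs no code: it is a plain byte split, and the defensive point is that a transfer that stops abruptly on one channel should be correlated with a transfer that starts on another from the same host.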
EST000186  Exfiltration Fallback Channels
A Cyber Embedded Technique in which an adversary uses multiple channels in a similar manner to Exfiltration Over Other Network Medium in conjunction with a procedural TTP as a fallback channel.

This would likely occur in the event the primary channel fails.
EST000187  Exfiltration via Maintenance Channels
A Cyber Embedded Technique in which an adversary exfiltrates sensitive data from a Line Replaceable Unit (LRU) by exploiting legitimate maintenance interfaces or functionalities.

This may involve leveraging undocumented commands, debug ports, diagnostic routines, or update mechanisms intended for system maintenance or troubleshooting. The adversary uses these channels to extract data specific to the compromised LRU or data that the LRU processes from other systems. This technique can be used to bypass security controls, exfiltrate sensitive information, or gain unauthorized access to connected systems. The adversary may exploit vulnerabilities in the implementation of these maintenance channels or abuse intended functionalities for malicious purposes.

Previously named: Debug Maintenance Channels