Exfiltration via Screen Sharing

The subject transmits live on-screen content to an unauthorized third party using screen sharing, livestreaming, or remote presentation tools. This method of exfiltration enables real-time viewing of sensitive data, systems, or processes without leaving traditional file transfer artifacts. It is often used to bypass content filtering, download restrictions, or endpoint data loss prevention controls.

Exfiltration via screen sharing may be conducted using legitimate collaboration platforms (e.g., Zoom, Microsoft Teams, Google Meet, Discord) or dedicated remote control tools (e.g., TeamViewer, AnyDesk, Parsec), particularly when configured for unattended sessions. Some subjects utilise streaming platforms (e.g., YouTube Live, Twitch) in unlisted or private modes to discreetly transmit content to an external audience.

This technique enables the subject to expose proprietary information, such as internal dashboards, code repositories, chat transcripts, or system configurations, without transferring files or modifying access logs. It is particularly effective in highly restricted environments where data cannot be copied, downloaded, or printed.

Depending on the tool and configuration used, these sessions may be difficult to detect in real-time, especially if screen sharing is permitted within the organization’s broader productivity context.