The adversary is trying to steal data.
Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.
| ID | Name | Description |
|---|---|---|
| T2073 | Exfiltration Over Alternative Protocol | Adversaries may exfiltrate data over alternative protocols to avoid detection and bypass security controls. This technique involves using non-standard or less-monitored communication channels, such as DNS, ICMP, or even custom protocols, to exfiltrate sensitive information from compromised vehicle systems. |
| T2078 | Exfiltration Over Bluetooth | Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. Bluetooth can be an attractive choice for exfiltration when adversaries are in close proximity to the target vehicle and the Bluetooth connection offers a lower level of security compared to the primary Internet-connected channel. |
| T2074 | Exfiltration Over C2 Channel | Adversaries may exfiltrate data over command and control (C2) channels in order to steal sensitive information from vehicle systems. They can use compromised data-transfer channels to manipulate traffic and inject their own content, allowing them to continuously communicate with victim systems and deliver additional payloads. |
| T2076 | Exfiltration Over Cellular Network | Adversaries may attempt to exfiltrate data over a cellular network. This technique allows them to transfer sensitive data from the vehicle to an external location using the cellular network. |
| T2075 | Exfiltration Over Other Network Medium | Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. |
| T2079 | Exfiltration Over Physical Medium | Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive or OBD-II. In certain circumstances, such as an offline network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems. |
| T2077 | Exfiltration Over Short Range Wireless | Adversaries may attempt to exfiltrate data over a WiFi connection or another radio frequency (RF) channel. This technique allows adversaries to wirelessly transmit stolen data from a compromised vehicle to a nearby receiver without the need for physical access. |