After a successful asset discovery, adversaries try to exfiltrate data from the compromised network. In many cases the initial C&C server is used as the drop-off point, but other systems and technologies might be involved. The actual approach to exfiltration depends on the APT group's tactics, the amount of data, and other circumstances.
When the amount of data is small, attackers are less constrained in their choice of transfer method and can usually exfiltrate the collected information in one round. For this purpose any of the common techniques can be used, including HTTP, mail, FTP, etc. For huge data transfers, adversaries attempt to spread the exfiltration out in order not to raise red flags. Moreover, depending on egress filtering and other circumstances, attackers might restrict themselves to a protocol that allows them to blend in with normal traffic and remain stealthy.
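The two patterns just described, a one-round bulk upload and a chunked transfer spread over hours to stay under per-session limits, can be told apart from the same outbound volume data. The following is an added detection example, not code from the original text; it runs over a constructed proxy log sample with hypothetical hosts and domains, and the thresholds are illustrative values that would be tuned per environment.

```python
from datetime import datetime

# Constructed proxy log sample (synthetic, not from any real environment):
# timestamp,src_ip,dst_host,method,bytes_out
SAMPLE_LOG = """\
2024-03-01T08:00:12,10.0.0.5,updates.example-vendor.com,GET,512
2024-03-01T08:05:40,10.0.0.7,files.example-drop.net,POST,950000
2024-03-01T09:10:03,10.0.0.7,files.example-drop.net,POST,980000
2024-03-01T10:15:22,10.0.0.7,files.example-drop.net,POST,940000
2024-03-01T11:20:41,10.0.0.7,files.example-drop.net,POST,990000
2024-03-01T12:25:09,10.0.0.7,files.example-drop.net,POST,960000
2024-03-01T13:01:55,10.0.0.9,share.example-drop.net,POST,60000000
2024-03-01T13:30:18,10.0.0.7,files.example-drop.net,POST,970000
2024-03-01T14:35:47,10.0.0.7,files.example-drop.net,POST,955000
"""

def aggregate_outbound(log_text):
    """Per (src_ip, dst_host): total bytes out, session count, largest
    single session and the time span between first and last event."""
    stats = {}
    for line in log_text.strip().splitlines():
        ts, src, dst, _method, bytes_out = line.split(",")
        t, n = datetime.fromisoformat(ts), int(bytes_out)
        s = stats.setdefault((src, dst), {"total": 0, "sessions": 0,
                                          "max_session": 0, "first": t, "last": t})
        s["total"] += n
        s["sessions"] += 1
        s["max_session"] = max(s["max_session"], n)
        s["first"], s["last"] = min(s["first"], t), max(s["last"], t)
    return stats

def flag_exfil(stats, burst_bytes=25_000_000, slow_total=5_000_000,
               slow_min_sessions=5, slow_min_hours=4.0):
    """Map (src, dst) -> reason. "burst": one session alone exceeds the
    volume threshold (one-round exfiltration). "low_and_slow": every session
    stays under it, but many sessions over hours add up to a large total."""
    flagged = {}
    for key, s in stats.items():
        hours = (s["last"] - s["first"]).total_seconds() / 3600
        if s["max_session"] >= burst_bytes:
            flagged[key] = "burst"
        elif (s["total"] >= slow_total and s["sessions"] >= slow_min_sessions
              and hours >= slow_min_hours):
            flagged[key] = "low_and_slow"
    return flagged

if __name__ == "__main__":
    for (src, dst), reason in flag_exfil(aggregate_outbound(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {reason}")
```

The per-session threshold alone would miss the chunked transfer from 10.0.0.7; only the aggregation per destination over the whole day exposes it, which is why volume baselines should be kept per host and destination rather than per request.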
Depending on the APT's tactics and the goal of the current campaign, a successful data exfiltration marks the end of the attack. However, the threat actors might sometimes put additional effort into covering their tracks or deploying additional persistence mechanisms if a return is planned for the future.