Data Exfiltration via Agent
T11 · Agentic & Orchestrator Exploitation

Exfiltration is the payoff stage, and agents excel at it because they combine read access to sensitive data with a rich set of outbound channels — email, HTTP upload, cloud storage, paste sites, repository push, websockets, even DNS. The trust boundary violated is the gap between data access and data egress: the agent is trusted to *read* business data to do its job and separately trusted to *make network requests*, but nothing enforces that data it read does not leave through a channel it can reach. Because legitimate agent work routinely involves both reading files and sending requests, an injected "upload X to Y" blends into normal behavior, and DLP that watches user actions may not inspect agent-initiated egress.
- Egress-filter all agent-initiated outbound traffic and compare destinations against an allowlist
- Link data provenance to egress: alert when content read from sensitive sources appears in an outbound request (read-then-send correlation)
- Monitor DNS query volume/entropy for tunneling and inspect HTTP headers for encoded payloads
- Apply DLP to agent outputs — uploads, mail bodies/attachments, repo pushes, and image content
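
One way to implement the destination allowlist check and the read-then-send correlation from the list above, as an added example that is not part of the original page. `EgressMonitor`, its methods, the host names and the sample CRM data are hypothetical or constructed; the monitor fingerprints overlapping windows of sensitive reads and matches them against outbound bodies, including base64-encoded runs.

```python
import base64, hashlib, re
from urllib.parse import urlparse

ALLOWED_HOSTS = {"api.internal.example"}  # constructed allowlist (assumption)
SHINGLE = 24  # window size in bytes; content shorter than this is not tracked
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")

def shingles(data: bytes) -> set:
    """Hash every SHINGLE-byte window so partial copies still match."""
    return {hashlib.sha256(data[i:i + SHINGLE]).digest()[:8]
            for i in range(len(data) - SHINGLE + 1)}

class EgressMonitor:  # hypothetical hook: called by the agent's tool layer
    def __init__(self):
        self.tainted = {}  # window fingerprint -> label of the sensitive source

    def record_read(self, source: str, content: bytes, sensitive: bool) -> None:
        if sensitive:
            for fp in shingles(content):
                self.tainted.setdefault(fp, source)

    def _views(self, body: bytes):
        """Yield the raw body plus the decoding of each base64-looking run."""
        yield body
        for run in B64_RUN.findall(body):
            try:
                yield base64.b64decode(run, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue        # not valid base64, nothing to inspect

    def check_send(self, url: str, body: bytes) -> list:
        findings = []
        host = urlparse(url).hostname or ""
        if host not in ALLOWED_HOSTS:
            findings.append(("destination_not_allowlisted", host))
        sources = set()
        for view in self._views(body):
            sources |= {self.tainted[fp] for fp in shingles(view) if fp in self.tainted}
        findings += [("read_then_send", src) for src in sorted(sources)]
        return findings

# Constructed sample data: a fake CRM export and two outbound requests.
SECRET = b"customer_id,iban\n1001,XX00 0000 0000 0000 0000 00\n1002,XX00 1111 1111 1111 1111 11\n"
def demo():
    mon = EgressMonitor()
    mon.record_read("crm/export.csv", SECRET, sensitive=True)
    leak = b'{"note":"' + base64.b64encode(SECRET) + b'"}'
    return (mon.check_send("https://paste.example/upload", leak),
            mon.check_send("https://api.internal.example/v1/status", b'{"ok":true}'))
```

Fingerprint matching here covers only plain and base64-encoded copies of tracked content, so it complements the allowlist and DLP controls in the list rather than replacing them.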
Exfiltration is the terminal stage for most T11 chains: it is fed by T11-AT-008 (credentials/secrets), T11-AT-010 (data reached via lateral movement), and T11-AT-016 (local files / metadata read via SSRF), and it is the egress half of the T11-AP-002B read-then-send and T11-AP-002G kill-chains. It overlaps T9 (steganographic image exfil) and, when the channel is a public repo (T11-AP-011C), bleeds into T11-AT-013 supply-chain exposure.