The Mitre Att&ck Framework has defined nine techniques in the Exfiltration category.
The Automated Exfiltration technique is when the malware that the threat actor used to compromise the target is programmed to automatically upload data to whatever server it is programmed to do so. Typically when this technique gets employed, then there will be additional techniques that will then get used as well.
Data Transfer Size Limits are when the threat actor only goes after files of a specific size. Alternatively, the threat actor may split files into smaller sizes. This technique is used by a threat actor to get around scanners or avoid detection.
Exfiltration Over Alternative Protocol is when a threat actor utilizes an alternative protocol to exfiltrate data. Exfiltration using DNS tunnels would be an example of this.
Exfiltration Over C2 Channel is when a threat actor uses the functionality of their command and control system to facilitate the exfiltration of data.
Exfiltration Over Other Network Mediums is when a threat actor exfiltrates data over a different medium than the medium used by the target device in the initial compromise. Using Bluetooth or wifi would be two examples of this.
Exfiltration Over Other Physical Mediums is when a threat actor exfiltrates data onto an external drive to leave the premises of the building hosting the target system.
Exfiltration Over Web Service is when a threat actor utilizes a web service to exfiltrate and store the data.
Scheduled Transfer is when a threat actor sets up a scheduled task via malware or built-in task schedulers to utilize a secondary technique that executes the exfiltration.
Transfer Data to Cloud Account is when a threat actor exfiltrates data to a cloud account such as Amazon S3. If a threat actor uses the same cloud service the target organization uses, it could become more difficult for the malicious activity to be spotted.