After exploitation, what factors determine the choice of file transfer methods?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

After exploitation, what factors determine the choice of file transfer methods?

Explanation:
After you have a foothold, the feasible file transfer method is governed by what can actually be used from the compromised host. The first factor is the outbound channels the host can reach and that the network permits; if only web traffic is allowed or if FTP/SMB ports are blocked, that shapes which transfer methods are workable and stealthy. The second factor is what tools are installed on the host; having native utilities like curl, wget, certutil, PowerShell, or an SSH client opens different transfer options and paths that avoid introducing new software. The third factor is the exploit payload and how it runs on the target—what privileges you have, what memory or disk access is available, and whether the payload already includes a built‑in exfiltration capability or relies on a particular transfer channel.

These together explain why a method using common outbound protocols, supported by available tools on the host, and aligned with the exploit’s capabilities is chosen. Merely having user credentials isn’t sufficient because the transfer path still needs an active channel and usable tooling. OS version alone doesn’t determine what is possible, since it doesn’t account for available tools or network restrictions. Bandwidth matters, but without the right channel and tools, high bandwidth won’t help.
