Don't have time right now to post up anything detailed, maybe later, but long story short: if there's communication, you can make an exfil out of it.
Pretty much the goal of covert exfil boils down to two things: 1. Actually get the data 2. Don't have the traffic logged/flagged. Number 1 is obviously the most important (duh), 'cause even if they notice, if you got what you came for who gives a fuuuuck. So depending on the target, start with what outbound traffic is allowed (some network monitoring is in order here unless you can figure out the firewall rules, which may be more noisy than the exfil depending on your level of access in the network). Prioritize encrypted traffic like SSL or SSH as they are more likely to not get flagged and most security systems don't bother with that type of traffic since they can't inspect the content. Even if their network is set up to inspect the content, use your own keys/certs and you're solid. Lots of pentesting companies get their hard on over DNS exfil because no one logs it (not to say they can't or that some shops don't) but that runs its own gamut of risks (setting up your own DNS server, purchasing domain name, DNS packets unusually large and frequent in order to send any real amount of data).
If you can find some obscure protocol that's going outbound, that'd be your best bet to set up a custom exfil, pretty much guaranteeing no one is flagging it 'cause they don't want to break whatever esoteric magic they got running behind the scenes.
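
Added example, not part of the original post: the "unusually large and frequent" DNS packets mentioned above are what a defender who does log DNS can key on. This sketch groups query logs by client and zone and flags many long, random-looking names; the log format, thresholds and sample lines are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Thresholds are illustrative assumptions; tune them against your own baseline.
MIN_UNIQUE_NAMES = 20   # distinct query names per client and zone
MIN_MEAN_LEN = 30       # mean length of the part left of the zone
MIN_ENTROPY = 3.5       # bits per character across those subdomain strings

def build_sample_log():
    """Constructed log lines: 'epoch client_ip qname qtype' (format is an assumption)."""
    lines = ["1700000000 10.0.0.5 www.example.com A",
             "1700000004 10.0.0.5 mail.example.com A",
             "1700000009 10.0.0.7 cdn.example.net A"]
    for i in range(40):  # long, unique, hex-looking labels under one zone
        label = hashlib.sha256(str(i).encode()).hexdigest()[:48]
        lines.append(f"{1700000010 + i} 10.0.0.9 {label}.t.example.org TXT")
    return lines

def entropy(text):
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def find_suspects(lines):
    """Group queries by (client, zone) and flag many long, random-looking names."""
    groups = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, qname, _ = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain to carry data
        # Naive zone = last two labels; real use needs the Public Suffix List.
        zone, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        groups[(client, zone)].add(sub)
    suspects = []
    for (client, zone), subs in sorted(groups.items()):
        mean_len = sum(map(len, subs)) / len(subs)
        ent = entropy("".join(subs))
        if len(subs) >= MIN_UNIQUE_NAMES and mean_len >= MIN_MEAN_LEN and ent >= MIN_ENTROPY:
            suspects.append({"client": client, "zone": zone, "unique_names": len(subs),
                             "mean_len": round(mean_len, 1), "entropy": round(ent, 2)})
    return suspects

if __name__ == "__main__":
    for s in find_suspects(build_sample_log()):
        print(s)
```

Running it over a fixed time window (for example per hour) turns the unique-name count into the frequency signal as well.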