Detection DataExfil

Data Exfil through DNS Tunneling

DNS exfiltration abuses the Domain Name System, a protocol normally allowed through networks, to smuggle bytes encoded inside DNS queries/responses so firewalls and web proxies don't notice. Because DNS is typically allowed and often unfiltered or forwarded to public resolvers, it's attractive for covert channels.

DNS Tunneling
- DNS (Domain Name System) translates human-friendly domain names (e.g., example.com) into IP addresses and provides other record types (A, AAAA, TXT, MX, CNAME, etc.)
  - DNS queries are ubiquitous: almost every host performs DNS lookups.
  - DNS is normally allowed through firewalls and gateways, making it an attractive covert channel.
  - DNS uses UDP (mostly) on port 53 for queries and responses; TCP is used for zone transfers or large responses.
Indicators of attack
- Many DNS queries are sent to a single external domain, especially with very high counts compared to the baseline.
- Long subdomain labels or unusually long full query names (> 60–100 characters).
- High entropy or Base32/Base64-like patterns in the query name (lots of mixed case letters, digits, -, = signs for base64).
- Rare record types (TXT, NULL) or many large TXT responses.
- Unusual response behavior: frequent NXDOMAIN (if attacker uses exfil-by-query without answering), or TCP/large UDP fragments for DNS.
- Queries at regular intervals (beaconing behaviour).
Detecting through Wireshark
- dns Let's start by applying filter on dns traffic
- dns.flags.response == 0 Let's filter on the DNS queries with no response
- dns && frame.len > 70 Find long queries (suspicious subdomain lengths)
- dns && dns.qry.name contains Let's filter on the suspicious domain
  - Multiple internal hosts are compromised.
  - All these hosts are sending the data in chunks using DNS tunneling techniques.
  - There is only one external domain identified as the one receiving the DNS queries.

Data Exfil through FTP

FTP (File Transfer Protocol) is one of the oldest protocols for transferring files between a client and server over a TCP/IP network. Attackers use it to move large amounts of data off a network, sometimes via compromised credentials, misconfigured servers, or ephemeral accounts. Detection relies on a mix of packet inspection (FTP only), server logs, SSH session metadata, and network flow/size/pattern analysis.

How adversaries use FTP for exfiltration
- Use legitimate FTP servers (public or misconfigured internal servers) to stage/transfer data.
- Use compromised credentials (service accounts, user creds).
- Use non-standard ports or tunneling to blend with other traffic.
Indicators of attack
- USER and PASS commands (cleartext credentials).
- STOR (upload) and RETR (download) commands: repeated or large transfers.
- Large data connections to unusual external IPs, especially outside business hours.
- Data channel openings on ephemeral ports (PASV) paired with large payloads.
Detecting through Wireshark
- ftp || ftp-data - Isolate FTP control & data
- ftp.request.command == "USER" || ftp.request.command == "PASS" - Let's filter to show only login attempts with USER/PASS
- ftp contains "STOR" - Look for Anomalies in Filenames or Credentials, Right-click a packet → Follow → TCP Stream
- ftp contains "csv" - We can look at suspicious files by filtering on the file extensions like PDF, csv, TXT etc
- ftp && frame.len > 90 - Identifying the traffic with a large payload size and check out the content in TCP Stream

Data Exfil via HTTP

Data exfiltration via HTTP is when an attacker moves sensitive data out of a target network using HTTP as the transport. HTTP is commonly abused because it blends with normal web traffic, can traverse firewalls and proxies, and can be obfuscated (encoding, encryption, tunneling).

How adversaries use HTTP for data exfiltration
- POST uploads to external servers: Bulk data is sent to attacker-controlled hosts or cloud storage in POST request bodies.
- GET requests with encoded data: Attacker squeezes small chunks into query strings or path segments (useful for low-and-slow exfiltration).
- Use of common services / CDN: Exfiltration disguised as uploads to popular services or attacker-controlled subdomains under reputable domains.
- Custom headers: Data placed in headers (e.g., X-Data: ) may bypass some string-based DLP.
- Chunked transfer / multipart: Large payloads split into multiple requests to avoid size thresholds.
- HTTPS/TLS tunneling: The encrypted channel hides the payload; detection requires TLS inspection, SNI analysis, or metadata-based detection.
- Staging via cloud services: The attacker uploads to Dropbox/GitHub/Gist and then fetches externally.
Indicators of Attack (IoAs)
- Unusually large HTTP POST requests to external/unexpected hosts.
- HTTP requests to domains with low reputation / rarely seen in baseline traffic.
- Frequent small requests (beaconing) to the same host, followed by large uploads.
- Chunked or multipart transfers where multiple requests compose a larger file.
Network Traffic Analysis
- http - Apply a filter on the HTTP traffic
- http.request.method == "POST" - We can see HTTP traffic with both GET and POST requests
- http.request.method == "POST" and frame.len > 500 - Filter on the traffic with the frame length of more than 500 or 750
- Let's go to the HTTP stream to see the file's content

Data Exfiltration via ICMP

ICMP is a network-layer protocol used for diagnostics and control (e.g., ping, TTL exceeded). Because it is commonly allowed through firewalls and typically inspected less strictly than TCP/UDP, attackers sometimes abuse ICMP to tunnel and exfiltrate data. Malicious actors encode data into ICMP payloads (echo request/reply, timestamp, info) and send it to a remote listener under their control.

How adversaries use ICMP for exfiltration
- Common techniques:
  - ICMP echo (type 8) / reply (type 0) tunneling: attackers place encoded (base64, hex) chunks of files inside ICMP payloads. The remote server collects and decodes them.
  - Custom ICMP types/codes: using uncommon ICMP types or non-zero codes to avoid signature-based detections.
  - Fragmentation and reassembly: large payloads are split across multiple packets.
  - Encryption/obfuscation: Encrypting or encrypting payloads (base64 is common) to look like random data.
- Indicators that something may be malicious:
  - Persistent ICMP sessions to an external host not used for legitimate monitoring.
  - Unusually large ICMP payloads or frequent ICMP with payload > typical ping size.
  - ICMP payloads that contain high-entropy data or patterns consistent with base64/hex.
  - Bursts of ICMP are immediately followed by no other legitimate application traffic from the same host.
Indicators of attack in Wireshark
- ICMP packet volumes: a single host sending many ICMP echo requests to an external IP.
- Large frame.len or icmp.payload: pings with payloads much larger than typical (e.g., > 64 bytes).
- ICMP type/code unusual values: e.g., unusual use of timestamp(13/14) or custom codes.
- Regular timing (periodicity): evenly spaced ICMP packets carrying similar-sized payloads.
- Fragments with reassembly: multiple ICMP fragments from the same src/dst pair.
Wireshark
- icmp - The filter below isolates all ICMP packets
- icmp.type == 8 - Let's apply the filter to isolate ICMP Echo Request packets
- icmp.type == 8 and frame.len > 100 - Let's now apply the filter on the ICMP requests and focus on the frame length over 100, Flags packets with unusually large payloads. Normal pings are ~74 bytes total. Anything over 100 is suspicious.
- ICMP is simple, and any anomaly can be detected easily by examining the frame size and investigating the larger payload size than usual.