Data Exfiltration Detection | Tryhackme Writeup

👋Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics, based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions; I am more than happy to help.

Room Link: https://tryhackme.com/room/dataexfildetection

Task 1: Introduction

Data exfiltration is the unauthorized transfer of sensitive data out of a computer or other device. It is a primary objective for attackers who have already breached a network. As SOC analysts, our job is to detect and stop it before sensitive information walks out the door. This room covers the common channels attackers use to steal data and, more importantly, how we can catch them in the act.

Learning Objectives

Learn how data exfiltration is carried out, and detected, over DNS, FTP, HTTP and ICMP.

There are three ways to approach the practical lab:

  • Explore the network traffic in the respective folder in the data_exfil directory on the Desktop.

  • Perform Log Analysis on the log file in the same folder.

  • Examine the logs already ingested into the Splunk instance. Make sure to set the time range to All time and search with index=data_exfil.


Task 4 Detection: Data Exfil through DNS Tunneling

  1. What is the suspicious domain receiving the DNS traffic?

Ans: tunnelcorp.net

Wireshark display filter, built up one condition at a time and joined with &&:

  • dns → only DNS traffic

  • dns.flags.response == 0 → queries only (no responses)

  • frame.len > 70 → drops small, ordinary lookups

  • len(dns.qry.name) > 20 → long query names (len() is Wireshark's string-length function; strlen is not a valid display-filter function)

Tunneled data travels in the leftmost labels of the query name, so every request to the tunneling domain is unique and unusually long; that is what the length condition catches.

  2. How many suspicious traffic/logs related to DNS tunneling were observed?

Ans: 315

(Count of DNS tunneling packets to the suspicious domain: narrow the filter above to query names ending in the suspicious domain and read the displayed packet count from the status bar)

  3. Which local IP sent the maximum number of suspicious requests?

Ans: 192.168.1.103

  • Keep the DNS filter above, narrowed to queries for the suspicious domain

  • Go to Statistics → Conversations and sort by packets

  • The internal hosts that appear are the ones sending data to the domain over DNS; treat them as compromised

  • SPLUNK

Select index=data_exfil and set the time range to All time, the equivalent of opening the PCAP file in Wireshark.

  • Counting by the query field makes tunneling traffic look rare: each request carries a unique, data-bearing subdomain, so no single value repeats and Splunk has nothing to aggregate.

  • To identify the tunneling domain, count and sort the DNS queries, the same idea as piping tcpdump output through sort | uniq -c. The tunneling names show up as a long tail of count-1 entries that all share the same parent domain:

      index=data_exfil sourcetype=dns_logs
      | stats count by query
      | sort -count

  • Suspicious domain found: <encoded data>.tunnelcorp.net, where the leftmost label changes on every request

Once the domain is identified, filter on it to see how many internal IPs are interacting with it and the volume of requests per IP.

Alternatively, filter on the domain directly:

index=data_exfil sourcetype=dns_logs query="*.tunnelcorp.net"

and inspect the src_ip field in the fields sidebar without additional stats.

Search by length, here queries longer than 30 characters:

index=data_exfil sourcetype=dns_logs | where len(query) > 30
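Putting the Wireshark and Splunk logic above into code, as an added example that is not part of the room or of this writeup: the script parses constructed dns_logs-style lines (the src_ip and query field names follow the Splunk section; the log lines, IPs and hex subdomains are invented), groups queries by registered domain so that the count-1 tunneling queries finally aggregate, scores the first label's length and entropy, and lists the requesting hosts per flagged domain the way Statistics → Conversations does. The thresholds min_unique and min_label_len are assumptions to tune per environment.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample lines shaped like the room's dns_logs sourcetype
# (src_ip and query fields). Invented data, not records from the lab.
SAMPLE_DNS_LOGS = """\
2024-01-15T10:00:01 src_ip=192.168.1.101 query=www.example.com
2024-01-15T10:00:02 src_ip=192.168.1.103 query=4a6f686e20446f6520535353.tunnelcorp.net
2024-01-15T10:00:02 src_ip=192.168.1.103 query=3132332d34352d3637383920.tunnelcorp.net
2024-01-15T10:00:03 src_ip=192.168.1.104 query=mail.example.com
2024-01-15T10:00:03 src_ip=192.168.1.103 query=70617373776f72643d687564.tunnelcorp.net
2024-01-15T10:00:04 src_ip=192.168.1.105 query=6578616d706c65206c696e65.tunnelcorp.net
2024-01-15T10:00:05 src_ip=192.168.1.101 query=www.example.com
"""

LOG_RE = re.compile(r"src_ip=(?P<src_ip>\S+)\s+query=(?P<query>\S+)")


def parse_dns_logs(text):
    """One {'src_ip', 'query'} dict per line that carries both fields."""
    matches = (LOG_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def registered_domain(query):
    """Last two labels of the name. A heuristic: names under a multi-label
    public suffix such as example.co.uk would need a public-suffix list."""
    labels = query.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_tunneling_domains(records, min_unique=3, min_label_len=20):
    """stats count by query hides tunneling because every query is unique;
    grouping by registered domain and counting unique subdomains exposes it.
    min_unique and min_label_len are assumed thresholds, not lab values."""
    names_by_domain = defaultdict(set)
    for r in records:
        names_by_domain[registered_domain(r["query"])].add(r["query"].lower())
    flagged = {}
    for domain, names in names_by_domain.items():
        first_labels = [n.split(".")[0] for n in names]
        avg_len = sum(map(len, first_labels)) / len(first_labels)
        avg_entropy = sum(map(shannon_entropy, first_labels)) / len(first_labels)
        if len(names) >= min_unique and avg_len > min_label_len:
            flagged[domain] = {"unique_subdomains": len(names),
                               "avg_label_len": round(avg_len, 1),
                               "avg_entropy": round(avg_entropy, 2)}
    return flagged


def top_talkers(records, domain):
    """Requests per source IP to the flagged domain, like Conversations."""
    return Counter(r["src_ip"] for r in records
                   if registered_domain(r["query"]) == domain)


if __name__ == "__main__":
    recs = parse_dns_logs(SAMPLE_DNS_LOGS)
    for dom, info in find_tunneling_domains(recs).items():
        print(dom, info, top_talkers(recs, dom).most_common())
```

On the sample, only tunnelcorp.net is flagged (four unique 24-character labels), and 192.168.1.103 is the top talker with three requests; example.com, with two short repeating names, is not. Grouping by registered domain is the step Splunk's stats count by query skips, which is why the raw counts looked low.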

Task 5 Detection: Data Exfil through FTP

  1. How many connections were observed from the guest account?

Ans: 5

USER and PASS are FTP request commands, and the credentials typed after them are their arguments, so filter on the argument: ftp.request.command == "USER" && ftp.request.arg == "guest". Each match is one USER command; check the tcp.stream number of the matches to confirm they belong to distinct connections.

  2. Apply the filter; what is the name of the customer-related file exfiltrated from the root account?

Ans: customer_data.xlsx

FTP streams observed transferring three files from the root account:

  • Stream 87 → customer_data.xlsx

  • Stream 97 → internal_passwords.csv

  • Stream 88 → secret_document.txt

  3. Which internal IP was found to be sending the largest payload to an external IP?

Ans: 192.168.1.105

  • Sort the FTP packets by length (the file contents travel on the separate ftp-data connection, not on the control channel)

  • Follow each stream (select a packet → right-click → Follow → TCP Stream)

  • Compare the stream sizes and identify the largest transfer; Statistics → Conversations, TCP tab, sorted by bytes, gives the same answer faster

  4. What is the flag hidden inside the FTP stream transferring the CSV file to the suspicious IP?

Ans: THM{ftp_exfil_hidden_flag}
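An added example, not from the room or from this writeup, that applies the same checks to FTP control streams in code: constructed stream records (invented IPs, stream numbers that only echo the ones listed above, and a data_bytes value standing in for the size of the matching ftp-data transfer) are parsed for USER and STOR commands to count connections per account, list the files each account uploaded, and total the bytes each internal host pushed to an address outside the assumed 192.168.1.0/24 range.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed client-side FTP control streams, as "Follow TCP Stream" would
# show them, plus the size of each stream's ftp-data transfer. Invented data,
# not the lab capture; the stream numbers only echo the ones listed above.
SAMPLE_FTP_STREAMS = [
    {"stream": 12, "src_ip": "192.168.1.101", "dst_ip": "203.0.113.10",
     "data_bytes": 0, "control": "USER guest\r\nPASS guest\r\nQUIT\r\n"},
    {"stream": 40, "src_ip": "192.168.1.101", "dst_ip": "203.0.113.10",
     "data_bytes": 512, "control": "USER guest\r\nPASS guest\r\nRETR readme.txt\r\nQUIT\r\n"},
    {"stream": 87, "src_ip": "192.168.1.105", "dst_ip": "203.0.113.10",
     "data_bytes": 48000, "control": "USER root\r\nPASS hunter2\r\nSTOR customer_data.xlsx\r\nQUIT\r\n"},
    {"stream": 88, "src_ip": "192.168.1.105", "dst_ip": "203.0.113.10",
     "data_bytes": 2048, "control": "USER root\r\nPASS hunter2\r\nSTOR secret_document.txt\r\nQUIT\r\n"},
    {"stream": 97, "src_ip": "192.168.1.103", "dst_ip": "203.0.113.10",
     "data_bytes": 9000, "control": "USER root\r\nPASS hunter2\r\nSTOR internal_passwords.csv\r\nQUIT\r\n"},
]

INTERNAL_NET = ip_network("192.168.1.0/24")  # assumed lab range; anything else is external


def parse_control(text):
    """Split a control stream into (COMMAND, argument) pairs, e.g. ('USER', 'guest')."""
    commands = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            cmd, _, arg = line.partition(" ")
            commands.append((cmd.upper(), arg))
    return commands


def session_account(stream):
    """Account name from the USER command, the value ftp.request.arg would show."""
    for cmd, arg in parse_control(stream["control"]):
        if cmd == "USER":
            return arg
    return None


def connections_by_account(streams):
    """Control connections per account (the guest-account count asked for above)."""
    return Counter(session_account(s) for s in streams)


def uploads_by_account(streams):
    """Files pushed to the server with STOR, keyed by the account that sent them."""
    uploads = defaultdict(list)
    for s in streams:
        for cmd, arg in parse_control(s["control"]):
            if cmd == "STOR":
                uploads[session_account(s)].append((s["stream"], arg))
    return uploads


def bytes_uploaded_externally(streams):
    """Bytes each internal host pushed (STOR) to a destination outside INTERNAL_NET.
    RETR streams are downloads and are not counted as outbound payload."""
    totals = Counter()
    for s in streams:
        external = ip_address(s["dst_ip"]) not in INTERNAL_NET
        uploads = any(cmd == "STOR" for cmd, _ in parse_control(s["control"]))
        if external and uploads:
            totals[s["src_ip"]] += s["data_bytes"]
    return totals


def largest_external_sender(streams):
    """(src_ip, bytes) of the host that sent the most data outside, or None."""
    totals = bytes_uploaded_externally(streams)
    return totals.most_common(1)[0] if totals else None


if __name__ == "__main__":
    print(connections_by_account(SAMPLE_FTP_STREAMS))
    print(dict(uploads_by_account(SAMPLE_FTP_STREAMS)))
    print(largest_external_sender(SAMPLE_FTP_STREAMS))
```

The direction check matters: a RETR stream can be just as large as a STOR stream, but only STOR moves data out, so sorting every ftp-data stream by size without looking at the command that opened it can point at the wrong host.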

Task 6 Detection: Data Exfil via HTTP

  1. Which internal compromised host was used to exfiltrate this sensitive data?

Ans: 192.168.1.103

  2. What's the flag hidden inside the exfiltrated data?

Ans: THM{http_raw_3xf1ltr4t10n_succ3ss}

  • Filtered HTTP POST requests and applied frame.len > 500, which showed multiple large outbound requests.

  • Raising the threshold to frame.len > 750 narrowed it down to a single suspicious POST request.

  • Used Follow → HTTP Stream to inspect the request and read the exfiltrated payload in its body.

  • Splunk:

Observed HTTP POST requests to api.cloudsync-services.com with more bytes sent than normal traffic.

Filtered POST requests with bytes_sent > 600 and focused on the src_ip, dest_ip, domain, URI path and bytes_sent fields.

The byte thresholds are tuned to this capture. On a real network, baseline POST sizes per host or per destination first, since legitimate uploads are large too.
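As an added example, not the author's or the room's code, this builds three constructed form POSTs (invented hosts, apart from api.cloudsync-services.com, which is the destination named above), applies the same size thresholds as the frame.len filters, and decodes the body of the one request that survives the higher threshold, including a base64 text field, which is the part you would otherwise read by hand in Follow HTTP Stream.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def build_request(method, path, host, fields):
    """Assemble a raw HTTP/1.1 form POST; used here only to construct samples."""
    body = urlencode(fields).encode()
    head = (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: Mozilla/5.0\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode() + body


# Constructed requests, not lab traffic. api.cloudsync-services.com is the
# destination named in the writeup; the exfil body is base64 of made-up CSV rows.
EXFIL_CSV = b"name,email,card_last4\n" + b"".join(
    f"user{i},user{i}@example.test,{1000 + i}\n".encode() for i in range(30))
SAMPLE_REQUESTS = [
    build_request("POST", "/login", "intranet.example.test",
                  {"user": "alice", "pass": "secret"}),
    build_request("POST", "/ticket", "intranet.example.test",
                  {"subject": "Printer", "body": "a" * 400}),
    build_request("POST", "/api/upload", "api.cloudsync-services.com",
                  {"id": 7, "data": base64.b64encode(EXFIL_CSV)}),
]


def parse_http_request(raw):
    """Request line, headers and body from raw bytes (what Follow HTTP Stream shows).
    frame_len is the request size; a real Ethernet frame adds about 54 bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "path": path, "host": headers.get("host", ""),
            "headers": headers, "body": body[:length], "frame_len": len(raw)}


def large_posts(raws, threshold):
    """POST requests bigger than threshold bytes, the frame.len > N filter."""
    return [r for r in map(parse_http_request, raws)
            if r["method"] == "POST" and r["frame_len"] > threshold]


def try_base64(value):
    """Decoded bytes if value is base64 that decodes to text, else None.
    The printable check rejects strings that merely happen to be valid base64."""
    if len(value) < 16 or len(value) % 4:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return None
    return raw if raw and all(b in PRINTABLE for b in raw) else None


def decode_form_body(req):
    """Form fields of a request, with base64-encoded text fields decoded."""
    out = {}
    for key, values in parse_qs(req["body"].decode("latin-1")).items():
        decoded = try_base64(values[0])
        out[key] = decoded if decoded is not None else values[0]
    return out


if __name__ == "__main__":
    for req in large_posts(SAMPLE_REQUESTS, 750):
        print(req["host"], req["path"], req["frame_len"])
        print(decode_form_body(req)["data"].decode()[:60])
```

With the 500-byte threshold both the help-desk ticket and the upload are returned; at 750 only the upload to api.cloudsync-services.com remains, which mirrors the narrowing described above. The 400-character ticket body is valid base64 by accident (its length is a multiple of four), and the printable-text check is what stops it from being "decoded" into garbage.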

Task 7 Detection: Data Exfiltration via ICMP

Wireshark filters used, from broad to narrow:

  • icmp → only ICMP traffic

  • icmp.type == 8 → echo requests only

  • icmp.type == 8 && frame.len > 100 → echo requests larger than a default ping (a Linux ping carries 56 bytes of data, a 98-byte frame on Ethernet; a Windows ping carries 32 bytes)

  • icmp && data.len > 64 → any ICMP packet whose payload exceeds the usual size

Exfiltration tools stuff file contents into the echo request payload, so oversized payloads, or payloads that do not show the usual ping byte pattern, stand out. Wireshark has no Follow Stream for ICMP, so read the Data field of the flagged packets in sequence-number order.

  1. What is the flag found in the exfiltrated data through ICMP?

Ans: THM{1cmp_3ch0_3xf1ltr4t10n_succ3ss}
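An added example, not part of the room or of this writeup: it constructs IPv4/ICMP echo requests from scratch (RFC 1071 checksum included; invented addresses in the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges), applies the data.len > 64 check together with a comparison against an assumed stock Linux and Windows ping payload, and reassembles the flagged payloads by sequence number, which is the manual step Wireshark cannot do for ICMP. The Linux payload layout used here (16-byte timestamp followed by an incrementing byte pattern) is an assumption about 64-bit iputils builds; other ping implementations differ, so in practice learn the baseline from the capture itself.

```python
import socket
import struct
from collections import defaultdict

# Assumed stock payloads. Linux: 16-byte timestamp then bytes 0x10..0x37
# (an assumption about 64-bit iputils); Windows: the fixed 32-byte alphabet.
LINUX_PATTERN = bytes(range(0x10, 0x38))
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def checksum(data):
    """RFC 1071 one's-complement checksum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src, dst, ident, seq, payload):
    """IPv4 + ICMP echo request bytes, without the Ethernet header.
    Used here only to construct sample packets."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp(pkt):
    """Addresses and ICMP fields of an IPv4 packet; None if it is not ICMP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        return None
    icmp = pkt[ihl:]
    typ, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "type": typ, "code": code, "id": ident, "seq": seq,
            "data": icmp[8:], "checksum_ok": checksum(icmp) == 0}


def is_default_ping_payload(data):
    """True for the assumed stock Linux (56-byte) or Windows (32-byte) payload."""
    return (len(data) == 56 and data[16:] == LINUX_PATTERN) or data == WINDOWS_PAYLOAD


def suspicious_reasons(p, max_len=64):
    """Why an echo request looks like exfil: too big (data.len > 64) and/or a
    payload that is not what ping normally sends."""
    reasons = []
    if len(p["data"]) > max_len:
        reasons.append("oversized")
    if not is_default_ping_payload(p["data"]):
        reasons.append("non-default payload")
    return reasons


def find_icmp_exfil(packets):
    """(parsed packet, reasons) for every suspicious echo request."""
    flagged = []
    for pkt in packets:
        p = parse_icmp(pkt)
        if p and p["type"] == 8:
            reasons = suspicious_reasons(p)
            if reasons:
                flagged.append((p, reasons))
    return flagged


def reassemble(flagged):
    """Join payloads per (src, dst, id) in sequence order."""
    streams = defaultdict(list)
    for p, _ in flagged:
        streams[(p["src"], p["dst"], p["id"])].append((p["seq"], p["data"]))
    return {k: b"".join(d for _, d in sorted(v)) for k, v in streams.items()}


# Constructed packets: two ordinary pings and a made-up CSV exfiltrated in
# 72-byte chunks, appended in reverse order the way out-of-order captures look.
EXFIL_TEXT = b"name,email\n" + b"".join(
    f"user{i},user{i}@example.test\n".encode() for i in range(8))
NORMAL_PAYLOAD = b"\x00" * 16 + LINUX_PATTERN
SAMPLE_PACKETS = [build_echo_request("192.168.1.101", "192.0.2.1", 0x1A2B, s, NORMAL_PAYLOAD)
                  for s in (1, 2)]
CHUNKS = [EXFIL_TEXT[i:i + 72] for i in range(0, len(EXFIL_TEXT), 72)]
for seq in reversed(range(len(CHUNKS))):
    SAMPLE_PACKETS.append(
        build_echo_request("192.168.1.103", "203.0.113.50", 0xBEEF, seq, CHUNKS[seq]))

if __name__ == "__main__":
    flagged = find_icmp_exfil(SAMPLE_PACKETS)
    for p, reasons in flagged:
        print(p["src"], "->", p["dst"], "seq", p["seq"], len(p["data"]), "bytes", reasons)
    print(reassemble(flagged))
```

The two normal pings pass both checks; the three chunks from 192.168.1.103 fail both and reassemble to the original text. Keying the reassembly on the ICMP identifier as well as the address pair keeps two tools pinging the same host from being merged into one stream.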

Congratulations on completing the room. I hope you enjoyed this walkthrough.

Keep Hunting!