{"id":1386,"date":"2026-01-07T03:09:28","date_gmt":"2026-01-07T03:09:28","guid":{"rendered":"https:\/\/zombierollz.blog\/?p=1386"},"modified":"2026-01-07T03:09:28","modified_gmt":"2026-01-07T03:09:28","slug":"data-exfiltration-detection","status":"publish","type":"post","link":"https:\/\/zombierollz.blog\/?p=1386","title":{"rendered":"Data Exfiltration Detection"},"content":{"rendered":"\n

https:\/\/tryhackme.com\/room\/dataexfildetection
Created by: tryhackme, Dex01<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

There are two software we will be using in this lab: Wireshark and Splunk. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In Task 3, THM goes over Data exfiltration and various threat actors and their data exfiltration methods. Pet THM, “Data exfiltration is the unauthorized transfer of data from an organization to an external destination controlled by an adversary. It can be deliberate (insider) or via malware \/ compromised credentials.”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Going into task 4, THM has us go into Wireshark to investigate the dns pcap file.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What is the suspicious domain receiving the DNS traffic?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“How many suspicious traffic\/logs related to dns tunneling were observed?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“Which local IP sent the maximum number of suspicious requests?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In the next task, we focus on ftp traffic and go back to Wireshark to analyze it.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

“How many connections were observed from the guest account?” 5<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“Apply the filter; what is the name of the customer-related file exfiltrated from the root account?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“Which internal IP was found to be sending the largest payload to an external IP?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What is the flag hidden inside the ftp stream transferring the CSV file to the suspicious IP?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Task 6 focuses on HTTP!<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“Which internal compromised host was used to exfiltrate this sensitive data?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What’s the flag hidden inside the exfiltrated data?”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

For our last task, we are focusing on ICMP!<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

“What is the flag found in the exfiltrated data through ICMP?”

THM assists us with finding this flag. It’s still kind of hard to read, so what I did was copy the contents as base64, then used CyberChef to assist with getting it to read better.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"

https:\/\/tryhackme.com\/room\/dataexfildetectionCreated by: tryhackme, Dex01 There are two software we will be using in this lab: Wireshark and Splunk. In Task 3, THM goes over Data exfiltration and various threat actors and their data exfiltration methods. Pet THM, “Data exfiltration is the unauthorized transfer of data from an organization to an external destination controlled by an […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1386","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"blocksy_meta":[],"_links":{"self":[{"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/posts\/1386","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1386"}],"version-history":[{"count":4,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/posts\/1386\/revisions"}],"predecessor-version":[{"id":1414,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/posts\/1386\/revisions\/1414"}],"wp:attachment":[{"href":"https:\/\/zombierollz.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}