TRAINING 6 – In & Out: Network Data Exfiltration Techniques


CAPACITY: 20 pax


USD2299 (early bird)

USD3299 (normal)

Early bird registration rate ends on the 30th of September


The In&Out Network Exfiltration Techniques training class has been designed to present students the modern and emerging tools and techniques available for network data exfiltration, testing and bypassing DLP/IDS/IPS/FW systems, protocol tunneling, hiding, pivoting and generating malicious network events. Highly technical content and only a hands-on practical approach guarantees that the usage of this transferred knowledge & technologies in real production environments will be easy, smooth and repeatable.

As for the introduction we will cover the latest APT-style campaigns using malware samples, analyze the top C2 network communication techniques seeing in the wild and map the findings directly to ATT&CK Framework, kill chain methodology and defense in depth strategy. We will also go slightly(with live examples OFC!) through the importance of network baselining, memory forensics, automated malware analysis systems and finally the real threat simulation tactics which are the key important aspects of this training.

Next, we will deep dive into the individual network protocols, services and techniques commonly in use by adversaries in corporate networks and discuss the characteristic security detection features. Using available set of tools (more than 50 different tools and frameworks – check the Keywords section list below), the student will play one by one with well prepared exfiltration, pivoting and tunneling use-cases to generate the true network symptoms of modern attacker behavior.

Who Should Attend

●  Red and Blue team members

●  Security / Data Analytics

●  CIRT / Incident Response Specialists

●  Network Security Engineers

●  SOC members and SIEM Engineers

●  AI / Machine Learning Developers

●  Chief Security Officers and IT Security Directors

Key Learning Objectives

  • run a different types of TCP/UDP reverse and bind shells across Windows and Linux systems, pivot to the next subnets, configure a port forwarding & proxying and what are the network traffic artifacts of such actions

●  manually generate a single malicious packets, ex. to saturate a DHCP server using Python, flood the network service from C code or start a BF by using hydra or medusa

●  generate your own malicious payloads and raw TCP/UDP custom encrypted traffic channels undetectable by security products

●  simulate DNS DGA traffic, run a DNS TXT tunnels and remote shells, exfiltrate data using DNS MX and how to gain the Internet connection on the plane or in the hotel for free!

●  clone, armor and phish popular websites

●  achieve a big file ICMP packet dripping covert channel and monitor ICMP traffic

●  use a different HTTP headers and methods for stealing the data also with

combination of web application injection techniques and walk through the world of


●  detect and understand a TLS/SSL-based anomalies and exfiltration techniques

●  run a Powershell scripts in post-exploitation stage for leaking the data and bypass


●  cheat a security platforms by running internal WMI, Websockets, VOIP or P2P covert


●  hide a stolen data in binary file, WAV file, Image file or exfiltrate data from air-gapped

system using hops

●  configure the station to connect to anonymizers like external VPN, TOR, Open proxy

and ‘ping’ to the IP/domains tagged on the globally recognized security feeds, rules

or phishy lists

●  use a popular cloud-based services for C2 communication and data stealing, ex.

Pastebin, Twitter and many more

●  replay a malicious PCAP files and in terms of network behaviour and analyze the

malware samples using Cuckoo

●  the syntax of signature-based rules works, how Suricata or Bro IDS can help you

detect adversary tactics and what are the differences between this two IDS engines

●  and a combination of many, many more.

Through hands-on lab exfiltration, this training delivers you a bigger picture of what you really need to care about when thinking initially or improving lately your SOC environment or Red and Blue team skills, your SIEM deployments, your DLP/IDS/IPS installations or Machine-Learning and anomaly detection security solutions.

All the above training description is based on pure hands-on laboratory where student will run every single action or chained scenarios on his own in the dedicated virtual-lab network. This class will focus on x86/x64 architecture, IPv4/IPv6 networks and target Linux and Windows environments.

In terms of IDS/IPS/Data Leakage Protection and for better understanding the current status of your network security posture, the training experience will help you understand risks, identify network security blind spots and unexpected, uncovered spaces by simulating a real, offensive cyber adversary network behavior. Become confident that your network security really works!

Preequisite Knowledge

●  An intermediate level of command line syntax experience using Linux and Windows

●  Fundament knowledge of TCP/IP network protocols

●  Penetration testing experience performing enumeration, exploiting, and lateral

movement is beneficial, but not required

●  Basic programming skills is a plus, but not essential

Hardware / Software Requirements

●  At least 20GB of free disk space

●  At least 8GB of RAM

●  Students should have the latest Virtualbox installed on their machine

●  Full Admin access on your laptop


    1. 1. Introduction:

a. ATT&CK Framework API. b. Caldera.
c. MAEC.

  1. Kill chain & Defense in depth.
  2. The importance of:i. network traffic baseline profiling ii. memory forensicsiii. real threat simulations != penetration tests iv. log correlation
  1. Modern RAT’s implementation and popular APT&C2 malware communication design – real use cases:
    1. The review of the latest APT campaigns
    2. Multi-Staging
    3. Network Link chaining
    4. Hiding
    5. Data Obfuscation
    6. Transfer/protocol limits
    7. Timing channels / scheduled jobs / packet dripping
  2. TCP/UDP bind and reverse shells:

a. Meterpreter + Veil Framework:

  1. bypassing payloads
  2. common and exotic ports
  3. routing, pivoting & port forwarding
  1. CLI
    1. netcat/nc/telnet/socat/curl/wget/xxd/rsync
    2. /dev/tcp
    3. PTY
    4. PHP / Perl / Python / Ruby / Java / ASP shellz
  2. TCP/UDP raw socket tunnels
  3. Generate your own network shellcode & analyze the Exploit-db ShellcodeArchive

4. General bypassing, exfiltration, tunneling, pivoting and proxying techniques:

  1. ICMP
  2. DNS:
    1. Authoritative vs recursive
    2. CDN theory
    3. Fast-flux domains
    4. Dictionary and random characters DGA
    5. DNS proxy
    6. DNS anomalies
  3. HTTP/S & web application exploitation techniques combo:

tips & tricks:

  1. HTTP 404
  2. HTTP headers:1. Etag
    2. Cookies
    3. User-agent
    4. Accept
    5. If-None-match
  4. Website cloning and armoring
  5. Certificate exfiltration & TLS/SSL anomalies
  6. *Injections + exfiltration
  7. HTTP redirects
  8. Webshells
  9. HTTP anomalies
  1. Websockets
  2. WMI / PS-remote
  3. Proxy / Socks
  5. FTP / TFTP
  6. SMB / NFS
  7. RDP
  8. Anonymizers:
    1. VPN
    2. TOR
    3. Open Proxy
  9. POP3 / SMTP / IMAP
  10. VOIP
  11. P2P
  12. IRC
  13. IPv6
  14. + chaining of aboves and many more.

5. Cloud-based exfiltration and C2 channels:

  1. Twitter
  2. Pastebin
  3. Github
  4. Slack
  5. Youtube
  6. Gmail / Google Docs
  7. AWS / Google Cloud
  8. Skype
  9. Dropbox

j. Soundcloud k. Tumblr

  1. Windows & Powershell exfiltration tools.
  2. Just a Browser Exfiltration:

a. audio/video exfil b. keylogging

  1. Hoping from air-gapped networks.
  2. USB attacks and network exfiltration combo.
  3. The art of data hiding → steganography examples:
    1. Binary
    2. WAV
    3. Image
    4. VOIP
    5. Routing Protocol
    6. Screen
  4. Signature-based event analytics, rule bypassing & malicious network traffic generation:
    1. Suricata ET / VRT rules vs attacker → the syntax rules of the rules
    2. Bro IDS log “features” for deep low-level network baselining
    3. Threat Intelligence feeds, lists and 3rd party APIs:i. IP reputation lists ii. Malware feeds iii. Phishing feedsiv. C2 lists
      v. Open Proxy listsvi. Tor exit-nodes
      vii. Censys / VT / Passive Totalviii. Shodan
    4. Replaying and analysing malicious PCAP files.
  5. Adversary simulation moves, actions, tools & automated platforms:
    1. In&Out Simulated Network Exfiltration Platform
    2. APT simulator
    3. Dumpster Fire
    4. Firebolt
    5. Flightsim
    6. Armoring:
      1. Nmap NSE scripts
      2. MiTM/Spoofing/TCP flooding
      3. Port Knocking
  1. Brute force
  2. DHCP starvation
  3. Info disclosure on SMB/CIFS shares

13. Summary → recommended defensive/protection tactics, tools and platforms.


Location: Date: November 25, 2018 Time: 9:00 am - 6:00 pm Leszek Mis