Infringement
Disruption of Business Operations
Excessive Personal Use
Exfiltration via Email
Exfiltration via Media Capture
Exfiltration via Messaging Applications
Exfiltration via Other Network Medium
Exfiltration via Physical Medium
- Exfiltration via Bring Your Own Device (BYOD)
- Exfiltration via Disk Media
- Exfiltration via Floppy Disk
- Exfiltration via New Internal Drive
- Exfiltration via Physical Access to System Drive
- Exfiltration via Physical Documents
- Exfiltration via Target Disk Mode
- Exfiltration via USB Mass Storage Device
- Exfiltration via USB to Mobile Device
- Exfiltration via USB to USB Data Transfer
Exfiltration via Web Service
Harassment and Discrimination
Inappropriate Web Browsing
Installing Unapproved Software
Misappropriation of Funds
Non-Corporate Device
Providing Access to a Unauthorized Third Party
Public Statements Resulting in Brand Damage
Sharing on AI Chatbot Platforms
Theft
Unauthorized Changes to IT Systems
Unauthorized Printing of Documents
Unauthorized VPN Client
Unlawfully Accessing Copyrighted Material
- ID: IF004.006
- Created: 17th April 2025
- Updated: 17th April 2025
- Platforms: MacOS, Linux, Windows,
- Contributor: Lawrence Rake
Exfiltration via Python Listening Service
A subject may employ a Python-based listening service to exfiltrate organizational data, typically as part of a self-initiated or premeditated breach. Python’s accessibility and versatility make it a powerful tool for creating custom scripts capable of transmitting sensitive data to external or unauthorized internal systems.
In this infringement method, the subject configures a Python script—often hosted externally or on a covert internal system—to listen for incoming connections. A complementary script, running within the organization’s network (such as on a corporate laptop), transmits sensitive files or data streams to the listening service using common protocols such as HTTP or TCP, or via more covert channels including DNS tunneling, ICMP, or steganographic methods. Publicly available tools such as PyExfil can facilitate these operations, offering modular capabilities for exfiltrating data across multiple vectors.
Examples of Use:
- A user sets up a lightweight Python HTTP listener on a personal VPS and writes a Python script to send confidential client records over HTTPS.
- A developer leverages a custom Python socket script to transfer log data to a system outside the organization's network, circumventing monitoring tools.
- An insider adapts an open-source exfiltration framework like PyExfil to send data out via DNS queries to a registered domain.
Detection Considerations:
- Monitor for local Python processes opening network sockets or binding to uncommon ports.
- Generate alerts on outbound connections to unfamiliar IP addresses or those exhibiting anomalous traffic patterns.
- Utilize endpoint detection and response (EDR) solutions to flag scripting activity involving file access and external communications.
- Inspect Unified Logs, network flow data, and system audit trails for signs of unauthorized data movement or execution of custom scripts.
Prevention
| ID | Name | Description |
|---|---|---|
| PV015 | Application Whitelisting | By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves. |
| PV018 | Network Intrusion Prevention Systems | Network Intrusion Prevention Systems (NIPs) can alert on abnormal, suspicious, or malicious patterns of network behavior, and take autonomous actions to stop the behavior, such as resetting a network connection. |
| PV032 | Next-Generation Firewalls | Next-generation firewall (NGFW) network appliances and services provide the ability to control network traffic based on rules. These firewalls provide basic firewall functionality, such as simple packet filtering based on static rules and track the state of network connections. They can also provide the ability to control network traffic based on Application Layer rules, among other advanced features to control network traffic.
A example of simple functionality would be blocking network traffic to or from a specific IP address, or all network traffic to a specific port number. An example of more advanced functionality would be blocking all network traffic that appears to be SSH or FTP traffic to any port on any IP address. |
Detection
| ID | Name | Description |
|---|---|---|
| DT046 | Agent Capable of Endpoint Detection and Response | An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.
Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.
An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate). |
| DT045 | Agent Capable of User Activity Monitoring | An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.
The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).
Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.
Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms. |
| DT047 | Agent Capable of User Behaviour Analytics | An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.
The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.
A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.
Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms. |
| DT048 | Data Loss Prevention Solution | A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).
Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device. |