Application Control Bypass for Data Exfiltration (Tue, Mar 31st)
ID: 1074b309-eb74-5972-ae12-e71f008eb2ee
STIX ID: report--1074b309-eb74-5972-ae12-e71f008eb2ee
Feed Name: SANS ISC Diary
This report demonstrates a proof-of-concept technique to exfiltrate data through an allowed TCP port by splitting a file into ~3KB chunks and sending each chunk over its own short-lived TCP connection. This circumvents Palo Alto App-ID (and similar NGFW application classification), which requires several kilobytes of payload before it can reliably classify and block traffic. The author successfully reconstructed a file remotely, and discusses the detection limitations along with potential flags for defenders: many small connections, IDS signatures, and encryption.