1. Home
  2. ATT&CK Techniques
  3. T1567 Exfiltration Over Web Service

T1567 Exfiltration Over Web Service Mappings

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
cloud_ids Cloud IDS technique_scores T1567 Exfiltration Over Web Service
Comments
Often used by adversaries to compromise sensitive data, Palo Alto Network's spyware signatures is able to detect data exfiltration attempts over command and control communications (e.g., WebShell). Although there are ways an attacker could exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.
References
  1. https://cloud.google.com/intrusion-detection-system
  2. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures
beyondcorp_enterprise BeyondCorp Enterprise technique_scores T1567 Exfiltration Over Web Service
Comments
This control can help mitigate adversaries that may try to steal data over web services. A threat actor gaining access to a corporate network can plant code to perform reconnaissance, discover privileged users’ credentials, and adversaries can use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. This can cause exfiltration to a command-and-control server out on the internet. Data loss prevention can be used to detect and block sensitive data being uploaded to web services via web browsers.
References
  1. https://cloud.google.com/beyondcorp-enterprise/docs/overview
security_command_center Security Command Center technique_scores T1567 Exfiltration Over Web Service
Comments
SCC ingests BigQueryAudit data access logs used to track sensitive data that is saved outside of an organization or attempts to access protected resources. This security solution detects exfiltration attacks that were attempted and completed to an external or public resource. Because of the near-real time temporal factor this control was graded as significant.
References
  1. https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview
  2. https://github.com/GoogleCloudPlatform/security-analytics
vpc_service_controls VPC Service Controls technique_scores T1567 Exfiltration Over Web Service
Comments
This control is able to mitigate against exfiltration of data over a web service. Data contained within a VPC network perimeter can not be moved to a Google cloud resource or service outside of the perimeter but may be moved to third party services or storage.
References
  1. https://cloud.google.com/vpc-service-controls/docs/overview

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1567.002 Exfiltration to Cloud Storage 4