Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
cloud_ids | Cloud IDS | technique_scores | T1567 | Exfiltration Over Web Service |
beyondcorp_enterprise | BeyondCorp Enterprise | technique_scores | T1567 | Exfiltration Over Web Service |
security_command_center | Security Command Center | technique_scores | T1567 | Exfiltration Over Web Service |
vpc_service_controls | VPC Service Controls | technique_scores | T1567 | Exfiltration Over Web Service |

Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1567.002 | Exfiltration to Cloud Storage | 4 |