T1567 Exfiltration Over Web Service Mappings

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-16 Security and Privacy Attributes Protects T1567 Exfiltration Over Web Service
AC-2 Account Management Protects T1567 Exfiltration Over Web Service
AC-20 Use of External Systems Protects T1567 Exfiltration Over Web Service
AC-23 Data Mining Protection Protects T1567 Exfiltration Over Web Service
AC-3 Access Enforcement Protects T1567 Exfiltration Over Web Service
AC-4 Information Flow Enforcement Protects T1567 Exfiltration Over Web Service
AC-6 Least Privilege Protects T1567 Exfiltration Over Web Service
CA-3 Information Exchange Protects T1567 Exfiltration Over Web Service
CA-7 Continuous Monitoring Protects T1567 Exfiltration Over Web Service
SA-8 Security and Privacy Engineering Principles Protects T1567 Exfiltration Over Web Service
SA-9 External System Services Protects T1567 Exfiltration Over Web Service
SC-28 Protection of Information at Rest Protects T1567 Exfiltration Over Web Service
SC-31 Covert Channel Analysis Protects T1567 Exfiltration Over Web Service
SC-7 Boundary Protection Protects T1567 Exfiltration Over Web Service
SI-3 Malicious Code Protection Protects T1567 Exfiltration Over Web Service
SI-4 System Monitoring Protects T1567 Exfiltration Over Web Service
SR-4 Provenance Protects T1567 Exfiltration Over Web Service

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1567.002 Exfiltration to Cloud Storage 3
T1567.001 Exfiltration to Code Repository 3