T1567 Exfiltration Over Web Service Mappings

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1567 | Exfiltration Over Web Service | See Comments below
Comments
Intel Threat Detection Technology (TDT), in combination with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enables faster, real-time detection of Exfiltration Over Web Services (T1041). This integrated solution enhances CrowdStrike Falcon, improving its ability to detect and mitigate threats earlier in the kill chain while minimizing system impact.

Exfiltration Over Web Services involves adversaries using web-based protocols (such as HTTP, HTTPS, or APIs) to covertly send stolen data from an infected system to an external server or command-and-control infrastructure. Because this traffic blends in with legitimate web traffic, it often evades traditional security mechanisms.

Intel TDT helps identify these threats by providing real-time telemetry on program execution, memory access, and control flow. This telemetry supports rapid detection of abnormal behaviors, such as unusual API calls, HTTP traffic patterns, or data flows indicative of exfiltration.