Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1567 | Exfiltration Over Web Service |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1567.004 | Exfiltration Over Webhook | 1 |
| T1567.001 | Exfiltration to Code Repository | 1 |
| T1567.003 | Exfiltration to Text Storage Sites | 1 |
| T1567.002 | Exfiltration to Cloud Storage | 1 |