Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Export data | Export data to another site or system | related-to | T1567 | Exfiltration Over Web Service | |
| attribute.confidentiality.data_disclosure | None | related-to | T1567 | Exfiltration Over Web Service | |
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1567 | Exfiltration Over Web Service |
Comments
The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.
Exfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1567.004 | Exfiltration Over Webhook | 3 |
| T1567.001 | Exfiltration to Code Repository | 3 |
| T1567.003 | Exfiltration to Text Storage Sites | 3 |
| T1567.002 | Exfiltration to Cloud Storage | 3 |