T1567 Exfiltration Over Web Service

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-03.01 Alternative resilience mechanisms Mitigates T1567 Exfiltration Over Web Service
Comments
This diagnostic statement protects against Exfiltration Over Web Service through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
References
    PR.DS-10.01 Data-in-use protection Mitigates T1567 Exfiltration Over Web Service
    Comments
    This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
    References
      PR.PS-01.09 Virtualized end point protection Mitigates T1567 Exfiltration Over Web Service
      Comments
      The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may use may use an existing VM leveraging a legitimate external Web service to exfiltrate data rather than their primary command and control channel. The use of hypervisor application control may detect and block this type of behavior from occurring.
      References
        PR.IR-04.01 Utilization monitoring Mitigates T1567 Exfiltration Over Web Service
        Comments
        This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
        References

          NIST 800-53 Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          CA-07 Continuous Monitoring mitigates T1567 Exfiltration Over Web Service
          AC-23 Data Mining Protection mitigates T1567 Exfiltration Over Web Service
          CA-03 Information Exchange mitigates T1567 Exfiltration Over Web Service
          SA-09 External System Services mitigates T1567 Exfiltration Over Web Service
          SC-31 Covert Channel Analysis mitigates T1567 Exfiltration Over Web Service
          SR-04 Provenance mitigates T1567 Exfiltration Over Web Service
          SC-28 Protection of Information at Rest mitigates T1567 Exfiltration Over Web Service
          SI-03 Malicious Code Protection mitigates T1567 Exfiltration Over Web Service
          AC-16 Security and Privacy Attributes mitigates T1567 Exfiltration Over Web Service
          AC-20 Use of External Systems mitigates T1567 Exfiltration Over Web Service
          SA-08 Security and Privacy Engineering Principles mitigates T1567 Exfiltration Over Web Service
          SI-04 System Monitoring mitigates T1567 Exfiltration Over Web Service
          AC-02 Account Management mitigates T1567 Exfiltration Over Web Service
          AC-03 Access Enforcement mitigates T1567 Exfiltration Over Web Service
          AC-04 Information Flow Enforcement mitigates T1567 Exfiltration Over Web Service
          AC-06 Least Privilege mitigates T1567 Exfiltration Over Web Service
          SC-07 Boundary Protection mitigates T1567 Exfiltration Over Web Service

          VERIS Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          action.malware.variety.Export data Export data to another site or system related-to T1567 Exfiltration Over Web Service
          attribute.confidentiality.data_disclosure None related-to T1567 Exfiltration Over Web Service

          Azure Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          microsoft_sentinel Microsoft Sentinel technique_scores T1567 Exfiltration Over Web Service
          Comments
          This control provides minimal coverage to both of this technique's sub-techniques as well as some of its procedure examples, resulting in an overall score of Minimal. The Microsoft Sentinel Analytics "Malformed user agent" query can detect potential exfiltration over a web service by malicious code with a hard-coded user agent string, or possibly data encoded via the user agent string.
          References

          GCP Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          chrome_enterprise_premium Chrome Enterprise Premium technique_scores T1567 Exfiltration Over Web Service
          Comments
          Chrome Enterprise Premium provides Data Loss Prevention (DLP) features that can detect and block sensitive data for files that are uploaded and downloaded and for content that is pasted or dragged and dropped via the Chrome browser. This can provide protection against adversaries that may try to steal data over network protocols.
          References
          cloud_ids Cloud IDS technique_scores T1567 Exfiltration Over Web Service
          Comments
          Often used by adversaries to compromise sensitive data, Palo Alto Network's spyware signatures is able to detect data exfiltration attempts over command and control communications (e.g., WebShell). Although there are ways an attacker could exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.
          References
          security_command_center Security Command Center technique_scores T1567 Exfiltration Over Web Service
          Comments
          SCC ingests BigQueryAudit data access logs used to track sensitive data that is saved outside of an organization or attempts to access protected resources. This security solution detects exfiltration attacks that were attempted and completed to an external or public resource. Because of the near-real time temporal factor this control was graded as significant.
          References
          vpc_service_controls VPC Service Controls technique_scores T1567 Exfiltration Over Web Service
          Comments
          This control is able to mitigate against exfiltration of data over a web service. Data contained within a VPC network perimeter can not be moved to a Google cloud resource or service outside of the perimeter but may be moved to third party services or storage.
          References

          AWS Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          amazon_guardduty Amazon GuardDuty technique_scores T1567 Exfiltration Over Web Service
          Comments
          The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel. Exfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual
          References

          M365 Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          DEF-CAPP-E5 Defender for Cloud Apps Technique Scores T1567 Exfiltration Over Web Service
          DEF-CAPP-E5 Defender for Cloud Apps Technique Scores T1567 Exfiltration Over Web Service
          Comments
          This control can identify large volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. A relevant alert is "Unusual file download (by user)".
          References
          DEF-SSCO-E3 Secure Score Technique Scores T1567 Exfiltration Over Web Service
          Comments
          Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action. To help you find the information you need more quickly, Microsoft recommended actions are organized into groups: Identity (Microsoft Entra accounts & roles) Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices) Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps) Data (through Microsoft Information Protection)
          References
          DEF-AIR-E5 Automated Investigation and Response Technique Scores T1567 Exfiltration Over Web Service
          Comments
          Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help. AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc. Required licenses E5 or Microsoft Defender for Office 365 Plan 2 licenses.
          References
          DEF-ATH-E5 Advanced Threat Hunting Technique Scores T1567 Exfiltration Over Web Service
          Comments
          Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch. Advanced Threat Hunting Detects Exfiltration Over Web Service attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitors for newly constructed network connections. License Requirements: Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2
          References
          PUR-INPR-E5 Information Protection Technique Scores T1567 Exfiltration Over Web Service
          Comments
          Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. Information Protection Protects from Exfiltration Over Web Service attacks due to it preventing users from uploading unprotected data to the cloud, by using the Defender for Cloud Apps session controls. License Requirements: Microsoft Defender for Office 365 plan 1 and plan 2
          References

          ATT&CK Subtechniques

          Technique ID Technique Name Number of Mappings
          T1567.004 Exfiltration Over Webhook 13
          T1567.001 Exfiltration to Code Repository 9
          T1567.003 Exfiltration to Text Storage Sites 9
          T1567.002 Exfiltration to Cloud Storage 14