Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1567 | Exfiltration Over Web Service |
Comments
This diagnostic statement protects against Exfiltration Over Web Service through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
References
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1567 | Exfiltration Over Web Service |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
References
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1567 | Exfiltration Over Web Service |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may use may use an existing VM leveraging a legitimate external Web service to exfiltrate data rather than their primary command and control channel. The use of hypervisor application control may detect and block this type of behavior from occurring.
References
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1567 | Exfiltration Over Web Service |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Export data | Export data to another site or system | related-to | T1567 | Exfiltration Over Web Service | |
| attribute.confidentiality.data_disclosure | None | related-to | T1567 | Exfiltration Over Web Service |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1567 | Exfiltration Over Web Service |
Comments
This control provides minimal coverage to both of this technique's sub-techniques as well as some of its procedure examples, resulting in an overall score of Minimal.
The Microsoft Sentinel Analytics "Malformed user agent" query can detect potential exfiltration over a web service by malicious code with a hard-coded user agent string, or possibly data encoded via the user agent string.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| chrome_enterprise_premium | Chrome Enterprise Premium | technique_scores | T1567 | Exfiltration Over Web Service |
Comments
Chrome Enterprise Premium provides Data Loss Prevention (DLP) features that can detect and block sensitive data for files that are uploaded and downloaded and for content that is pasted or dragged and dropped via the Chrome browser. This can provide protection against adversaries that may try to steal data over network protocols.
References
|
| cloud_ids | Cloud IDS | technique_scores | T1567 | Exfiltration Over Web Service |
Comments
Often used by adversaries to compromise sensitive data, Palo Alto Network's spyware signatures is able to detect data exfiltration attempts over command and control communications (e.g., WebShell).
Although there are ways an attacker could exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.
References
|
| security_command_center | Security Command Center | technique_scores | T1567 | Exfiltration Over Web Service |
Comments
SCC ingests BigQueryAudit data access logs used to track sensitive data that is saved outside of an organization or attempts to access protected resources. This security solution detects exfiltration attacks that were attempted and completed to an external or public resource. Because of the near-real time temporal factor this control was graded as significant.
References
|
| vpc_service_controls | VPC Service Controls | technique_scores | T1567 | Exfiltration Over Web Service |
Comments
This control is able to mitigate against exfiltration of data over a web service. Data contained within a VPC network perimeter can not be moved to a Google cloud resource or service outside of the perimeter but may be moved to third party services or storage.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1567 | Exfiltration Over Web Service |
Comments
The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.
Exfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1567.004 | Exfiltration Over Webhook | 10 |
| T1567.001 | Exfiltration to Code Repository | 7 |
| T1567.003 | Exfiltration to Text Storage Sites | 9 |
| T1567.002 | Exfiltration to Cloud Storage | 11 |