T1567 Exfiltration Over Web Service Mappings

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
AC-20 | Use of External Systems | Protects | T1567 | Exfiltration Over Web Service |
AC-4 | Information Flow Enforcement | Protects | T1567 | Exfiltration Over Web Service |
SC-7 | Boundary Protection | Protects | T1567 | Exfiltration Over Web Service |
azure_sentinel | Azure Sentinel | technique_scores | T1567 | Exfiltration Over Web Service | see comments
    Comments: This control provides minimal coverage of both of this technique's sub-techniques and of some of its procedure examples, resulting in an overall score of Minimal. The Azure Sentinel Analytics "Malformed user agent" query can detect potential exfiltration over a web service by malicious code that uses a hard-coded user agent string, or possibly data encoded in the user agent string.
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1567 | Exfiltration Over Web Service | see comments
    Comments: This control can identify large-volume potential exfiltration activity and log user activity potentially related to exfiltration via web services. A relevant alert is "Unusual file download (by user)".
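The "Malformed user agent" detection mentioned in the Azure Sentinel comment is easy to reason about with a small standalone checker. The Python below is an added example, not code from MITRE, the mappings project or Microsoft's analytics rule: the proxy log format and the log lines are constructed for this example, and the heuristics it applies (empty user agent, no leading product/version token, a long high-entropy base64-like token that could carry encoded data) are assumptions about what "malformed" means, not the query's actual logic.

```python
import math
import re
from dataclasses import dataclass

# Constructed proxy log lines (not from any real environment):
# timestamp  src_ip  dest_host  bytes_out  "user_agent"
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 drive.example.com 1024 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36"
2024-03-01T10:00:02Z 10.0.0.7 api.github.com 2048 "git/2.43.0"
2024-03-01T10:00:03Z 10.0.0.9 storage.example.com 65536 "updater"
2024-03-01T10:00:04Z 10.0.0.9 storage.example.com 65536 "Mozilla/4.0 c2VjcmV0IGRhdGEgY2h1bmsgMDAxIG9mIDA0Mg=="
2024-03-01T10:00:05Z 10.0.0.11 pastebin.example.com 512 ""
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "(.*)"$')
# Conventional user agents open with a product/version token (Mozilla/5.0, git/2.43.0, curl/8.5.0).
PRODUCT_TOKEN_RE = re.compile(r'^[A-Za-z][\w.\-]*/\d[\w.]*')
# A run of base64-alphabet characters long enough to carry data rather than a version string.
B64_RUN_RE = re.compile(r'[A-Za-z0-9+/]{24,}={0,2}')


@dataclass
class Finding:
    src_ip: str
    dest_host: str
    user_agent: str
    reasons: list


def shannon_entropy(s: str) -> float:
    """Bits per character; a version string scores low, encoded data scores high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def assess_user_agent(ua: str) -> list:
    """Return the reasons a user agent looks malformed; an empty list means it looks ordinary."""
    reasons = []
    if not ua.strip():
        reasons.append("empty user agent")
        return reasons
    if not PRODUCT_TOKEN_RE.match(ua):
        reasons.append("does not start with a product/version token")
    for run in B64_RUN_RE.findall(ua):
        # Threshold of 4.0 bits is an assumption chosen for this example.
        if shannon_entropy(run) > 4.0:
            reasons.append(f"high-entropy base64-like token ({len(run)} chars)")
            break
    return reasons


def scan_log(log_text: str) -> list:
    """Parse the constructed log format and return one Finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        _ts, src_ip, dest_host, _bytes_out, ua = m.groups()
        reasons = assess_user_agent(ua)
        if reasons:
            findings.append(Finding(src_ip, dest_host, ua, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.src_ip} -> {f.dest_host}: {f.user_agent!r}: {', '.join(f.reasons)}")
```

On the sample lines the browser and git requests pass, while the bare "updater" string, the user agent carrying a base64 blob, and the empty user agent are each reported with the reason that triggered them. In practice a detection like this is most useful when combined with the volume signal the Cloud App Security comment describes, since many legitimate tools also send terse or unusual user agents.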

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1567.002 | Exfiltration to Cloud Storage | 6
T1567.001 | Exfiltration to Code Repository | 6