Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-20 | Use of External Systems | Protects | T1567 | Exfiltration Over Web Service |
| AC-4 | Information Flow Enforcement | Protects | T1567 | Exfiltration Over Web Service |
| SC-7 | Boundary Protection | Protects | T1567 | Exfiltration Over Web Service |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1567 | Exfiltration Over Web Service |
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1567 | Exfiltration Over Web Service |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1567.002 | Exfiltration to Cloud Storage | 5 |
| T1567.001 | Exfiltration to Code Repository | 5 |