T1567 Exfiltration Over Web Service Mappings

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-20 Use of External Systems Protects T1567 Exfiltration Over Web Service
AC-4 Information Flow Enforcement Protects T1567 Exfiltration Over Web Service
SC-7 Boundary Protection Protects T1567 Exfiltration Over Web Service
action.malware.variety.Export data Export data to another site or system related-to T1567 Exfiltration Over Web Service
amazon_guardduty Amazon GuardDuty technique_scores T1567 Exfiltration Over Web Service

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1567.002 Exfiltration to Cloud Storage 5
T1567.001 Exfiltration to Code Repository 5