Exfiltration Over Web Service

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

ID: T1567
Sub-techniques: T1567.001, T1567.002, T1567.003, T1567.004
Tactic: Exfiltration
Platforms: ESXi, Linux, Office Suite, SaaS, Windows, macOS
Contributors: William Cain
Version: 1.5
Created: 09 March 2020
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
S0622 AppleSeed

AppleSeed has exfiltrated files using web services.[1]

G0007 APT28

APT28 can exfiltrate data over Google Drive.[2]

C0051 APT28 Nearest Neighbor Campaign

During APT28 Nearest Neighbor Campaign, APT28 exfiltrated data over public-facing web servers such as Google Drive.[3]

G1043 BlackByte

BlackByte has used services such as anonymfiles.com and file.io to exfiltrate victim data.[4]

C0017 C0017

During C0017, APT41 used Cloudflare services for data exfiltration.[5]

S0547 DropBook

DropBook has used legitimate web services to exfiltrate data.[6]

S1179 Exbyte

Exbyte exfiltrates collected data to online file hosting sites such as Mega.co.nz.[7][8]

G0059 Magic Hound

Magic Hound has used the Telegram API sendMessage to relay data on compromised devices.[9]

S0508 ngrok

ngrok has been used by threat actors to configure servers for data exfiltration.[10]

S1171 OilCheck

OilCheck can upload documents from compromised hosts to a shared Microsoft Office 365 Outlook email account for exfiltration.[11]

S1168 SampleCheck5000

SampleCheck5000 can use the Microsoft Office Exchange Web Services API to access an actor-controlled account and retrieve files for exfiltration.[12][11]

Mitigations

ID Mitigation Description
M1057 Data Loss Prevention

Data loss prevention can detect and block sensitive data being uploaded to web services via web browsers.

M1021 Restrict Web-Based Content

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Review logs for SaaS services, including Office 365 and Google Workspace, to detect the configuration of new webhooks or other features that could be abused to exfiltrate data.

Analytic 1 - Detecting Large File Uploads to Web Services

(EventCode="FileUploaded" OR EventCode="PutObject" OR source="O365_audit" OR source="Google_Admin_Logs")
| where file_size > 5000000
| stats count by _time, host, user, action, service_name, file_size
| where count >= 3
| eval risk_score=case(file_size > 50000000, 9, file_size > 5000000, 8)
| where risk_score >= 8
| table _time, host, user, action, service_name, file_size, risk_score

The first where clause keeps only files larger than 5 MB; in the case() expression a file over 50 MB is scored 9 as a high-risk large transfer and a file over 5 MB is scored 8.
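The analytic above expressed as a small, runnable detection in Python. This is an added example, not part of the ATT&CK page or any vendor product; the event records, hostnames and user names are constructed. It keeps the page's thresholds (5 MB filter, 50 MB high-risk tier, at least three uploads) but groups by principal and service rather than by every event field, so that the count threshold applies to a user's upload burst instead of to identical events.

```python
"""Large-upload analytic over constructed SaaS audit events (added example)."""
from collections import defaultdict

MB = 1_000_000
UPLOAD_THRESHOLD = 5 * MB       # the analytic's 5 MB filter
HIGH_RISK_THRESHOLD = 50 * MB   # the analytic's 50 MB high-risk tier
MIN_UPLOADS = 3                 # the analytic's count >= 3

# Constructed sample events modelled on the fields named in the analytic
# (_time, host, user, action, service_name, file_size). Not real log data.
SAMPLE_EVENTS = [
    {"_time": "2025-04-15T09:01:00Z", "host": "ws-12", "user": "alice",
     "action": "FileUploaded", "service_name": "Google Drive", "file_size": 2 * MB},
    {"_time": "2025-04-15T09:02:00Z", "host": "ws-12", "user": "alice",
     "action": "FileUploaded", "service_name": "Google Drive", "file_size": 12 * MB},
    {"_time": "2025-04-15T09:03:00Z", "host": "ws-12", "user": "alice",
     "action": "FileUploaded", "service_name": "Google Drive", "file_size": 60 * MB},
    {"_time": "2025-04-15T09:04:00Z", "host": "ws-12", "user": "alice",
     "action": "FileUploaded", "service_name": "Google Drive", "file_size": 8 * MB},
    {"_time": "2025-04-15T09:10:00Z", "host": "ws-07", "user": "bob",
     "action": "PutObject", "service_name": "S3", "file_size": 70 * MB},
]


def score_upload(file_size):
    """Risk tier for a single upload: 9 above 50 MB, 8 above 5 MB, else None."""
    if file_size > HIGH_RISK_THRESHOLD:
        return 9
    if file_size > UPLOAD_THRESHOLD:
        return 8
    return None


def detect_large_uploads(events, min_uploads=MIN_UPLOADS):
    """Group uploads above the 5 MB filter by (host, user, service) and alert
    when one principal made at least min_uploads of them. The alert's risk
    score is the highest tier seen in the group."""
    groups = defaultdict(list)
    for e in events:
        if e["file_size"] > UPLOAD_THRESHOLD:
            groups[(e["host"], e["user"], e["service_name"])].append(e)

    alerts = []
    for (host, user, service), evs in groups.items():
        if len(evs) < min_uploads:
            continue
        alerts.append({
            "host": host,
            "user": user,
            "service_name": service,
            "upload_count": len(evs),
            "total_bytes": sum(e["file_size"] for e in evs),
            "largest_file": max(e["file_size"] for e in evs),
            "risk_score": max(score_upload(e["file_size"]) for e in evs),
        })
    return sorted(alerts, key=lambda a: -a["risk_score"])


if __name__ == "__main__":
    for alert in detect_large_uploads(SAMPLE_EVENTS):
        print(alert)
```

With the constructed events, alice's three uploads over 5 MB to Google Drive produce one alert scored 9 (because of the 60 MB file); bob's single 70 MB upload is large but does not reach the count threshold, which is the kind of miss a practitioner should weigh when tuning min_uploads.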

DS0017 Command Command Execution

Monitor for execution of cloud storage CLI tools (e.g., AWS CLI, rclone, gdrive, azcopy, gsutil), scripts automating file transfers to cloud services, or use of PowerShell or Bash to upload files to external web services.

Analytic 1 - Detecting Web Service File Upload via CLI Tools

(EventCode=1 OR (source="/var/log/audit/audit.log" type="execve"))
| where command IN ("rclone copy", "aws s3 cp", "gsutil cp", "azcopy copy", "curl -T", "wget --post-file")
| eval risk_score=case(command IN ("rclone copy", "aws s3 cp"), 9, command IN ("curl -T", "wget --post-file"), 8)
| where risk_score >= 8
| stats count by _time, host, user, command, risk_score
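A runnable version of the CLI-upload analytic, added here as an example and not taken from the ATT&CK page. Because the analytic's IN() list holds whole command strings, an exact match would miss any invocation that carries extra arguments; this version tokenises the command line and matches on the leading sub-command for the storage CLIs, and on the upload switch wherever it appears for curl (-T, or its long form --upload-file) and wget (--post-file). The page's case() assigns no score to gsutil cp or azcopy copy, so they would be dropped by the risk_score filter; this example scores them 9 as an assumption. The execution records are constructed.

```python
"""Web-service upload via CLI tools: tokenised command matching (added example)."""
import os
import shlex

# Sub-command prefixes from the analytic, with the page's scores. gsutil and
# azcopy are scored 9 here as an assumption; the page's case() omits them.
PREFIX_RULES = [
    (("rclone", "copy"), 9),
    (("aws", "s3", "cp"), 9),
    (("gsutil", "cp"), 9),
    (("azcopy", "copy"), 9),
]

# Generic upload tools: the switch may sit anywhere on the command line.
FLAG_RULES = [
    ("curl", ("-T", "--upload-file"), 8),
    ("wget", ("--post-file",), 8),
]

# Constructed execve-style records (host, user, full command line). Not real data.
SAMPLE_EXECS = [
    {"host": "srv-01", "user": "svc-backup",
     "command": "/usr/bin/rclone copy /srv/data remote:bucket"},
    {"host": "ws-12", "user": "alice",
     "command": "curl -s -T /tmp/archive.zip https://file.example/upload"},
    {"host": "ws-12", "user": "alice",
     "command": "wget --post-file=/tmp/docs.tar https://paste.example/api"},
    {"host": "ws-03", "user": "bob", "command": "aws s3 ls"},
    {"host": "ws-03", "user": "bob", "command": "curl -sSL https://example.org/"},
]


def classify_command(cmdline):
    """Return the analytic's risk score for a command line, or None if it
    matches no upload pattern. Paths on argv[0] are reduced to the basename so
    /usr/bin/rclone and rclone are treated alike."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: cannot parse safely
        return None
    if not argv:
        return None
    prog = os.path.basename(argv[0])
    head = [prog] + argv[1:]

    for prefix, score in PREFIX_RULES:
        if tuple(head[:len(prefix)]) == prefix:
            return score

    for tool, flags, score in FLAG_RULES:
        if prog == tool and any(
            a == f or a.startswith(f + "=") for a in argv[1:] for f in flags
        ):
            return score
    return None


def detect_cli_uploads(events, min_score=8):
    """Apply classify_command to each execution record; keep those at or above
    min_score, mirroring the analytic's 'where risk_score >= 8'."""
    alerts = []
    for e in events:
        score = classify_command(e["command"])
        if score is not None and score >= min_score:
            alerts.append({**e, "risk_score": score})
    return alerts


if __name__ == "__main__":
    for alert in detect_cli_uploads(SAMPLE_EXECS):
        print(alert)
```

Prefix matching still assumes the sub-command follows the program name directly; a global option placed before it (for example a profile switch) would not match, so in production the rule set should be widened from observed command lines rather than from the six literal strings alone.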

DS0022 File File Access

Monitor for files being accessed and staged before upload to an existing, legitimate external Web service that an adversary uses for exfiltration in place of their primary command and control channel.

Analytic 1 - Detecting File Staging Before Web Service Upload

(EventCode=11 OR EventCode=4663 OR (source="/var/log/audit/audit.log" type="open"))
| where file_path IN ("/tmp/", "/var/tmp/", "/home/*/Downloads/", "C:\Users\*\Documents\exfil")
| eval risk_score=case(file_path LIKE "/tmp/%", 9, file_path LIKE "C:\Users\%\Documents\exfil%", 8)
| where risk_score >= 8
| stats count by _time, host, user, file_path, risk_score

DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections to web and cloud services associated with abnormal or non-browser processes.

Analytic 1 - Detecting Large Data Transfers to Web Services

(EventCode=3 OR source="zeek_conn.log" OR source="firewall_logs")
| where dest_ip IN (known_cloud_services) AND bytes_out > 5000000
| stats count, sum(bytes_out) as total_bytes by _time, host, process, dest_ip
| where total_bytes > 50000000
| eval risk_score=case(total_bytes > 100000000, 9, total_bytes > 50000000, 8)
| where risk_score >= 8
| table host, dest_ip, total_bytes, risk_score

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
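The Network Connection Creation analytic and the Network Traffic Flow guidance above combined into one runnable example. It is added here and is not part of the ATT&CK page; the destination addresses (TEST-NET ranges), the per-host baseline of processes expected to talk to cloud services, and the flow records are all constructed. It aggregates bytes_out per (host, process, destination) for known cloud destinations and applies the page's 50 MB and 100 MB tiers, and separately surfaces any process outside the host's baseline that reached a cloud service at all. Unlike the analytic's per-connection 5 MB filter, it sums every flow, so an upload split into many small connections still counts toward the total.

```python
"""Cloud-destination flow aggregation with a process baseline (added example)."""
from collections import defaultdict

MB = 1_000_000
LARGE_TRANSFER = 50 * MB      # the analytic's total_bytes > 50 MB
HIGH_RISK_TRANSFER = 100 * MB  # the analytic's 100 MB tier

# Constructed stand-in for the analytic's known_cloud_services lookup
# (TEST-NET addresses; not real service endpoints).
KNOWN_CLOUD_SERVICES = {"203.0.113.10", "203.0.113.11", "198.51.100.20"}

# Constructed baseline: processes that normally reach cloud services per host.
NETWORK_BASELINE = {
    "ws-12": {"chrome.exe", "OneDrive.exe"},
    "srv-01": {"rclone"},
}

# Constructed Zeek/Sysmon-style flow records. Not real data.
SAMPLE_FLOWS = [
    {"host": "ws-12", "process": "chrome.exe", "dest_ip": "203.0.113.10", "bytes_out": 30 * MB},
    {"host": "ws-12", "process": "chrome.exe", "dest_ip": "203.0.113.10", "bytes_out": 4 * MB},
    {"host": "ws-12", "process": "python.exe", "dest_ip": "203.0.113.11", "bytes_out": 70 * MB},
    {"host": "ws-12", "process": "python.exe", "dest_ip": "203.0.113.11", "bytes_out": 45 * MB},
    {"host": "srv-01", "process": "rclone", "dest_ip": "198.51.100.20", "bytes_out": 200 * MB},
    {"host": "ws-12", "process": "python.exe", "dest_ip": "192.0.2.5", "bytes_out": 500 * MB},
    {"host": "ws-12", "process": "svchost.exe", "dest_ip": "203.0.113.10", "bytes_out": 1 * MB},
]


def aggregate_cloud_flows(flows, cloud_ips=KNOWN_CLOUD_SERVICES):
    """Sum bytes_out per (host, process, dest_ip) for known cloud destinations.
    Flows to other destinations (192.0.2.5 above) are ignored, as in the analytic."""
    totals = defaultdict(int)
    for f in flows:
        if f["dest_ip"] in cloud_ips:
            totals[(f["host"], f["process"], f["dest_ip"])] += f["bytes_out"]
    return dict(totals)


def large_transfer_alerts(totals, baseline=NETWORK_BASELINE):
    """Apply the page's tiers: 9 above 100 MB, 8 above 50 MB. Each alert also
    records whether the process is in the host's baseline, which is what
    separates a sanctioned sync client from an unexpected uploader."""
    alerts = []
    for (host, process, dest_ip), total in totals.items():
        if total <= LARGE_TRANSFER:
            continue
        score = 9 if total > HIGH_RISK_TRANSFER else 8
        alerts.append({
            "host": host, "process": process, "dest_ip": dest_ip,
            "total_bytes": total, "risk_score": score,
            "process_in_baseline": process in baseline.get(host, set()),
        })
    return sorted(alerts, key=lambda a: (-a["risk_score"], -a["total_bytes"]))


def new_process_flows(totals, baseline=NETWORK_BASELINE):
    """Processes outside the host baseline that reached a cloud service at
    all, regardless of volume (the Network Traffic Flow guidance)."""
    return sorted(
        (h, p, d) for (h, p, d) in totals if p not in baseline.get(h, set())
    )


if __name__ == "__main__":
    totals = aggregate_cloud_flows(SAMPLE_FLOWS)
    for alert in large_transfer_alerts(totals):
        print(alert)
    print("non-baseline processes:", new_process_flows(totals))
```

On the constructed data rclone on srv-01 trips the 100 MB tier but is in the baseline, while python.exe on ws-12 trips the same tier and is not; svchost.exe moves only 1 MB and appears solely in the non-baseline list, which is the low-volume, never-seen-before case the flow guidance asks for. The baseline itself should be built from an observation window on each host rather than typed in, and re-checked whenever software is rolled out.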

References