Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. Popular web services acting as an exfiltration mechanism can give a significant amount of cover, because hosts within a network are likely already communicating with them prior to compromise, and firewall rules may already exist to permit traffic to these services.
Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection: the exfiltrated content is hidden from network inspection unless the organization's proxy terminates TLS.
ID | Name | Description |
---|---|---|
S0622 | AppleSeed | |
G0007 | APT28 | |
C0017 | C0017 | During C0017, APT41 used Cloudflare services for data exfiltration.[3] |
S0547 | DropBook | DropBook has used legitimate web services to exfiltrate data.[4] |
G0059 | Magic Hound | Magic Hound has used the Telegram API |
S0508 | ngrok | ngrok has been used by threat actors to configure servers for data exfiltration.[6] |
ID | Mitigation | Description |
---|---|---|
M1057 | Data Loss Prevention | Data loss prevention can detect and block sensitive data being uploaded to web services via web browsers. |
M1021 | Restrict Web-Based Content | Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services, for example by allowlisting only the web services the organization sanctions. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0015 | Application Log | Application Log Content | Review logs for SaaS services, including Office 365 and Google Workspace, to detect the configuration of new webhooks or other features that could be abused to exfiltrate data. |
DS0017 | Command | Command Execution | Monitor executed commands and arguments for invocations that upload data to an existing, legitimate external web service (for example, scripts or command-line clients calling cloud storage or messaging APIs) rather than the adversary's primary command and control channel. |
DS0022 | File | File Access | Monitor for unusual file access by processes that then connect to an external web service, such as a non-browser process reading many documents shortly before an upload. |
DS0029 | Network Traffic | Network Connection Creation | Monitor for newly constructed network connections to web and cloud services associated with abnormal or non-browser processes. |
DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze traffic patterns and packet contents associated with protocols that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Correlate with process monitoring and command-line telemetry to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g. anomalous use of files or binaries that do not normally initiate connections for the protocol in question). |
DS0029 | Network Traffic | Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication, or that have never been seen before, are suspicious. |
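As an added example (not code from the ATT&CK page or from any of the vendors cited), the following Python script runs the DS0029 Network Connection Creation and Network Traffic Flow logic over constructed Sysmon-style network-connection records. It builds a baseline of process-to-service pairs from a known-good period, then flags connections to a short list of abusable web services that come from non-browser processes or from process/service pairs never seen in the baseline. The service list, the browser list, the JSON field names and every log line are assumptions constructed for this example, not real telemetry.

```python
import json

# Legitimate web services of the kind the procedure examples above show being
# abused for exfiltration. Assumption: a defender-maintained tuning list.
WEB_SERVICE_DOMAINS = {
    "api.telegram.org": "Telegram API",
    "dropboxapi.com": "Dropbox API",
    "ngrok.com": "ngrok tunnel",
    "ngrok.io": "ngrok tunnel",
    "pastebin.com": "Pastebin",
}
# Processes expected to talk to web services; everything else is "non-browser".
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Constructed JSON-lines telemetry shaped like forwarded Sysmon Event ID 3
# records. Hosts, users and timestamps are invented for the example.
BASELINE_EVENTS = r"""
{"ts":"2024-03-01T09:00:01Z","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","User":"CORP\\alice","DestinationHostname":"content.dropboxapi.com","DestinationPort":443}
{"ts":"2024-03-01T09:05:12Z","Image":"C:\\Windows\\System32\\svchost.exe","User":"NT AUTHORITY\\SYSTEM","DestinationHostname":"update.microsoft.com","DestinationPort":443}
{"ts":"2024-03-01T10:15:40Z","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","User":"CORP\\alice","DestinationHostname":"outlook.office365.com","DestinationPort":443}
"""
NEW_EVENTS = r"""
{"ts":"2024-03-02T02:13:05Z","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","User":"CORP\\alice","DestinationHostname":"api.telegram.org","DestinationPort":443}
{"ts":"2024-03-02T02:14:09Z","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","User":"CORP\\alice","DestinationHostname":"content.dropboxapi.com","DestinationPort":443}
{"ts":"2024-03-02T09:01:00Z","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","User":"CORP\\alice","DestinationHostname":"content.dropboxapi.com","DestinationPort":443}
{"ts":"2024-03-02T09:30:00Z","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","User":"CORP\\bob","DestinationHostname":"www.example.com","DestinationPort":443}
{"ts":"2024-03-02T11:00:00Z","Image":"C:\\Users\\bob\\Desktop\\ngrok.exe","User":"CORP\\bob","DestinationHostname":"tunnel.us.ngrok.com","DestinationPort":443}
"""


def service_for(host):
    """Map a destination hostname to a web-service label, matching parent
    domains so that content.dropboxapi.com hits the dropboxapi.com entry."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        label = WEB_SERVICE_DOMAINS.get(".".join(labels[i:]))
        if label:
            return label
    return None


def process_name(image):
    """Lower-cased basename of a Windows or POSIX image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Set of (process, service) pairs observed during a known-good period."""
    baseline = set()
    for ev in events:
        service = service_for(ev["DestinationHostname"])
        if service:
            baseline.add((process_name(ev["Image"]), service))
    return baseline


def detect(events, baseline):
    """Return one alert per connection to a listed web service that comes from a
    non-browser process or from a process/service pair absent from the baseline."""
    alerts = []
    for ev in events:
        service = service_for(ev["DestinationHostname"])
        if not service:
            continue  # not a service we track; a browser to example.com is noise
        proc = process_name(ev["Image"])
        reasons = []
        if proc not in BROWSERS:
            reasons.append("non-browser process")
        if (proc, service) not in baseline:
            reasons.append("process/service pair not in baseline")
        if reasons:
            alerts.append({
                "ts": ev["ts"], "user": ev["User"], "process": proc,
                "host": ev["DestinationHostname"], "service": service,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_EVENTS))
    for alert in detect(parse_events(NEW_EVENTS), baseline):
        print(f'{alert["ts"]} {alert["user"]} {alert["process"]} -> '
              f'{alert["host"]} ({alert["service"]}): {", ".join(alert["reasons"])}')
```

Run against the constructed data, the script alerts on update.exe reaching the Telegram API, powershell.exe reaching the Dropbox API and ngrok.exe reaching an ngrok tunnel endpoint, while Chrome's established Dropbox traffic and its connection to an untracked domain stay quiet. In production the baseline would come from weeks of telemetry rather than three lines, and the alert would be enriched with the command line (DS0017) and recently accessed files (DS0022) of the flagged process before being escalated.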