Exfiltration Over Web Service

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

ID: T1567
Sub-techniques:  T1567.001, T1567.002
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Data Sources: Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Requires Network:  Yes
Version: 1.0
Created: 09 March 2020
Last Modified: 28 March 2020

Procedure Examples

ID Name Description
G0007 APT28

APT28 can exfiltrate data over Google Drive.[1]

S0547 DropBook

DropBook has used legitimate web services to exfiltrate data.[2]

S0508 Ngrok

Ngrok has been used by threat actors to configure servers for data exfiltration.[3]

Mitigations

ID Mitigation Description
M1021 Restrict Web-Based Content

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.

References