Description
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Sub-Techniques (4)
| ID | Sub-Technique |
|---|---|
| T1567.001 | Exfiltration to Code Repository |
| T1567.002 | Exfiltration to Cloud Storage |
| T1567.003 | Exfiltration to Text Storage Sites |
| T1567.004 | Exfiltration Over Webhook |
Mitigations (2)
| ID | Mitigation | Description |
|---|---|---|
| M1021 | Restrict Web-Based Content | Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services. |
| M1057 | Data Loss Prevention | Data loss prevention can detect and block sensitive data being uploaded to web services via web browsers. |
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used the Telegram API `sendMessage` to relay data on compromised devices.(Citation: Google Ir... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has leveraged Telegram API to exfiltrate stolen data.(Citation: ESET Contagious Intervie... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) can exfiltrate data over Google Drive.(Citation: TrendMicro Pawn Storm Dec 2020) |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) has used services such as `anonymfiles.com` and `file.io` to exfiltrate victim data.(Citation: Picu... |
Associated Software (7)
| ID | Name | Type | Context |
|---|---|---|---|
| S1171 | OilCheck | Malware | [OilCheck](https://attack.mitre.org/software/S1171) can upload documents from compromised hosts to a shared Microsoft Office 365 Outlook email account... |
| S0547 | DropBook | Malware | [DropBook](https://attack.mitre.org/software/S0547) has used legitimate web services to exfiltrate data.(Citation: BleepingComputer Molerats Dec 2020) |
| S0622 | AppleSeed | Malware | [AppleSeed](https://attack.mitre.org/software/S0622) has exfiltrated files using web services.(Citation: KISA Operation Muzabi) |
| S0508 | ngrok | Tool | [ngrok](https://attack.mitre.org/software/S0508) has been used by threat actors to configure servers for data exfiltration.(Citation: MalwareBytes Ngr... |
| S1168 | SampleCheck5000 | Malware | [SampleCheck5000](https://attack.mitre.org/software/S1168) can use the Microsoft Office Exchange Web Services API to access an actor-controlled accoun... |
| S1179 | Exbyte | Malware | [Exbyte](https://attack.mitre.org/software/S1179) exfiltrates collected data to online file hosting sites such as `Mega.co.nz`.(Citation: Symantec Bla... |
| S1245 | InvisibleFerret | Malware | [InvisibleFerret](https://attack.mitre.org/software/S1245) has leveraged Telegram chat to upload stolen data using the Telegram API with a bot token.(... |
Frequently Asked Questions
What is T1567 (Exfiltration Over Web Service)?
T1567 is a MITRE ATT&CK technique named 'Exfiltration Over Web Service'. It belongs to the Exfiltration tactic(s). Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may...
How can T1567 be detected?
Detection of T1567 (Exfiltration Over Web Service) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
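As an added example (not code from the ATT&CK page), the Python script below applies that approach to web proxy logs: it flags upload-method requests to the services named on this page, alerting on any upload to unsanctioned services such as the Telegram bot API or anonymous file hosts, and on unusual per-client upload volume to sanctioned cloud storage. The log layout, hostnames and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log (assumed layout): timestamp client_ip method host bytes_out status
SAMPLE_PROXY_LOG = """\
1700000000 10.0.0.5 GET drive.google.com 512 200
1700000010 10.0.0.5 POST api.telegram.org 48213 200
1700000020 10.0.0.7 GET www.example.com 1200 200
1700000030 10.0.0.9 PUT file.io 9400000 200
1700000040 10.0.0.9 POST www.mega.co.nz 2100000 200
1700000060 10.0.0.7 POST drive.google.com 800000 200
1700000070 10.0.0.5 POST drive.google.com 3000000 200
1700000080 10.0.0.5 POST drive.google.com 2500000 200
"""

# Services named on the page -> (label, per-client upload-byte threshold); hostnames and
# thresholds are assumed: unsanctioned services alert on any upload, cloud storage on volume.
WATCHED_SERVICES = {
    "api.telegram.org": ("Telegram bot API", 0),
    "file.io": ("anonymous file hosting", 0),
    "anonymfiles.com": ("anonymous file hosting", 0),
    "mega.co.nz": ("file hosting", 1_000_000),
    "drive.google.com": ("cloud storage", 5_000_000),
}
UPLOAD_METHODS = {"POST", "PUT"}
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+) (\d+)$")

def watched_service(host):
    """Match host or any parent domain against WATCHED_SERVICES; None if unwatched."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        entry = WATCHED_SERVICES.get(".".join(parts[i:]))
        if entry:
            return entry
    return None

def find_suspicious_uploads(log_text):
    """Sum upload bytes per (client, host) and return pairs at or over the service threshold."""
    totals = defaultdict(int)
    # Malformed lines fail the regex and are skipped rather than aborting the scan.
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        _, client, method, host, bytes_out, _ = m.groups()
        if method in UPLOAD_METHODS and watched_service(host):
            totals[(client, host)] += int(bytes_out)
    hits = []
    for (client, host), total in totals.items():
        label, threshold = watched_service(host)
        if total >= threshold:
            hits.append((client, host, label, total))
    return sorted(hits)
```

Running `find_suspicious_uploads(SAMPLE_PROXY_LOG)` flags the Telegram API, file.io and Mega uploads and the 5.5 MB aggregate to Google Drive from 10.0.0.5, while the 800 KB Drive upload from 10.0.0.7 stays below the sanctioned-storage threshold.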
What mitigations exist for T1567?
There are 2 documented mitigations for T1567. Key mitigations include: Restrict Web-Based Content, Data Loss Prevention.
Which threat groups use T1567?
Known threat groups using T1567 include: Magic Hound, Contagious Interview, APT28, BlackByte.