Applied Cybernetics Group
T1567 — Exfiltration Over Web Service
- Technique: T1567
- Tactics: Exfiltration
- MISP citations: 0
- KEV CVEs mapped: 3
- Community rules: 12
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1567
MITRE description
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings, these are the actively exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- Potential Data Exfiltration Via Curl.EXE (threat-hunting)
- Communication To Ngrok Tunneling Service - Linux (core)
- Suspicious Curl File Upload - Linux (core)
- Monero Crypto Coin Mining Pool Lookup (core)
- Network Connection Initiated To BTunnels Domains (core)
- Network Connection Initiated To Cloudflared Tunnels Domains (core)
- Communication To Ngrok Tunneling Service Initiated (core)
- Process Initiated Network Connection To Ngrok Domain (core)
- Suspicious Non-Browser Network Communication With Telegram API (core)
- Network Connection Initiated To Visual Studio Code Tunnels Domain (core)
- Arbitrary File Download Via ConfigSecurityPolicy.EXE (core)
- LOLBAS Data Exfiltration by DataSvcUtil.exe (core)