Skip to content

DET0153 Detection Strategy for Exfiltration Over Webhook

Item Value
ID DET0153
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1567.004 (Exfiltration Over Webhook)

Analytics

Windows

AN0436

Unusual processes (e.g., powershell.exe, wscript.exe, mshta.exe) posting data to webhook endpoints (Discord, Slack, webhook.site) using HTTP POST/PUT requests. Defender perspective: suspicious process lineage followed by outbound HTTPS traffic to webhook domains.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
File Access (DC0055) WinEventLog:Security EventCode=4663, 4670, 4656
Mutable Elements
Field Description
WebhookDomains Domains to monitor such as discord.com/api/webhooks, slack.com/api, webhook.site.
UploadSizeThreshold Threshold for abnormal data sent via webhook requests.
ApprovedApps List of approved business apps using webhooks to reduce noise.

Linux

AN0437

Processes such as curl, wget, or custom scripts initiating POST requests to webhook endpoints with encoded or bulk data. Defender perspective: abnormal chaining of file compression or access followed by outbound data to webhook URLs.

Log Sources
Data Component Name Channel
Command Execution (DC0064) auditd:EXECVE curl -X POST, wget –post-data
File Access (DC0055) auditd:SYSCALL read/open of sensitive files
Network Traffic Content (DC0085) NSM:Flow large HTTPS POST requests to webhook endpoints
Mutable Elements
Field Description
AllowedTools Expected command-line utilities allowed to interact with webhooks in enterprise environments.
TimeWindow Expected timeframe for legitimate webhook traffic (e.g., CI/CD deployments).

macOS

AN0438

Unexpected apps or scripts (osascript, curl, Automator workflows) exfiltrating data via webhooks. Defender perspective: correlation of clipboard/file read operations followed by HTTPS POST traffic to webhook services.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog execution of osascript, curl, or unexpected automation
File Access (DC0055) macos:unifiedlog file read of sensitive directories
Network Traffic Flow (DC0078) macos:unifiedlog HTTPS POST to known webhook URLs
Mutable Elements
Field Description
WebhookEndpoints Webhook URLs monitored for exfiltration.
EntropyThreshold High entropy payloads may indicate encoded/encrypted exfiltration.

ESXi

AN0439

VMware services or management daemons generating HTTP POST requests to webhook endpoints, chained with unusual datastore or log access. Defender perspective: exfiltration from VM logs or disk images over webhook URLs.

Log Sources
Data Component Name Channel
File Access (DC0055) esxi:hostd datastore file access
Network Traffic Content (DC0085) esxi:vmkernel HTTPS POST connections to webhook endpoints
Mutable Elements
Field Description
DatastoreExfilThreshold Minimum data volume to flag exfiltration attempts from VM files.
ApprovedIntegrations Whitelisted CI/CD or automation webhooks tied to vSphere/ESXi.

SaaS

AN0440

Suspicious SaaS tenant activity involving webhook configurations pointing to external or untrusted domains. Defender perspective: repeated automated exports or suspicious webhook endpoint registrations.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) m365:unified Set-Mailbox, Add-InboxRule, RegisterWebhook
Network Traffic Flow (DC0078) saas:api Webhook registrations or repeated POST activity
Mutable Elements
Field Description
WebhookRegistrations Monitor new webhook creation events in SaaS environments.
ExternalDomains Flag webhooks pointing to domains not owned by the enterprise.