DET0548 Detection Strategy for Exfiltration Over Web Service

Item	Value
ID	DET0548
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1567 (Exfiltration Over Web Service)

Analytics

Windows

AN1511

Processes that normally do not initiate network communications suddenly making outbound HTTPS connections with high outbound-to-inbound data ratios. Defender view: correlation between process creation logs (e.g., Word, Excel, PowerShell) and subsequent anomalous network traffic volumes toward common web services (Dropbox, Google Drive, OneDrive).

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	WinEventLog:Security	EventCode=4688
Network Connection Creation (DC0082)	WinEventLog:Sysmon	EventCode=3, 22
File Creation (DC0039)	WinEventLog:Sysmon	EventCode=11

Mutable Elements

Field	Description
MonitoredServices	List of legitimate web services to baseline (Dropbox, OneDrive, Google Drive).
ExfilVolumeThreshold	Outbound data threshold for flagging unusual activity, tunable by environment.
TimeWindow	Aggregation period to calculate anomalies in outbound data volume.

Linux

AN1512

Processes (tar, curl, python scripts) accessing large file sets and initiating outbound HTTPS POST requests with payload sizes inconsistent with baseline activity. Defender perspective: detect abnormal sequence of file archival followed by encrypted uploads to external web services.

Log Sources

Data Component	Name	Channel
Command Execution (DC0064)	auditd:EXECVE	curl or wget with POST/PUT options
File Access (DC0055)	auditd:SYSCALL	open/read of sensitive directories (/etc, /home/*)
Network Traffic Flow (DC0078)	NSM:Flow	sustained outbound HTTPS sessions with high data volume

Mutable Elements

Field	Description
MonitoredTools	Suspicious command-line utilities used for exfiltration (curl, wget, python).
DataVolumeThreshold	Bytes transferred threshold per session to flag unusual uploads.

macOS

AN1513

Office apps or scripts writing files followed by xattr manipulation (to evade quarantine) and subsequent HTTPS uploads. Defender perspective: anomalous file modification + outbound TLS traffic originating from non-networking apps (Word, Excel, Preview).

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	macos:unifiedlog	execution of Office binaries with network activity
File Access (DC0055)	macos:unifiedlog	read/write of user documents prior to upload
Network Traffic Content (DC0085)	macos:unifiedlog	outbound TLS connections to cloud storage providers

Mutable Elements

Field	Description
WatchedApplications	Applications not expected to perform bulk data transfers (Office apps, Preview).

SaaS

AN1514

Abnormal API calls from user accounts invoking file upload endpoints outside normal baselines (M365, Google Drive, Box). Defender perspective: monitor unified audit logs for elevated frequency of Upload, Create, or Copy operations from compromised accounts.

Log Sources

Data Component	Name	Channel
Application Log Content (DC0038)	m365:unified	FileUploaded or FileCopied events
Network Traffic Content (DC0085)	saas:box	API calls exceeding baseline thresholds

Mutable Elements

Field	Description
APICallThreshold	Maximum number of API calls per user/session before triggering alert.
UserBaselineProfiles	Baseline normal data transfer patterns by user/role.

ESXi

AN1515

ESXi guest OS or management interface processes establishing unexpected external HTTPS connections. Defender perspective: monitor vmx or hostd processes making outbound web requests with significant data transfer.

Log Sources

Data Component	Name	Channel
Network Connection Creation (DC0082)	esxi:vmkernel	network session initiation with external HTTPS services
File Access (DC0055)	esxi:hostd	file copy or datastore upload via HTTPS

Mutable Elements

Field	Description
DatastoreTransferThreshold	Threshold for outbound transfers from ESXi datastores.