T1567 Exfiltration Over Web Service
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Item | Value |
---|---|
ID | T1567 |
Sub-techniques | T1567.001, T1567.002, T1567.003 |
Tactics | TA0010 |
Platforms | Linux, Windows, macOS |
Version | 1.2 |
Created | 09 March 2020 |
Last Modified | 19 October 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0622 | AppleSeed | AppleSeed has exfiltrated files using web services. [2] |
G0007 | APT28 | APT28 can exfiltrate data over Google Drive. [5] |
C0017 | C0017 | During C0017, APT41 used Cloudflare services for data exfiltration. [6] |
S0547 | DropBook | DropBook has used legitimate web services to exfiltrate data. [1] |
G0059 | Magic Hound | Magic Hound has used the Telegram API sendMessage to relay data on compromised devices. [4] |
S0508 | Ngrok | Ngrok has been used by threat actors to configure servers for data exfiltration. [3] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1057 | Data Loss Prevention | Data loss prevention can detect and block sensitive data being uploaded to web services via web browsers. |
M1021 | Restrict Web-Based Content | Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
DS0029 | Network Traffic | Network Connection Creation |
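The data sources above say what to collect; the example below, added here and not part of the ATT&CK page, shows one way to turn DS0029 (Network Connection Creation) records into an alert. It scans constructed web-proxy log lines for outbound POST/PUT traffic to external web services and flags either a large cumulative upload or a burst of repeated small requests (the Telegram API sendMessage pattern in the procedure examples). The log format, the watched domains (drive.google.com, api.telegram.org, ngrok.io), the organisation's allowlist, and the thresholds are all assumptions chosen for illustration; in practice the allowlist would come from the M1021 proxy policy and the watchlist from a maintained URL-category feed.

```python
# Added example (not from the ATT&CK page): detect possible exfiltration over
# web services from proxy logs. Log format, domains and thresholds are assumed.
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample proxy log. Assumed fields: ts src_ip method host bytes_out
SAMPLE_PROXY_LOG = """\
2023-01-10T09:00:01Z 10.0.0.5 GET www.example.com 512
2023-01-10T09:00:07Z 10.0.0.5 POST drive.google.com 8388608
2023-01-10T09:00:09Z 10.0.0.5 POST drive.google.com 8388608
2023-01-10T09:00:12Z 10.0.0.5 POST drive.google.com 8388608
2023-01-10T09:01:00Z 10.0.0.9 POST api.telegram.org 2048
2023-01-10T09:01:30Z 10.0.0.9 POST api.telegram.org 2048
2023-01-10T09:02:00Z 10.0.0.9 POST api.telegram.org 2048
2023-01-10T09:02:30Z 10.0.0.9 POST api.telegram.org 2048
2023-01-10T09:02:45Z 10.0.0.9 POST api.telegram.org 2048
2023-01-10T09:03:00Z 10.0.0.12 POST files.corp-sanctioned.example 50000000
"""

# Assumption: domains for services the page names (Google Drive, Telegram API, ngrok).
# Matching is done on the host and on every parent domain (e.g. x.ngrok.io -> ngrok.io).
WATCHED_SERVICES = {
    "drive.google.com": "Google Drive",
    "api.telegram.org": "Telegram API",
    "ngrok.io": "ngrok",
}
# Assumption: services the organisation has sanctioned via its proxy policy (M1021).
ALLOWLIST = {"files.corp-sanctioned.example"}

UPLOAD_BYTES_THRESHOLD = 10 * 1024 * 1024  # 10 MiB per (source, host); assumed
POST_COUNT_THRESHOLD = 5                   # repeated small API posts; assumed


@dataclass(frozen=True)
class Alert:
    src_ip: str
    host: str
    service: str
    reason: str
    total_bytes: int
    post_count: int


def service_for(host: str):
    """Return the watched service name for host or a parent domain, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WATCHED_SERVICES:
            return WATCHED_SERVICES[candidate]
    return None


def parse_log(text: str):
    """Parse the assumed whitespace-separated proxy format into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, size = line.split()
        records.append((ts, src, method.upper(), host.lower(), int(size)))
    return records


def detect_web_service_exfil(text: str):
    """Aggregate uploads per (source, host) and raise alerts for watched services."""
    totals = defaultdict(lambda: [0, 0])  # (src, host) -> [bytes_out, post_count]
    for _ts, src, method, host, size in parse_log(text):
        if host in ALLOWLIST:
            continue                        # sanctioned service, not of interest here
        if method in ("POST", "PUT"):       # only count traffic that carries data out
            totals[(src, host)][0] += size
            totals[(src, host)][1] += 1
    alerts = []
    for (src, host), (total, posts) in sorted(totals.items()):
        service = service_for(host)
        if service is None:
            continue
        if total >= UPLOAD_BYTES_THRESHOLD:
            alerts.append(Alert(src, host, service, "large_upload", total, posts))
        elif posts >= POST_COUNT_THRESHOLD:
            alerts.append(Alert(src, host, service, "repeated_posts", total, posts))
    return alerts


if __name__ == "__main__":
    for a in detect_web_service_exfil(SAMPLE_PROXY_LOG):
        print(f"{a.src_ip} -> {a.host} ({a.service}): {a.reason}, "
              f"{a.total_bytes} bytes over {a.post_count} requests")
```

On the constructed log this yields two alerts: 10.0.0.5 uploading about 24 MiB to Google Drive, and 10.0.0.9 making five small posts to the Telegram API. The allowlisted corporate file service is skipped even though its upload is larger, which is the point of pairing the detection with an explicit M1021 policy: the analyst triages only unsanctioned destinations. Pairing these alerts with DS0017 (the process and command line that opened the connection) and DS0022 (which files were read shortly before) is what separates a user's legitimate cloud sync from staged exfiltration.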
References
1. Ilascu, I. (2020, December 14). Hacking group's new malware abuses Google and Facebook services. Retrieved December 28, 2020.
2. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
3. Segura, J. (2020, February 26). Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server. Retrieved September 15, 2020.
4. Bash, A. (2021, October 14). Countering threats from Iran. Retrieved January 4, 2023.
5. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm's Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
6. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.