Skip to content

T1567 Exfiltration Over Web Service

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Item Value
ID T1567
Sub-techniques T1567.001, T1567.002, T1567.003
Tactics TA0010
Platforms Linux, Windows, macOS
Version 1.2
Created 09 March 2020
Last Modified 19 October 2022

Procedure Examples

ID Name Description
S0622 AppleSeed AppleSeed has exfiltrated files using web services.2
G0007 APT28 APT28 can exfiltrate data over Google Drive.5
C0017 C0017 During C0017, APT41 used Cloudflare services for data exfiltration.6
S0547 DropBook DropBook has used legitimate web services to exfiltrate data.1
G0059 Magic Hound Magic Hound has used the Telegram API sendMessage to relay data on compromised devices.4
S0508 Ngrok Ngrok has been used by threat actors to configure servers for data exfiltration.3


ID Mitigation Description
M1057 Data Loss Prevention Data loss prevention can be detect and block sensitive data being uploaded to web services via web browsers.
M1021 Restrict Web-Based Content Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0029 Network Traffic Network Connection Creation