T1567

Exfiltration Over Web Service

Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. Popular web services acting as an exfiltration mechanism may give significant cover because hosts within a network are likely already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Observed real-world abuse includes exfiltration to Telegram (Magic Hound, Contagious Interview), cloud storage (APT28 to Google Drive, Exbyte/BlackByte to Mega.co.nz), code repositories, file-sharing services (anonymfiles.com, file.io), and Microsoft Exchange Web Services (OilCheck, SampleCheck5000).

Microsoft Sentinel / Defender

kusto

let KnownExfilDomains = dynamic([
  "api.telegram.org",
  "discord.com",
  "discordapp.com",
  "mega.co.nz",
  "mega.nz",
  "file.io",
  "transfer.sh",
  "gofile.io",
  "anonymfiles.com",
  "anonfiles.com",
  "ufile.io",
  "pixeldrain.com",
  "paste.ee",
  "pastebin.com",
  "hastebin.com",
  "rentry.co",
  "ghostbin.com",
  "privatbin.net",
  "ngrok.io",
  "ngrok-free.app",
  "serveo.net"
]);
let CloudStorageDomains = dynamic([
  "content.dropboxapi.com",
  "api.dropboxapi.com",
  "www.googleapis.com",
  "drive.google.com",
  "graph.microsoft.com",
  "onedrive.live.com",
  "api.github.com",
  "gitlab.com",
  "bitbucket.org",
  "s3.amazonaws.com",
  "storage.googleapis.com"
]);
let SuspiciousUploadProcesses = dynamic([
  "curl.exe", "curl", "wget", "wget.exe",
  "powershell.exe", "pwsh.exe",
  "python.exe", "python3", "python3.exe",
  "node.exe", "node",
  "wscript.exe", "cscript.exe",
  "certutil.exe", "bitsadmin.exe"
]);
// Branch 1: Direct connections to known file-sharing / messaging exfil services
let DirectExfilConnections = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteUrl has_any (KnownExfilDomains) or RemoteIPType == "Public"
| where RemoteUrl has_any (KnownExfilDomains)
| extend ExfilCategory = case(
    RemoteUrl has_any ("telegram"), "Messaging API",
    RemoteUrl has_any ("discord"), "Messaging API",
    RemoteUrl has_any ("mega", "file.io", "transfer.sh", "gofile", "anonymfiles", "anonfiles", "ufile", "pixeldrain"), "File Sharing",
    RemoteUrl has_any ("pastebin", "hastebin", "rentry", "ghostbin", "paste.ee", "privatbin"), "Paste Site",
    RemoteUrl has_any ("ngrok", "serveo"), "Tunnel Service",
    "Other"
  )
| project Timestamp, DeviceName, AccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName,
         RemoteUrl, RemoteIP, RemotePort, BytesSent, BytesReceived,
         ExfilCategory;
// Branch 2: High-volume uploads to cloud storage from unusual processes
let CloudStorageHighVolume = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteUrl has_any (CloudStorageDomains)
| where InitiatingProcessFileName in~ (SuspiciousUploadProcesses)
| where BytesSent > 1048576 // > 1MB upload
| extend ExfilCategory = "Cloud Storage Upload"
| project Timestamp, DeviceName, AccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName,
         RemoteUrl, RemoteIP, RemotePort, BytesSent, BytesReceived,
         ExfilCategory;
// Branch 3: Aggregate large data sent to any single public IP from scripting engines
let AggregatedExfilAttempts = DeviceNetworkEvents
| where Timestamp > ago(1h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where InitiatingProcessFileName in~ (SuspiciousUploadProcesses)
| summarize TotalBytesSent=sum(BytesSent), TotalBytesReceived=sum(BytesReceived),
            ConnectionCount=count(), UniqueRemoteIPs=dcount(RemoteIP)
            by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, bin(Timestamp, 1h)
| where TotalBytesSent > 10485760 // > 10MB total in 1 hour
| extend ExfilCategory = "Bulk Upload Detected"
| project Timestamp, DeviceName, AccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         TotalBytesSent, TotalBytesReceived, ConnectionCount, UniqueRemoteIPs,
         ExfilCategory;
union DirectExfilConnections, CloudStorageHighVolume
| union (AggregatedExfilAttempts | extend RemoteUrl="", RemoteIP="", RemotePort=0, BytesSent=TotalBytesSent, BytesReceived=TotalBytesReceived)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Developers legitimately pushing code to GitHub, GitLab, or Bitbucket from workstations — especially large repositories or LFS objects
IT automation scripts (SCCM, Intune, Ansible) uploading diagnostics or configuration files to cloud storage like OneDrive or S3
Employees using Telegram, Discord, or Slack Desktop apps to share work files — the initiating process may be a browser or Electron app
Backup agents uploading to cloud storage providers (Dropbox, OneDrive, Google Drive sync clients) which generate continuous high-volume traffic
Security tools or monitoring agents sending telemetry to SaaS platforms with large payloads

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| eval DestinationHostname=lower(DestinationHostname)
| eval Image=lower(Image)
| eval ExfilCategory=case(
    match(DestinationHostname, "api\.telegram\.org"), "Messaging API - Telegram",
    match(DestinationHostname, "(discord\.com|discordapp\.com)"), "Messaging API - Discord",
    match(DestinationHostname, "(mega\.co\.nz|mega\.nz)"), "File Sharing - Mega",
    match(DestinationHostname, "(file\.io|transfer\.sh|gofile\.io|anonymfiles\.com|anonfiles\.com|ufile\.io|pixeldrain\.com)"), "File Sharing Service",
    match(DestinationHostname, "(pastebin\.com|hastebin\.com|rentry\.co|paste\.ee|ghostbin\.com|privatbin\.net)"), "Paste/Text Storage Site",
    match(DestinationHostname, "(ngrok\.io|ngrok-free\.app|serveo\.net)"), "Tunnel Service",
    match(DestinationHostname, "(content\.dropboxapi\.com|api\.dropboxapi\.com)"), "Cloud Storage - Dropbox",
    match(DestinationHostname, "(www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com)"), "Cloud Storage - Google",
    match(DestinationHostname, "(graph\.microsoft\.com|onedrive\.live\.com)"), "Cloud Storage - Microsoft",
    match(DestinationHostname, "(api\.github\.com|gitlab\.com|bitbucket\.org)"), "Code Repository",
    1=1, null()
  )
| where isnotnull(ExfilCategory)
| eval SuspiciousProcess=if(
    match(Image, "(curl|wget|powershell|pwsh|python|node|wscript|cscript|certutil|bitsadmin)"),
    1, 0
  )
| eval HighRisk=if(SuspiciousProcess=1 AND match(ExfilCategory, "(File Sharing|Paste|Tunnel|Messaging)"), 1, 0)
| eval MediumRisk=if(SuspiciousProcess=0 AND match(ExfilCategory, "(File Sharing|Paste|Tunnel)"), 1, 0)
| eval RiskLevel=case(HighRisk=1, "HIGH", MediumRisk=1, "MEDIUM", 1=1, "LOW")
| stats count as ConnectionCount,
        values(DestinationHostname) as DestHostnames,
        values(DestinationPort) as DestPorts,
        earliest(_time) as FirstSeen,
        latest(_time) as LastSeen
        by host, User, Image, CommandLine, ExfilCategory, RiskLevel
| sort - RiskLevel, - ConnectionCount
| table _time, host, User, Image, CommandLine, ExfilCategory, RiskLevel, ConnectionCount, DestHostnames, DestPorts, FirstSeen, LastSeen

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developers legitimately committing large files to GitHub or GitLab repositories from command line git clients
Employees using messaging apps (Discord, Telegram Desktop) to share work files — initiating process will be the application binary
IT staff using curl or wget to upload diagnostic bundles to cloud storage for vendor support cases
Cloud sync agents (Dropbox, OneDrive client) generating continuous high-volume connections to cloud storage APIs
Security researchers or pentesters legitimately testing connectivity to public file-sharing sites from test systems

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  CATEGORYNAME(category) AS EventCategory,
  "sourceprocessname" AS ProcessName,
  "CommandLine" AS CommandLine,
  destinationhostname AS DestinationHostname,
  destinationip AS DestinationIP,
  destinationport AS DestinationPort,
  LONG("BytesSent") AS BytesSent,
  CASE
    WHEN destinationhostname MATCHES '(api\.telegram\.org)' THEN 'Messaging API - Telegram'
    WHEN destinationhostname MATCHES '(discord\.com|discordapp\.com)' THEN 'Messaging API - Discord'
    WHEN destinationhostname MATCHES '(mega\.co\.nz|mega\.nz|file\.io|transfer\.sh|gofile\.io|anonymfiles\.com|anonfiles\.com|ufile\.io|pixeldrain\.com)' THEN 'File Sharing Service'
    WHEN destinationhostname MATCHES '(pastebin\.com|hastebin\.com|rentry\.co|paste\.ee|ghostbin\.com|privatbin\.net)' THEN 'Paste/Text Storage'
    WHEN destinationhostname MATCHES '(ngrok\.io|ngrok-free\.app|serveo\.net)' THEN 'Tunnel Service'
    WHEN destinationhostname MATCHES '(content\.dropboxapi\.com|api\.dropboxapi\.com)' THEN 'Cloud Storage - Dropbox'
    WHEN destinationhostname MATCHES '(www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com)' THEN 'Cloud Storage - Google'
    WHEN destinationhostname MATCHES '(graph\.microsoft\.com|onedrive\.live\.com)' THEN 'Cloud Storage - Microsoft'
    WHEN destinationhostname MATCHES '(api\.github\.com|gitlab\.com|bitbucket\.org)' THEN 'Code Repository'
    WHEN destinationhostname MATCHES '(s3\.amazonaws\.com)' THEN 'Cloud Storage - AWS S3'
    ELSE 'Unknown'
  END AS ExfilCategory
FROM events
WHERE
  starttime > NOW() - 86400 SECONDS
  AND (
    destinationhostname MATCHES '(api\.telegram\.org|discord\.com|discordapp\.com|mega\.co\.nz|mega\.nz|file\.io|transfer\.sh|gofile\.io|anonymfiles\.com|anonfiles\.com|ufile\.io|pixeldrain\.com|pastebin\.com|hastebin\.com|rentry\.co|paste\.ee|ghostbin\.com|privatbin\.net|ngrok\.io|ngrok-free\.app|serveo\.net|content\.dropboxapi\.com|api\.dropboxapi\.com|www\.googleapis\.com|drive\.google\.com|graph\.microsoft\.com|onedrive\.live\.com|api\.github\.com|gitlab\.com|bitbucket\.org|s3\.amazonaws\.com|storage\.googleapis\.com)'
    OR (
      "sourceprocessname" IMATCHES '(curl|wget|powershell|pwsh|python|node|wscript|cscript|certutil|bitsadmin)'
      AND LONG("BytesSent") > 1048576
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

QRadar Network Activity (flows) Sysmon via Windows Log Source Endpoint event log sources

Required Tables

events flows

False Positives

Authorized DevOps pipelines using curl or Python to push build artifacts to AWS S3 or Google Cloud Storage
Employees legitimately sharing large files via sanctioned OneDrive or Dropbox corporate accounts as part of normal business workflows
Security operations tooling (e.g., SOAR playbooks, threat intel scripts) that upload indicators or reports to external sharing platforms

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*windows* OR _sourceCategory=*endpoint*
| where EventCode = 3
| parse regex field=Image "(?<ProcessName>[^\\\\]+)$" nodrop
| toLowerCase ProcessName
| toLowerCase DestinationHostname
| where DestinationHostname matches "*api.telegram.org*"
  OR DestinationHostname matches "*discord.com*"
  OR DestinationHostname matches "*discordapp.com*"
  OR DestinationHostname matches "*mega.co.nz*"
  OR DestinationHostname matches "*mega.nz*"
  OR DestinationHostname matches "*file.io*"
  OR DestinationHostname matches "*transfer.sh*"
  OR DestinationHostname matches "*gofile.io*"
  OR DestinationHostname matches "*anonymfiles.com*"
  OR DestinationHostname matches "*anonfiles.com*"
  OR DestinationHostname matches "*ufile.io*"
  OR DestinationHostname matches "*pixeldrain.com*"
  OR DestinationHostname matches "*pastebin.com*"
  OR DestinationHostname matches "*hastebin.com*"
  OR DestinationHostname matches "*rentry.co*"
  OR DestinationHostname matches "*paste.ee*"
  OR DestinationHostname matches "*ghostbin.com*"
  OR DestinationHostname matches "*privatbin.net*"
  OR DestinationHostname matches "*ngrok.io*"
  OR DestinationHostname matches "*ngrok-free.app*"
  OR DestinationHostname matches "*serveo.net*"
  OR DestinationHostname matches "*dropboxapi.com*"
  OR DestinationHostname matches "*googleapis.com*"
  OR DestinationHostname matches "*drive.google.com*"
  OR DestinationHostname matches "*graph.microsoft.com*"
  OR DestinationHostname matches "*onedrive.live.com*"
  OR DestinationHostname matches "*api.github.com*"
  OR DestinationHostname matches "*gitlab.com*"
  OR DestinationHostname matches "*bitbucket.org*"
  OR DestinationHostname matches "*s3.amazonaws.com*"
| eval ExfilCategory = if(DestinationHostname matches "*telegram*", "Messaging API - Telegram",
    if(DestinationHostname matches "*discord*", "Messaging API - Discord",
    if(DestinationHostname matches "*mega*" OR DestinationHostname matches "*file.io*" OR DestinationHostname matches "*transfer.sh*" OR DestinationHostname matches "*gofile*" OR DestinationHostname matches "*anonfiles*" OR DestinationHostname matches "*ufile*" OR DestinationHostname matches "*pixeldrain*", "File Sharing Service",
    if(DestinationHostname matches "*pastebin*" OR DestinationHostname matches "*hastebin*" OR DestinationHostname matches "*rentry*" OR DestinationHostname matches "*paste.ee*" OR DestinationHostname matches "*ghostbin*" OR DestinationHostname matches "*privatbin*", "Paste/Text Storage",
    if(DestinationHostname matches "*ngrok*" OR DestinationHostname matches "*serveo*", "Tunnel Service",
    if(DestinationHostname matches "*dropbox*", "Cloud Storage - Dropbox",
    if(DestinationHostname matches "*google*", "Cloud Storage - Google",
    if(DestinationHostname matches "*microsoft*" OR DestinationHostname matches "*onedrive*", "Cloud Storage - Microsoft",
    if(DestinationHostname matches "*github*" OR DestinationHostname matches "*gitlab*" OR DestinationHostname matches "*bitbucket*", "Code Repository",
    if(DestinationHostname matches "*amazonaws*", "Cloud Storage - AWS", "Other"))))))))))
| eval SuspiciousProcess = if(ProcessName matches "*curl*" OR ProcessName matches "*wget*" OR ProcessName matches "*powershell*" OR ProcessName matches "*pwsh*" OR ProcessName matches "*python*" OR ProcessName matches "*node*" OR ProcessName matches "*wscript*" OR ProcessName matches "*cscript*" OR ProcessName matches "*certutil*" OR ProcessName matches "*bitsadmin*", 1, 0)
| eval RiskLevel = if(SuspiciousProcess = 1 AND (ExfilCategory matches "*File Sharing*" OR ExfilCategory matches "*Paste*" OR ExfilCategory matches "*Tunnel*" OR ExfilCategory matches "*Messaging*"), "HIGH",
    if(SuspiciousProcess = 0 AND (ExfilCategory matches "*File Sharing*" OR ExfilCategory matches "*Paste*" OR ExfilCategory matches "*Tunnel*"), "MEDIUM", "LOW"))
| stats count as ConnectionCount, values(DestinationHostname) as DestHostnames, earliest(_messageTime) as FirstSeen, latest(_messageTime) as LastSeen by _sourceHost, User, ProcessName, CommandLine, ExfilCategory, RiskLevel
| sort by RiskLevel, -ConnectionCount

high severity medium confidence

Data Sources

Sysmon (Event ID 3 - Network Connection) Windows Event Logs

Required Tables

Sysmon Network Events (_sourceCategory=*sysmon*)

False Positives

Software update mechanisms or package managers (npm, pip, composer) that legitimately fetch packages from GitHub, GitLab, or googleapis.com during build or install steps
Collaboration tools running as background services that use Discord, Telegram bots, or webhook integrations for legitimate ChatOps or alerting purposes
Backup or sync agents installed by IT (e.g., OneDrive client, Google Drive Sync) that generate high-frequency connections and large transfers to cloud storage APIs

Google Chronicle / SecOps

yaral

rule t1567_exfiltration_over_web_service {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects exfiltration over web services (T1567) — connections from suspicious processes to known file-sharing, messaging, paste, tunnel, and cloud storage domains, or high-volume uploads from LOLBin processes."
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1567"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.principal.process.file.full_path != ""

    // Match on known exfiltration domains OR cloud storage domains
    (
      re.regex($e.target.hostname, `(?i)(api\.telegram\.org|discord\.com|discordapp\.com|mega\.co\.nz|mega\.nz|file\.io|transfer\.sh|gofile\.io|anonymfiles\.com|anonfiles\.com|ufile\.io|pixeldrain\.com|paste\.ee|pastebin\.com|hastebin\.com|rentry\.co|ghostbin\.com|privatbin\.net|ngrok\.io|ngrok-free\.app|serveo\.net)`) or
      re.regex($e.target.hostname, `(?i)(content\.dropboxapi\.com|api\.dropboxapi\.com|www\.googleapis\.com|drive\.google\.com|graph\.microsoft\.com|onedrive\.live\.com|api\.github\.com|gitlab\.com|bitbucket\.org|s3\.amazonaws\.com|storage\.googleapis\.com)`)
    )

    // Initiated by a suspicious upload-capable process
    re.regex($e.principal.process.file.full_path, `(?i)(curl|wget|powershell|pwsh|python|node|wscript|cscript|certutil|bitsadmin)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM Endpoint telemetry forwarded to Chronicle Network telemetry (DNS, HTTP metadata)

Required Tables

NETWORK_CONNECTION UDM events

False Positives

Automated CI/CD pipelines using Python or Node.js to deploy releases to GitHub releases, GitLab CI artifacts, or AWS S3 buckets as part of normal software delivery
System administration scripts using curl or PowerShell to upload logs, diagnostics, or configuration snapshots to authorized cloud storage for troubleshooting
End-user productivity applications such as the Slack desktop client or VS Code extensions that internally invoke curl or node to communicate with external APIs

CrowdStrike LogScale (CQL)

cql

// T1567 - Exfiltration Over Web Service
// Branch 1: Known exfil/file-sharing domains contacted by suspicious processes
#event_simpleName = NetworkConnectIP4
| DestinationHostname = /(?i)(api\.telegram\.org|discord\.com|discordapp\.com|mega\.co\.nz|mega\.nz|file\.io|transfer\.sh|gofile\.io|anonymfiles\.com|anonfiles\.com|ufile\.io|pixeldrain\.com|paste\.ee|pastebin\.com|hastebin\.com|rentry\.co|ghostbin\.com|privatbin\.net|ngrok\.io|ngrok-free\.app|serveo\.net|content\.dropboxapi\.com|api\.dropboxapi\.com|www\.googleapis\.com|drive\.google\.com|graph\.microsoft\.com|onedrive\.live\.com|api\.github\.com|gitlab\.com|bitbucket\.org|s3\.amazonaws\.com|storage\.googleapis\.com)/
| ImageFileName = /(?i)(curl|wget|powershell|pwsh|python|node|wscript|cscript|certutil|bitsadmin)/
| ExfilCategory := case {
    DestinationHostname = /telegram/, "Messaging API - Telegram" ;
    DestinationHostname = /discord/, "Messaging API - Discord" ;
    DestinationHostname = /(mega|file\.io|transfer\.sh|gofile|anonfiles|ufile|pixeldrain)/, "File Sharing Service" ;
    DestinationHostname = /(pastebin|hastebin|rentry|paste\.ee|ghostbin|privatbin)/, "Paste/Text Storage" ;
    DestinationHostname = /(ngrok|serveo)/, "Tunnel Service" ;
    DestinationHostname = /dropbox/, "Cloud Storage - Dropbox" ;
    DestinationHostname = /google/, "Cloud Storage - Google" ;
    DestinationHostname = /(microsoft|onedrive)/, "Cloud Storage - Microsoft" ;
    DestinationHostname = /(github|gitlab|bitbucket)/, "Code Repository" ;
    DestinationHostname = /amazonaws/, "Cloud Storage - AWS" ;
    * , "Other"
  }
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, DestinationHostname, ExfilCategory], function=[count(as=ConnectionCount), min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen)])
| sort(ConnectionCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Sensor Falcon Network Containment telemetry

Required Tables

NetworkConnectIP4 ProcessRollup2

False Positives

DevOps engineers running local scripts using curl or Python to interact with GitHub APIs for repository management, release automation, or CI integration
Security teams using PowerShell or Python tooling to upload threat intelligence reports or IOC feeds to external platforms like VirusTotal, MISP, or sharing portals
Corporate-sanctioned backup software built on Python or Node.js that periodically syncs file system contents to cloud storage providers (Google Drive, OneDrive, S3)

Last updated: 2026-04-21 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1567 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Exfiltration Over Web Service

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (4)

Same Tactic: Exfiltration

Popular Detections