T1567.004

Exfiltration Over Webhook

Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple HTTP/S push mechanisms supported by collaboration platforms such as Discord, Slack, Microsoft Teams, and generic services like webhook.site. Adversaries exploit these endpoints by either linking an adversary-controlled webhook to a victim-owned SaaS service for automated repeated exfiltration of emails or chat messages, or by manually posting staged data directly to a webhook URL via scripting tools. Because webhook traffic is HTTPS and destined for widely-trusted SaaS domains, it blends with normal enterprise traffic and often bypasses data loss prevention controls. Observed real-world usage includes Discord webhooks for credential and token exfiltration from malicious npm packages, Slack webhooks used by insider threats, and Microsoft Teams webhooks abused via SQL Server xp_cmdshell lateral movement chains.

Microsoft Sentinel / Defender

kusto

let WebhookDomains = dynamic([
  "discord.com", "discordapp.com",
  "hooks.slack.com", "slack.com",
  "webhook.site", "webhooks.site",
  "outlook.office.com", "outlook.office365.com",
  "pipedream.net", "requestbin.com", "requestcatcher.com",
  "hookbin.com", "beeceptor.com", "smee.io",
  "ntfy.sh", "pushover.net"
]);
let SuspiciousInitiators = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe",
  "python.exe", "python3", "node.exe",
  "curl.exe", "wget.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe",
  "bitsadmin.exe", "certutil.exe"
]);
// Signal 1: Network connections to webhook domains from suspicious processes
let WebhookNetworkHits = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (WebhookDomains)
  or RemoteUrl matches regex @"/api/webhooks/\d+/"
  or RemoteUrl has "/services/T"
| where InitiatingProcessFileName in~ (SuspiciousInitiators)
| extend Signal = "WebhookNetConn"
| extend WebhookDomain = RemoteUrl
| project Timestamp, DeviceName, AccountName, Signal,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    RemoteUrl, RemoteIP, RemotePort, BytesSent, BytesReceived,
    WebhookDomain;
// Signal 2: Large outbound transfers to webhook domains (any process, high volume)
let WebhookLargeTransfer = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (WebhookDomains)
  or RemoteUrl matches regex @"/api/webhooks/\d+/"
  or RemoteUrl has "/services/T"
| where BytesSent > 1048576  // > 1MB sent
| extend Signal = "WebhookLargeTransfer"
| extend WebhookDomain = RemoteUrl
| project Timestamp, DeviceName, AccountName, Signal,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    RemoteUrl, RemoteIP, RemotePort, BytesSent, BytesReceived,
    WebhookDomain;
// Signal 3: Process command lines containing webhook URL patterns
let WebhookCmdLine = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine matches regex @"(discord\.com/api/webhooks|hooks\.slack\.com/services|webhook\.site|outlook\.office(\.com|365\.com)/webhook|pipedream\.net|requestbin\.com|hookbin\.com|beeceptor\.com|ntfy\.sh)"
| extend Signal = "WebhookCmdLine"
| extend WebhookDomain = extract(@"https?://([^/]+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, Signal,
    FileName as InitiatingProcessFileName, ProcessCommandLine as InitiatingProcessCommandLine,
    RemoteUrl="(from cmdline)", RemoteIP="", RemotePort=0, BytesSent=0, BytesReceived=0,
    WebhookDomain;
union WebhookNetworkHits, WebhookLargeTransfer, WebhookCmdLine
| summarize
    Signals=make_set(Signal),
    SignalCount=dcount(Signal),
    TotalBytesSent=sum(BytesSent),
    WebhookTargets=make_set(WebhookDomain),
    CommandLines=make_set(InitiatingProcessCommandLine),
    FirstSeen=min(Timestamp),
    LastSeen=max(Timestamp),
    EventCount=count()
    by DeviceName, AccountName, InitiatingProcessFileName
| extend MultiSignal = SignalCount > 1
| sort by SignalCount desc, TotalBytesSent desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

Legitimate DevOps and CI/CD pipelines posting build status notifications to Slack or Teams webhooks via scripts or pipeline agents
IT monitoring and alerting tools (PagerDuty integrations, Grafana alerting, custom scripts) sending operational alerts to collaboration webhooks
Developer workstations testing webhook integrations during application development, especially when using webhook.site or requestbin as debug targets
Authorized security tools performing phishing simulations or red team exercises that post results to team notification webhooks
Business automation scripts (Zapier alternatives, custom workflow tools) that legitimately transfer structured data to webhooks

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=3))
| eval WebhookPattern=if(
    match(lower(coalesce(CommandLine, DestinationHostname, """"),
    "(discord\.com/api/webhooks|hooks\.slack\.com|webhook\.site|outlook\.office\.com/webhook|outlook\.office365\.com/webhook|pipedream\.net|requestbin\.com|hookbin\.com|beeceptor\.com|ntfy\.sh|smee\.io|requestcatcher\.com)"
    ), 1, 0)
| eval SuspiciousProcess=if(
    match(lower(coalesce(Image, """"),
    "(powershell\.exe|pwsh\.exe|cmd\.exe|python\.exe|node\.exe|curl\.exe|wget\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe)"
    ), 1, 0)
| eval IsNetworkEvent=if(EventCode=3, 1, 0)
| eval IsProcessEvent=if(EventCode=1, 1, 0)
| eval WebhookNetConn=if(IsNetworkEvent=1 AND WebhookPattern=1, 1, 0)
| eval WebhookCmdLine=if(IsProcessEvent=1 AND WebhookPattern=1, 1, 0)
| eval SuspiciousWebhookNet=if(WebhookNetConn=1 AND SuspiciousProcess=1, 1, 0)
| where WebhookPattern=1 OR SuspiciousWebhookNet=1
| eval SignalType=case(
    SuspiciousWebhookNet=1, "SuspiciousProcessWebhookNetwork",
    WebhookNetConn=1, "WebhookNetworkConnection",
    WebhookCmdLine=1 AND SuspiciousProcess=1, "SuspiciousProcessWebhookCmdLine",
    WebhookCmdLine=1, "WebhookCmdLine",
    true(), "Other")
| eval TargetWebhook=coalesce(
    if(match(lower(coalesce(CommandLine,"""")), "discord\.com"), "discord", null()),
    if(match(lower(coalesce(CommandLine,DestinationHostname,"""")), "slack\.com"), "slack", null()),
    if(match(lower(coalesce(CommandLine,DestinationHostname,"""")), "outlook\.office"), "teams", null()),
    if(match(lower(coalesce(CommandLine,DestinationHostname,"""")), "webhook\.site"), "webhook.site", null()),
    if(match(lower(coalesce(CommandLine,DestinationHostname,"""")), "pipedream\.net"), "pipedream", null()),
    "other_webhook")
| stats
    count as EventCount,
    dc(SignalType) as UniqueSignals,
    values(SignalType) as Signals,
    values(TargetWebhook) as WebhookTargets,
    values(CommandLine) as CommandLines,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by host, User, Image
| where EventCount > 0
| eval Priority=case(UniqueSignals >= 2, "HIGH", UniqueSignals=1 AND mvcount(WebhookTargets) > 1, "HIGH", true(), "MEDIUM")
| sort - UniqueSignals EventCount

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate DevOps and CI/CD pipelines posting build status notifications to Slack or Teams webhooks via scripts or pipeline agents
IT monitoring and alerting tools (PagerDuty integrations, Grafana alerting, custom scripts) sending operational alerts to collaboration webhooks
Developer workstations testing webhook integrations during application development, especially when using webhook.site or requestbin as debug targets
Authorized security tools performing phishing simulations or red team exercises that post results to team notification webhooks
Business automation scripts that legitimately transfer structured data to webhooks as part of workflow integrations

Elastic Security (EQL)

eql

sequence by host.id, user.name with maxspan=10m
  [network where event.type == "connection" and
   (
     dns.question.name : ("discord.com", "discordapp.com", "hooks.slack.com", "slack.com", "webhook.site", "webhooks.site", "outlook.office.com", "outlook.office365.com", "pipedream.net", "requestbin.com", "requestcatcher.com", "hookbin.com", "beeceptor.com", "smee.io", "ntfy.sh", "pushover.net") or
     url.domain : ("discord.com", "discordapp.com", "hooks.slack.com", "webhook.site", "pipedream.net", "ntfy.sh") or
     url.path : ("/api/webhooks/*", "/services/T*")
   ) and
   process.name : ("powershell.exe", "pwsh.exe", "cmd.exe", "python.exe", "python3", "node.exe", "curl.exe", "wget.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe", "certutil.exe")]
  [network where event.type == "connection" and
   (
     dns.question.name : ("discord.com", "discordapp.com", "hooks.slack.com", "slack.com", "webhook.site", "webhooks.site", "outlook.office.com", "outlook.office365.com", "pipedream.net", "requestbin.com", "requestcatcher.com", "hookbin.com", "beeceptor.com", "smee.io", "ntfy.sh", "pushover.net") or
     url.domain : ("discord.com", "discordapp.com", "hooks.slack.com", "webhook.site", "pipedream.net", "ntfy.sh")
   ) and network.bytes > 1048576]

/* Standalone rule for webhook URL patterns in process args */
/* any where event.category == "process" and event.type == "start" and
   process.command_line : ("*discord.com/api/webhooks*", "*hooks.slack.com/services*", "*webhook.site*", "*outlook.office.com/webhook*", "*outlook.office365.com/webhook*", "*pipedream.net*", "*requestbin.com*", "*hookbin.com*", "*beeceptor.com*", "*ntfy.sh*", "*smee.io*") */

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent network events Packetbeat Auditbeat

Required Tables

logs-endpoint.events.network-* logs-endpoint.events.process-* packetbeat-*

False Positives

Legitimate DevOps pipelines using curl or Python scripts to post build notifications or alerts to Slack or Teams webhooks as part of CI/CD workflows.
Security tools and monitoring scripts (e.g., Ansible, Terraform) that post status updates to webhook endpoints as part of infrastructure automation.
Developer workstations running Node.js or Python applications that legitimately integrate with Discord or Slack bots for chat notifications.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  destinationport AS DestPort,
  username AS UserName,
  "LOGSOURCENAME"(logsourceid) AS LogSource,
  QIDNAME(qid) AS EventName,
  CATEGORYNAME(category) AS Category,
  devicehostname AS Hostname,
  LOWER("URL") AS WebhookURL,
  "ApplicationName" AS ProcessName,
  "CommandLine" AS CommandLine,
  SUM("Bytes Sent") AS TotalBytesSent,
  COUNT(*) AS EventCount,
  MIN(starttime) AS FirstSeen,
  MAX(starttime) AS LastSeen
FROM events
WHERE
  (
    LOWER("URL") ILIKE '%discord.com/api/webhooks%'
    OR LOWER("URL") ILIKE '%hooks.slack.com/services%'
    OR LOWER("URL") ILIKE '%webhook.site%'
    OR LOWER("URL") ILIKE '%webhooks.site%'
    OR LOWER("URL") ILIKE '%outlook.office.com/webhook%'
    OR LOWER("URL") ILIKE '%outlook.office365.com/webhook%'
    OR LOWER("URL") ILIKE '%pipedream.net%'
    OR LOWER("URL") ILIKE '%requestbin.com%'
    OR LOWER("URL") ILIKE '%requestcatcher.com%'
    OR LOWER("URL") ILIKE '%hookbin.com%'
    OR LOWER("URL") ILIKE '%beeceptor.com%'
    OR LOWER("URL") ILIKE '%smee.io%'
    OR LOWER("URL") ILIKE '%ntfy.sh%'
    OR LOWER("URL") ILIKE '%pushover.net%'
    OR LOWER("CommandLine") ILIKE '%discord.com/api/webhooks%'
    OR LOWER("CommandLine") ILIKE '%hooks.slack.com%'
    OR LOWER("CommandLine") ILIKE '%webhook.site%'
    OR LOWER("CommandLine") ILIKE '%pipedream.net%'
    OR LOWER("CommandLine") ILIKE '%ntfy.sh%'
  )
  AND (
    LOWER("ApplicationName") IN ('powershell.exe','pwsh.exe','cmd.exe','python.exe','python3','node.exe','curl.exe','wget.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','certutil.exe','bitsadmin.exe')
    OR "Bytes Sent" > 1048576
  )
  AND LOGSOURCETYPEID IN (12, 352, 433)
GROUP BY
  sourceip, destinationip, destinationport, username, devicehostname, "URL", "ApplicationName", "CommandLine"
HAVING TotalBytesSent > 0 OR EventCount > 0
ORDER BY TotalBytesSent DESC, EventCount DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

QRadar Network Activity Windows Security Event Log via WinCollect Sysmon via WinCollect Proxy/web gateway logs

Required Tables

events

False Positives

Automated notification scripts run by legitimate DevOps users sending deployment status messages to Slack or Teams webhooks from build servers.
Endpoint security or SIEM integration tools using curl or Python to forward alerts to collaboration platform webhooks for SOC triage workflows.
Web proxy or firewall logs capturing browser-based access to webhook.site or pipedream.net by developers testing integrations from their workstations.

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="endpoint/process" OR _sourceCategory="proxy/web")
| where _raw matches "(?i)(discord\.com/api/webhooks|hooks\.slack\.com/services|webhook\.site|webhooks\.site|outlook\.office\.com/webhook|outlook\.office365\.com/webhook|pipedream\.net|requestbin\.com|requestcatcher\.com|hookbin\.com|beeceptor\.com|smee\.io|ntfy\.sh|pushover\.net)"
| parse regex field=_raw "(?i)(?:Image|process_name|Process)[\s=:\"]+(?P<ProcessName>[^\s\"\|,]+)" nodrop
| parse regex field=_raw "(?i)(?:CommandLine|command_line|cmdline)[\s=:\"]+(?P<CommandLine>[^\|\n]{0,512})" nodrop
| parse regex field=_raw "(?i)(?:DestinationHostname|dest_hostname|cs-host|url)[\s=:\"]+(?P<WebhookTarget>[^\s\"\|,]+)" nodrop
| parse regex field=_raw "(?i)(?:BytesSent|bytes_out|sc-bytes)[\s=:\"]+(?P<BytesSentStr>[0-9]+)" nodrop
| parse regex field=_raw "(?i)(?:User|username|AccountName)[\s=:\"]+(?P<UserName>[^\s\"\|,]+)" nodrop
| parse regex field=_raw "(?i)(?:hostname|ComputerName|host)[\s=:\"]+(?P<Hostname>[^\s\"\|,]+)" nodrop
| num(BytesSentStr) as BytesSent
| eval SuspiciousProcess = if(ProcessName matches "(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|python\.exe|python3|node\.exe|curl\.exe|wget\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe)", 1, 0)
| eval LargeTransfer = if(BytesSent > 1048576, 1, 0)
| eval WebhookCmdLine = if(CommandLine matches "(?i)(discord\.com/api/webhooks|hooks\.slack\.com|webhook\.site|pipedream\.net|ntfy\.sh)", 1, 0)
| eval SignalType = if(SuspiciousProcess = 1 and LargeTransfer = 1, "SuspiciousProcessLargeTransfer",
    if(SuspiciousProcess = 1, "SuspiciousProcessWebhookConn",
    if(WebhookCmdLine = 1, "WebhookInCommandLine",
    if(LargeTransfer = 1, "LargeTransferToWebhook", "WebhookContact"))))
| stats
    count as EventCount,
    sum(BytesSent) as TotalBytesSent,
    values(SignalType) as Signals,
    values(WebhookTarget) as WebhookTargets,
    values(CommandLine) as CommandLines,
    min(_messageTime) as FirstSeen,
    max(_messageTime) as LastSeen
    by Hostname, UserName, ProcessName
| where EventCount > 0
| eval Priority = if(TotalBytesSent > 1048576, "HIGH", if(EventCount > 5, "HIGH", "MEDIUM"))
| sort by TotalBytesSent desc, EventCount desc

high severity medium confidence

Data Sources

Sysmon Windows Event Log (via Sumo Logic Installed Collector) Web proxy / Squid / BlueCoat access logs Windows DNS debug logs Endpoint telemetry via Sumo Logic agent

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=endpoint/process _sourceCategory=proxy/web

False Positives

Slack or Teams bots running as services under scripting runtimes (Python, Node.js) that periodically post status updates to incoming webhooks configured by IT or operations teams.
Developer machines running test scripts against webhook.site, requestbin.com, or pipedream.net for HTTP integration testing during normal development workflows.
Security orchestration tools (SOAR platforms) using curl or Python SDKs to forward incident notifications to Slack or Teams channels via webhook URLs.

Google Chronicle / SecOps

yaral

rule exfiltration_over_webhook_t1567_004 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects exfiltration over webhook endpoints. Matches suspicious processes making network connections to known webhook domains, large outbound transfers to webhook URLs, and webhook URLs embedded in process command lines."
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1567.004"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1567/004/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      // Signal 1: Suspicious process network connection to webhook domain
      (
        $e1.metadata.event_type = "NETWORK_CONNECTION"
        and (
          re.regex($e1.target.hostname, `(?i)(discord\.com|discordapp\.com|hooks\.slack\.com|slack\.com|webhook\.site|webhooks\.site|outlook\.office\.com|outlook\.office365\.com|pipedream\.net|requestbin\.com|requestcatcher\.com|hookbin\.com|beeceptor\.com|smee\.io|ntfy\.sh|pushover\.net)`) or
          re.regex($e1.network.http.request_url, `(?i)(/api/webhooks/\d+/|/services/T[A-Z0-9]+/)`)
        )
        and re.regex($e1.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|python\.exe|python3|node\.exe|curl\.exe|wget\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|bitsadmin\.exe|certutil\.exe)$`)
      ) or
      // Signal 2: Large outbound transfer to webhook domain (any process)
      (
        $e1.metadata.event_type = "NETWORK_CONNECTION"
        and (
          re.regex($e1.target.hostname, `(?i)(discord\.com|discordapp\.com|hooks\.slack\.com|webhook\.site|webhooks\.site|outlook\.office\.com|outlook\.office365\.com|pipedream\.net|requestbin\.com|hookbin\.com|ntfy\.sh)`)
        )
        and $e1.network.sent_bytes > 1048576
      ) or
      // Signal 3: Webhook URL in process command line
      (
        $e1.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e1.target.process.command_line, `(?i)(discord\.com/api/webhooks|hooks\.slack\.com/services|webhook\.site|outlook\.office\.com/webhook|outlook\.office365\.com/webhook|pipedream\.net|requestbin\.com|hookbin\.com|beeceptor\.com|ntfy\.sh|smee\.io)`)
      )
    )
    $e1.principal.hostname = $hostname
    $e1.principal.user.userid = $user

  condition:
    $e1
}

high severity medium confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Chronicle Forwarder for Windows endpoint telemetry Chronicle ingestion of proxy/DNS logs Sysmon forwarded via Chronicle agent

Required Tables

NETWORK_CONNECTION UDM events PROCESS_LAUNCH UDM events

False Positives

Automation scripts running under IT service accounts that post operational alerts to Slack or Microsoft Teams incoming webhooks for monitoring and alerting workflows.
Developers testing webhook integrations against sites like webhook.site or requestbin.com using curl or Python from their workstations during development and QA cycles.
Cloud-connected security tools (EDR agents, SIEM forwarders) using scripting runtimes to send telemetry or health data to webhook-style HTTP ingestion endpoints.

CrowdStrike LogScale (CQL)

cql

// Signal 1: Suspicious process DNS resolution or network connection to webhook domains
#event_simpleName IN ("DnsRequest", "NetworkConnectIP4", "NetworkConnectIP6")
| DomainName = /(?i)(discord\.com|discordapp\.com|hooks\.slack\.com|slack\.com|webhook\.site|webhooks\.site|outlook\.office\.com|outlook\.office365\.com|pipedream\.net|requestbin\.com|requestcatcher\.com|hookbin\.com|beeceptor\.com|smee\.io|ntfy\.sh|pushover\.net)/
  OR RemoteAddressIP4 = /(?i)(discord|slack|webhook|pipedream|ntfy)/
| ContextBaseFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|python\.exe|python3|node\.exe|curl\.exe|wget\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|bitsadmin\.exe|certutil\.exe)$/
| groupBy([ComputerName, UserName, ContextBaseFileName, DomainName], function=[
    count(aid, as=ConnectionCount),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ])
| SignalType := "SuspiciousProcessWebhookDNS"

// Signal 2: Webhook URL pattern in process command line
// Run separately and union:
// #event_simpleName = "ProcessRollup2"
// | CommandLine = /(?i)(discord\.com\/api\/webhooks|hooks\.slack\.com\/services|webhook\.site|outlook\.office\.com\/webhook|outlook\.office365\.com\/webhook|pipedream\.net|requestbin\.com|hookbin\.com|beeceptor\.com|ntfy\.sh|smee\.io)/
// | groupBy([ComputerName, UserName, FileName, CommandLine], function=[
//     count(aid, as=EventCount),
//     min(@timestamp, as=FirstSeen),
//     max(@timestamp, as=LastSeen)
//   ])
// | SignalType := "WebhookURLInCommandLine"

// Combined summary view after union:
| groupBy([ComputerName, UserName, ContextBaseFileName, SignalType], function=[
    sum(ConnectionCount, as=TotalConnections),
    min(FirstSeen, as=EarliestSeen),
    max(LastSeen, as=LatestSeen),
    collect(DomainName, as=WebhookTargets)
  ])
| TotalConnections > 0
| sort(TotalConnections, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Activity Monitor CrowdStrike Falcon DNS telemetry (DnsRequest events) CrowdStrike Falcon network telemetry (NetworkConnectIP4/IP6) CrowdStrike Falcon process telemetry (ProcessRollup2)

Required Tables

DnsRequest NetworkConnectIP4 NetworkConnectIP6 ProcessRollup2

False Positives

Build automation agents (Jenkins, GitLab Runner) running under service accounts that use curl or Python to post CI/CD pipeline status notifications to Slack or Teams incoming webhooks.
Endpoint management or monitoring agents (Ansible, Chef, Puppet) executing scripts that include webhook.site or requestbin.com URLs for HTTP callback testing during configuration management tasks.
Incident response and threat hunting scripts executed by security analysts that query webhook delivery sites like smee.io or ntfy.sh to receive callback signals from test payloads.

Last updated: 2026-04-21 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1567.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1567Exfiltration Over Web Service

Related Sub-techniques

T1567.001Exfiltration to Code Repository T1567.002Exfiltration to Cloud Storage T1567.003Exfiltration to Text Storage Sites

Exfiltration Over Webhook

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Exfiltration

Popular Detections