Detect Exfiltration Over Webhook in Google Chronicle
Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple HTTP/S push mechanisms supported by collaboration platforms such as Discord, Slack, Microsoft Teams, and generic services like webhook.site. Adversaries exploit these endpoints by either linking an adversary-controlled webhook to a victim-owned SaaS service for automated repeated exfiltration of emails or chat messages, or by manually posting staged data directly to a webhook URL via scripting tools. Because webhook traffic is HTTPS and destined for widely-trusted SaaS domains, it blends with normal enterprise traffic and often bypasses data loss prevention controls. Observed real-world usage includes Discord webhooks for credential and token exfiltration from malicious npm packages, Slack webhooks used by insider threats, and Microsoft Teams webhooks abused via SQL Server xp_cmdshell lateral movement chains.
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1567 Exfiltration Over Web Service
- Sub-technique
- T1567.004 Exfiltration Over Webhook
- Canonical reference
- https://attack.mitre.org/techniques/T1567/004/
YARA-L Detection Query
rule exfiltration_over_webhook_t1567_004 {
meta:
author = "Argus Detection Engineering"
description = "Detects exfiltration over webhook endpoints. Matches suspicious processes making network connections to known webhook domains, large outbound transfers to webhook URLs, and webhook URLs embedded in process command lines."
mitre_attack_tactic = "Exfiltration"
mitre_attack_technique = "T1567.004"
mitre_attack_url = "https://attack.mitre.org/techniques/T1567/004/"
severity = "HIGH"
priority = "HIGH"
events:
(
// Signal 1: Suspicious process network connection to webhook domain
(
$e1.metadata.event_type = "NETWORK_CONNECTION"
and (
re.regex($e1.target.hostname, `(?i)(discord\.com|discordapp\.com|hooks\.slack\.com|slack\.com|webhook\.site|webhooks\.site|outlook\.office\.com|outlook\.office365\.com|pipedream\.net|requestbin\.com|requestcatcher\.com|hookbin\.com|beeceptor\.com|smee\.io|ntfy\.sh|pushover\.net)`) or
re.regex($e1.network.http.request_url, `(?i)(/api/webhooks/\d+/|/services/T[A-Z0-9]+/)`)
)
and re.regex($e1.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|python\.exe|python3|node\.exe|curl\.exe|wget\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|bitsadmin\.exe|certutil\.exe)$`)
) or
// Signal 2: Large outbound transfer to webhook domain (any process)
(
$e1.metadata.event_type = "NETWORK_CONNECTION"
and (
re.regex($e1.target.hostname, `(?i)(discord\.com|discordapp\.com|hooks\.slack\.com|webhook\.site|webhooks\.site|outlook\.office\.com|outlook\.office365\.com|pipedream\.net|requestbin\.com|hookbin\.com|ntfy\.sh)`)
)
and $e1.network.sent_bytes > 1048576
) or
// Signal 3: Webhook URL in process command line
(
$e1.metadata.event_type = "PROCESS_LAUNCH"
and re.regex($e1.target.process.command_line, `(?i)(discord\.com/api/webhooks|hooks\.slack\.com/services|webhook\.site|outlook\.office\.com/webhook|outlook\.office365\.com/webhook|pipedream\.net|requestbin\.com|hookbin\.com|beeceptor\.com|ntfy\.sh|smee\.io)`)
)
)
$e1.principal.hostname = $hostname
$e1.principal.user.userid = $user
condition:
$e1
}Chronicle YARA-L 2.0 rule detecting exfiltration attempts over webhook endpoints using three complementary signals: (1) suspicious scripting/LOLBin processes initiating network connections to known webhook domains including Discord, Slack, Teams, webhook.site, ntfy.sh, and testing services; (2) any process sending more than 1MB to webhook endpoint domains indicating bulk data exfiltration; and (3) webhook URLs appearing directly in process command-line arguments indicating manual staged exfiltration via scripting tools. Matches across NETWORK_CONNECTION and PROCESS_LAUNCH UDM event types.
Data Sources
Required Tables
False Positives & Tuning
- Automation scripts running under IT service accounts that post operational alerts to Slack or Microsoft Teams incoming webhooks for monitoring and alerting workflows.
- Developers testing webhook integrations against sites like webhook.site or requestbin.com using curl or Python from their workstations during development and QA cycles.
- Cloud-connected security tools (EDR agents, SIEM forwarders) using scripting runtimes to send telemetry or health data to webhook-style HTTP ingestion endpoints.
Other platforms for T1567.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Exfiltrate Data via Discord Webhook using PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-RestMethod' and 'webhook.site'. Sysmon Event ID 3: Network Connection from powershell.exe to webhook.site on port 443. DeviceNetworkEvents: RemoteUrl containing webhook.site, InitiatingProcessFileName=powershell.exe, BytesSent > 0.
- Test 2Exfiltrate File Contents via curl to Webhook Endpoint
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe (echo/type) and curl.exe with CommandLine containing 'webhook.site' and '-X POST'. Sysmon Event ID 11: File Create for the staging file in %TEMP%. Sysmon Event ID 3: Network Connection from curl.exe to webhook.site on port 443. DeviceNetworkEvents: InitiatingProcessFileName=curl.exe, RemoteUrl containing webhook.site.
- Test 3Python Requests Library Webhook Exfiltration
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'urllib.request', 'webhook.site', and 'POST'. Sysmon Event ID 3: Network Connection from python.exe to webhook.site on port 443. DeviceNetworkEvents: InitiatingProcessFileName=python.exe, RemoteUrl=webhook.site.
- Test 4Automated SaaS Webhook Exfiltration via Microsoft Teams Incoming Webhook
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-WebRequest' and 'outlook.office.com/webhook'. Sysmon Event ID 3: Network Connection from powershell.exe to outlook.office.com on port 443. DeviceNetworkEvents: RemoteUrl containing /webhook/, InitiatingProcessFileName=powershell.exe.
References (11)
- https://attack.mitre.org/techniques/T1567/004/
- https://medium.com/checkmarx-security/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services-6e046b07d191
- https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord
- https://blog.talosintelligence.com/collab-app-abuse/
- https://github.com/pushsecurity/saas-attacks/blob/main/techniques/webhooks/description.md
- https://www.microsoft.com/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/
- https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks
- https://www.redhat.com/en/topics/automation/what-is-a-webhook
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.004/T1567.004.md
Unlock Pro Content
Get the full detection package for T1567.004 including response playbook, investigation guide, and atomic red team tests.