Detect Exfiltration Over Webhook in Elastic Security
Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple HTTP/S push mechanisms supported by collaboration platforms such as Discord, Slack, Microsoft Teams, and generic services like webhook.site. Adversaries exploit these endpoints by either linking an adversary-controlled webhook to a victim-owned SaaS service for automated repeated exfiltration of emails or chat messages, or by manually posting staged data directly to a webhook URL via scripting tools. Because webhook traffic is HTTPS and destined for widely-trusted SaaS domains, it blends with normal enterprise traffic and often bypasses data loss prevention controls. Observed real-world usage includes Discord webhooks for credential and token exfiltration from malicious npm packages, Slack webhooks used by insider threats, and Microsoft Teams webhooks abused via SQL Server xp_cmdshell lateral movement chains.
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1567 Exfiltration Over Web Service
- Sub-technique
- T1567.004 Exfiltration Over Webhook
- Canonical reference
- https://attack.mitre.org/techniques/T1567/004/
Elastic Detection Query
sequence by host.id, user.name with maxspan=10m
[network where event.type == "connection" and
(
dns.question.name : ("discord.com", "discordapp.com", "hooks.slack.com", "slack.com", "webhook.site", "webhooks.site", "outlook.office.com", "outlook.office365.com", "pipedream.net", "requestbin.com", "requestcatcher.com", "hookbin.com", "beeceptor.com", "smee.io", "ntfy.sh", "pushover.net") or
url.domain : ("discord.com", "discordapp.com", "hooks.slack.com", "webhook.site", "pipedream.net", "ntfy.sh") or
url.path : ("/api/webhooks/*", "/services/T*")
) and
process.name : ("powershell.exe", "pwsh.exe", "cmd.exe", "python.exe", "python3", "node.exe", "curl.exe", "wget.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe", "certutil.exe")]
[network where event.type == "connection" and
(
dns.question.name : ("discord.com", "discordapp.com", "hooks.slack.com", "slack.com", "webhook.site", "webhooks.site", "outlook.office.com", "outlook.office365.com", "pipedream.net", "requestbin.com", "requestcatcher.com", "hookbin.com", "beeceptor.com", "smee.io", "ntfy.sh", "pushover.net") or
url.domain : ("discord.com", "discordapp.com", "hooks.slack.com", "webhook.site", "pipedream.net", "ntfy.sh")
) and network.bytes > 1048576]
/* Standalone rule for webhook URL patterns in process args */
/* any where event.category == "process" and event.type == "start" and
process.command_line : ("*discord.com/api/webhooks*", "*hooks.slack.com/services*", "*webhook.site*", "*outlook.office.com/webhook*", "*outlook.office365.com/webhook*", "*pipedream.net*", "*requestbin.com*", "*hookbin.com*", "*beeceptor.com*", "*ntfy.sh*", "*smee.io*") */Detects exfiltration over webhook endpoints by correlating suspicious process network connections to known webhook domains with large outbound transfers. A sequence match identifies a suspicious process (PowerShell, curl, Python, etc.) that connects to a webhook domain and then sends more than 1MB of data. A standalone process event rule (commented inline) also catches webhook URLs embedded directly in command-line arguments, covering staged manual POST exfiltration.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate DevOps pipelines using curl or Python scripts to post build notifications or alerts to Slack or Teams webhooks as part of CI/CD workflows.
- Security tools and monitoring scripts (e.g., Ansible, Terraform) that post status updates to webhook endpoints as part of infrastructure automation.
- Developer workstations running Node.js or Python applications that legitimately integrate with Discord or Slack bots for chat notifications.
Other platforms for T1567.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Exfiltrate Data via Discord Webhook using PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-RestMethod' and 'webhook.site'. Sysmon Event ID 3: Network Connection from powershell.exe to webhook.site on port 443. DeviceNetworkEvents: RemoteUrl containing webhook.site, InitiatingProcessFileName=powershell.exe, BytesSent > 0.
- Test 2Exfiltrate File Contents via curl to Webhook Endpoint
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe (echo/type) and curl.exe with CommandLine containing 'webhook.site' and '-X POST'. Sysmon Event ID 11: File Create for the staging file in %TEMP%. Sysmon Event ID 3: Network Connection from curl.exe to webhook.site on port 443. DeviceNetworkEvents: InitiatingProcessFileName=curl.exe, RemoteUrl containing webhook.site.
- Test 3Python Requests Library Webhook Exfiltration
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'urllib.request', 'webhook.site', and 'POST'. Sysmon Event ID 3: Network Connection from python.exe to webhook.site on port 443. DeviceNetworkEvents: InitiatingProcessFileName=python.exe, RemoteUrl=webhook.site.
- Test 4Automated SaaS Webhook Exfiltration via Microsoft Teams Incoming Webhook
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-WebRequest' and 'outlook.office.com/webhook'. Sysmon Event ID 3: Network Connection from powershell.exe to outlook.office.com on port 443. DeviceNetworkEvents: RemoteUrl containing /webhook/, InitiatingProcessFileName=powershell.exe.
References (11)
- https://attack.mitre.org/techniques/T1567/004/
- https://medium.com/checkmarx-security/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services-6e046b07d191
- https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord
- https://blog.talosintelligence.com/collab-app-abuse/
- https://github.com/pushsecurity/saas-attacks/blob/main/techniques/webhooks/description.md
- https://www.microsoft.com/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/
- https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks
- https://www.redhat.com/en/topics/automation/what-is-a-webhook
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.004/T1567.004.md
Unlock Pro Content
Get the full detection package for T1567.004 including response playbook, investigation guide, and atomic red team tests.