Detect Exfiltration Over Webhook in Splunk
Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple HTTP/S push mechanisms supported by collaboration platforms such as Discord, Slack, Microsoft Teams, and generic services like webhook.site. Adversaries exploit these endpoints by either linking an adversary-controlled webhook to a victim-owned SaaS service for automated repeated exfiltration of emails or chat messages, or by manually posting staged data directly to a webhook URL via scripting tools. Because webhook traffic is HTTPS and destined for widely-trusted SaaS domains, it blends with normal enterprise traffic and often bypasses data loss prevention controls. Observed real-world usage includes Discord webhooks for credential and token exfiltration from malicious npm packages, Slack webhooks used by insider threats, and Microsoft Teams webhooks abused via SQL Server xp_cmdshell lateral movement chains.
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1567 Exfiltration Over Web Service
- Sub-technique
- T1567.004 Exfiltration Over Webhook
- Canonical reference
- https://attack.mitre.org/techniques/T1567/004/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=3))
| eval WebhookPattern=if(
match(lower(coalesce(CommandLine, DestinationHostname, """"),
"(discord\.com/api/webhooks|hooks\.slack\.com|webhook\.site|outlook\.office\.com/webhook|outlook\.office365\.com/webhook|pipedream\.net|requestbin\.com|hookbin\.com|beeceptor\.com|ntfy\.sh|smee\.io|requestcatcher\.com)"
), 1, 0)
| eval SuspiciousProcess=if(
match(lower(coalesce(Image, """"),
"(powershell\.exe|pwsh\.exe|cmd\.exe|python\.exe|node\.exe|curl\.exe|wget\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe)"
), 1, 0)
| eval IsNetworkEvent=if(EventCode=3, 1, 0)
| eval IsProcessEvent=if(EventCode=1, 1, 0)
| eval WebhookNetConn=if(IsNetworkEvent=1 AND WebhookPattern=1, 1, 0)
| eval WebhookCmdLine=if(IsProcessEvent=1 AND WebhookPattern=1, 1, 0)
| eval SuspiciousWebhookNet=if(WebhookNetConn=1 AND SuspiciousProcess=1, 1, 0)
| where WebhookPattern=1 OR SuspiciousWebhookNet=1
| eval SignalType=case(
SuspiciousWebhookNet=1, "SuspiciousProcessWebhookNetwork",
WebhookNetConn=1, "WebhookNetworkConnection",
WebhookCmdLine=1 AND SuspiciousProcess=1, "SuspiciousProcessWebhookCmdLine",
WebhookCmdLine=1, "WebhookCmdLine",
true(), "Other")
| eval TargetWebhook=coalesce(
if(match(lower(coalesce(CommandLine,"""")), "discord\.com"), "discord", null()),
if(match(lower(coalesce(CommandLine,DestinationHostname,"""")), "slack\.com"), "slack", null()),
if(match(lower(coalesce(CommandLine,DestinationHostname,"""")), "outlook\.office"), "teams", null()),
if(match(lower(coalesce(CommandLine,DestinationHostname,"""")), "webhook\.site"), "webhook.site", null()),
if(match(lower(coalesce(CommandLine,DestinationHostname,"""")), "pipedream\.net"), "pipedream", null()),
"other_webhook")
| stats
count as EventCount,
dc(SignalType) as UniqueSignals,
values(SignalType) as Signals,
values(TargetWebhook) as WebhookTargets,
values(CommandLine) as CommandLines,
earliest(_time) as FirstSeen,
latest(_time) as LastSeen
by host, User, Image
| where EventCount > 0
| eval Priority=case(UniqueSignals >= 2, "HIGH", UniqueSignals=1 AND mvcount(WebhookTargets) > 1, "HIGH", true(), "MEDIUM")
| sort - UniqueSignals EventCountDetects webhook-based exfiltration using Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection). Identifies processes whose command lines reference known webhook service URLs and network connections made by scripting engines or LOLBins to webhook domains. Assigns a SignalType classification and aggregates results per host/user/process to surface multi-signal detections. Priority field (HIGH/MEDIUM) is set when multiple signal types are present or when multiple distinct webhook services are targeted.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate DevOps and CI/CD pipelines posting build status notifications to Slack or Teams webhooks via scripts or pipeline agents
- IT monitoring and alerting tools (PagerDuty integrations, Grafana alerting, custom scripts) sending operational alerts to collaboration webhooks
- Developer workstations testing webhook integrations during application development, especially when using webhook.site or requestbin as debug targets
- Authorized security tools performing phishing simulations or red team exercises that post results to team notification webhooks
- Business automation scripts that legitimately transfer structured data to webhooks as part of workflow integrations
Other platforms for T1567.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Exfiltrate Data via Discord Webhook using PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-RestMethod' and 'webhook.site'. Sysmon Event ID 3: Network Connection from powershell.exe to webhook.site on port 443. DeviceNetworkEvents: RemoteUrl containing webhook.site, InitiatingProcessFileName=powershell.exe, BytesSent > 0.
- Test 2Exfiltrate File Contents via curl to Webhook Endpoint
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe (echo/type) and curl.exe with CommandLine containing 'webhook.site' and '-X POST'. Sysmon Event ID 11: File Create for the staging file in %TEMP%. Sysmon Event ID 3: Network Connection from curl.exe to webhook.site on port 443. DeviceNetworkEvents: InitiatingProcessFileName=curl.exe, RemoteUrl containing webhook.site.
- Test 3Python Requests Library Webhook Exfiltration
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'urllib.request', 'webhook.site', and 'POST'. Sysmon Event ID 3: Network Connection from python.exe to webhook.site on port 443. DeviceNetworkEvents: InitiatingProcessFileName=python.exe, RemoteUrl=webhook.site.
- Test 4Automated SaaS Webhook Exfiltration via Microsoft Teams Incoming Webhook
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-WebRequest' and 'outlook.office.com/webhook'. Sysmon Event ID 3: Network Connection from powershell.exe to outlook.office.com on port 443. DeviceNetworkEvents: RemoteUrl containing /webhook/, InitiatingProcessFileName=powershell.exe.
References (11)
- https://attack.mitre.org/techniques/T1567/004/
- https://medium.com/checkmarx-security/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services-6e046b07d191
- https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord
- https://blog.talosintelligence.com/collab-app-abuse/
- https://github.com/pushsecurity/saas-attacks/blob/main/techniques/webhooks/description.md
- https://www.microsoft.com/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/
- https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks
- https://www.redhat.com/en/topics/automation/what-is-a-webhook
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.004/T1567.004.md
Unlock Pro Content
Get the full detection package for T1567.004 including response playbook, investigation guide, and atomic red team tests.