Detect Exfiltration Over Web Service in Google Chronicle
Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. Popular web services acting as an exfiltration mechanism may give significant cover because hosts within a network are likely already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Observed real-world abuse includes exfiltration to Telegram (Magic Hound, Contagious Interview), cloud storage (APT28 to Google Drive, Exbyte/BlackByte to Mega.co.nz), code repositories, file-sharing services (anonymfiles.com, file.io), and Microsoft Exchange Web Services (OilCheck, SampleCheck5000).
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1567 Exfiltration Over Web Service
- Canonical reference
- https://attack.mitre.org/techniques/T1567/
YARA-L Detection Query
rule t1567_exfiltration_over_web_service {
meta:
author = "Argus Detection Engineering"
description = "Detects exfiltration over web services (T1567) — connections from suspicious processes to known file-sharing, messaging, paste, tunnel, and cloud storage domains, or high-volume uploads from LOLBin processes."
mitre_attack_tactic = "Exfiltration"
mitre_attack_technique = "T1567"
severity = "HIGH"
priority = "HIGH"
events:
$e.metadata.event_type = "NETWORK_CONNECTION"
$e.network.direction = "OUTBOUND"
$e.principal.process.file.full_path != ""
// Match on known exfiltration domains OR cloud storage domains
(
re.regex($e.target.hostname, `(?i)(api\.telegram\.org|discord\.com|discordapp\.com|mega\.co\.nz|mega\.nz|file\.io|transfer\.sh|gofile\.io|anonymfiles\.com|anonfiles\.com|ufile\.io|pixeldrain\.com|paste\.ee|pastebin\.com|hastebin\.com|rentry\.co|ghostbin\.com|privatbin\.net|ngrok\.io|ngrok-free\.app|serveo\.net)`) or
re.regex($e.target.hostname, `(?i)(content\.dropboxapi\.com|api\.dropboxapi\.com|www\.googleapis\.com|drive\.google\.com|graph\.microsoft\.com|onedrive\.live\.com|api\.github\.com|gitlab\.com|bitbucket\.org|s3\.amazonaws\.com|storage\.googleapis\.com)`)
)
// Initiated by a suspicious upload-capable process
re.regex($e.principal.process.file.full_path, `(?i)(curl|wget|powershell|pwsh|python|node|wscript|cscript|certutil|bitsadmin)`)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting T1567 exfiltration over web services. Matches outbound network events where a known LOLBin or scripting process connects to file-sharing services (Mega, file.io, transfer.sh), messaging platforms (Telegram, Discord), paste sites (Pastebin, Hastebin), tunnel services (ngrok, Serveo), or cloud storage APIs (Dropbox, Google Drive, OneDrive, GitHub, S3). Uses UDM fields for process path, target hostname, and network direction.
Data Sources
Required Tables
False Positives & Tuning
- Automated CI/CD pipelines using Python or Node.js to deploy releases to GitHub releases, GitLab CI artifacts, or AWS S3 buckets as part of normal software delivery
- System administration scripts using curl or PowerShell to upload logs, diagnostics, or configuration snapshots to authorized cloud storage for troubleshooting
- End-user productivity applications such as the Slack desktop client or VS Code extensions that internally invoke curl or node to communicate with external APIs
Other platforms for T1567
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Exfiltrate file via Telegram Bot API (curl)
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'api.telegram.org' and 'sendDocument'. Sysmon Event ID 3: Network Connection to api.telegram.org:443 (resolves to Telegram's IP range). Sysmon Event ID 11: File Create for exfil-test.txt in %TEMP%.
- Test 2Upload staged archive to file-sharing service (file.io)
Expected signal: Sysmon for Linux (if deployed) Event ID 11: File Create for exfil-staging.tar.gz in /tmp. Sysmon Event ID 3: Network connection to file.io:443. Auditd syscall events for open/write (archive creation) and connect (curl network call). Process accounting records for tar and curl executions.
- Test 3Exfiltrate data via Discord webhook (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'discord.com/api/webhooks' and 'Invoke-RestMethod'. Sysmon Event ID 3: Network Connection to discord.com:443 from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full webhook POST script including the URL and payload body.
- Test 4Bulk data upload to cloud storage via Python requests (Google Drive simulation)
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'googleapis.com' and '/upload/drive/v3'. Sysmon Event ID 3: Network Connection to www.googleapis.com:443 from python.exe. BytesSent will reflect the ~51KB payload even on 401 response (data is transmitted before auth rejection). Security Event ID 4688 if command line auditing enabled.
References (10)
- https://attack.mitre.org/techniques/T1567/
- https://blog.google/threat-analysis-group/iran-based-threats/
- https://www.welivesecurity.com/en/eset-research/oilrig-campaigns-2022-2023/
- https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html
- https://www.bleepingcomputer.com/news/security/molerats-hackers-hide-new-espionage-attacks-behind-dropbox-and-facebook/
- https://symantec-enterprise-blogs.security.com/threat-intelligence/blackbyte-exbyte-ransomware
- https://www.microsoft.com/security/blog/2023/03/02/blackbyte-ransomware-group-reemerges-with-updated-tactics/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md
- https://www.malwarebytes.com/blog/news/2020/02/ngrok-abused-by-hackers-to-host-phishing-sites-and-for-data-exfiltration
Unlock Pro Content
Get the full detection package for T1567 including response playbook, investigation guide, and atomic red team tests.