Detect Exfiltration Over Web Service in Elastic Security
Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. Popular web services acting as an exfiltration mechanism may give significant cover because hosts within a network are likely already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Observed real-world abuse includes exfiltration to Telegram (Magic Hound, Contagious Interview), cloud storage (APT28 to Google Drive, Exbyte/BlackByte to Mega.co.nz), code repositories, file-sharing services (anonymfiles.com, file.io), and Microsoft Exchange Web Services (OilCheck, SampleCheck5000).
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1567 Exfiltration Over Web Service
- Canonical reference
- https://attack.mitre.org/techniques/T1567/
Elastic Detection Query
sequence by host.name, process.entity_id with maxspan=1h
[process where event.type == "start" and
process.name in~ ("curl", "curl.exe", "wget", "wget.exe", "powershell.exe", "pwsh.exe",
"python.exe", "python3", "python3.exe", "node.exe", "node",
"wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe")]
[network where event.type == "connection" and
network.direction == "egress" and
(
dns.question.name : (
"api.telegram.org", "discord.com", "discordapp.com",
"mega.co.nz", "mega.nz", "file.io", "transfer.sh", "gofile.io",
"anonymfiles.com", "anonfiles.com", "ufile.io", "pixeldrain.com",
"paste.ee", "pastebin.com", "hastebin.com", "rentry.co",
"ghostbin.com", "privatbin.net", "ngrok.io", "ngrok-free.app", "serveo.net",
"content.dropboxapi.com", "api.dropboxapi.com", "www.googleapis.com",
"drive.google.com", "graph.microsoft.com", "onedrive.live.com",
"api.github.com", "gitlab.com", "bitbucket.org",
"s3.amazonaws.com", "storage.googleapis.com"
) or
network.bytes_sent > 1048576
)
]Detects exfiltration over web services (T1567) by correlating suspicious scripting/transfer processes with outbound network connections to known file-sharing, messaging, paste, tunnel, and cloud storage services. Also catches high-volume data transfers from LOLBin processes. Covers Telegram, Discord, Mega, file.io, ngrok, Dropbox, Google Drive, OneDrive, GitHub, and S3.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate developers using curl or wget to push artifacts to GitHub, GitLab, or S3 as part of CI/CD workflows
- IT administrators using PowerShell or Python scripts to back up data to OneDrive or Google Drive as part of authorized backup jobs
- Security tools or EDR agents that legitimately contact cloud APIs (e.g., CrowdStrike, Defender) may match on process name patterns if categorization is too broad
Other platforms for T1567
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Exfiltrate file via Telegram Bot API (curl)
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'api.telegram.org' and 'sendDocument'. Sysmon Event ID 3: Network Connection to api.telegram.org:443 (resolves to Telegram's IP range). Sysmon Event ID 11: File Create for exfil-test.txt in %TEMP%.
- Test 2Upload staged archive to file-sharing service (file.io)
Expected signal: Sysmon for Linux (if deployed) Event ID 11: File Create for exfil-staging.tar.gz in /tmp. Sysmon Event ID 3: Network connection to file.io:443. Auditd syscall events for open/write (archive creation) and connect (curl network call). Process accounting records for tar and curl executions.
- Test 3Exfiltrate data via Discord webhook (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'discord.com/api/webhooks' and 'Invoke-RestMethod'. Sysmon Event ID 3: Network Connection to discord.com:443 from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full webhook POST script including the URL and payload body.
- Test 4Bulk data upload to cloud storage via Python requests (Google Drive simulation)
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'googleapis.com' and '/upload/drive/v3'. Sysmon Event ID 3: Network Connection to www.googleapis.com:443 from python.exe. BytesSent will reflect the ~51KB payload even on 401 response (data is transmitted before auth rejection). Security Event ID 4688 if command line auditing enabled.
References (10)
- https://attack.mitre.org/techniques/T1567/
- https://blog.google/threat-analysis-group/iran-based-threats/
- https://www.welivesecurity.com/en/eset-research/oilrig-campaigns-2022-2023/
- https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html
- https://www.bleepingcomputer.com/news/security/molerats-hackers-hide-new-espionage-attacks-behind-dropbox-and-facebook/
- https://symantec-enterprise-blogs.security.com/threat-intelligence/blackbyte-exbyte-ransomware
- https://www.microsoft.com/security/blog/2023/03/02/blackbyte-ransomware-group-reemerges-with-updated-tactics/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md
- https://www.malwarebytes.com/blog/news/2020/02/ngrok-abused-by-hackers-to-host-phishing-sites-and-for-data-exfiltration
Unlock Pro Content
Get the full detection package for T1567 including response playbook, investigation guide, and atomic red team tests.