Detect Exfiltration Over Web Service in CrowdStrike LogScale
Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. Popular web services acting as an exfiltration mechanism may give significant cover because hosts within a network are likely already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Observed real-world abuse includes exfiltration to Telegram (Magic Hound, Contagious Interview), cloud storage (APT28 to Google Drive, Exbyte/BlackByte to Mega.co.nz), code repositories, file-sharing services (anonymfiles.com, file.io), and Microsoft Exchange Web Services (OilCheck, SampleCheck5000).
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1567 Exfiltration Over Web Service
- Canonical reference
- https://attack.mitre.org/techniques/T1567/
LogScale Detection Query
// T1567 - Exfiltration Over Web Service
// Branch 1: Known exfil/file-sharing domains contacted by suspicious processes
#event_simpleName = NetworkConnectIP4
| DestinationHostname = /(?i)(api\.telegram\.org|discord\.com|discordapp\.com|mega\.co\.nz|mega\.nz|file\.io|transfer\.sh|gofile\.io|anonymfiles\.com|anonfiles\.com|ufile\.io|pixeldrain\.com|paste\.ee|pastebin\.com|hastebin\.com|rentry\.co|ghostbin\.com|privatbin\.net|ngrok\.io|ngrok-free\.app|serveo\.net|content\.dropboxapi\.com|api\.dropboxapi\.com|www\.googleapis\.com|drive\.google\.com|graph\.microsoft\.com|onedrive\.live\.com|api\.github\.com|gitlab\.com|bitbucket\.org|s3\.amazonaws\.com|storage\.googleapis\.com)/
| ImageFileName = /(?i)(curl|wget|powershell|pwsh|python|node|wscript|cscript|certutil|bitsadmin)/
| ExfilCategory := case {
DestinationHostname = /telegram/, "Messaging API - Telegram" ;
DestinationHostname = /discord/, "Messaging API - Discord" ;
DestinationHostname = /(mega|file\.io|transfer\.sh|gofile|anonfiles|ufile|pixeldrain)/, "File Sharing Service" ;
DestinationHostname = /(pastebin|hastebin|rentry|paste\.ee|ghostbin|privatbin)/, "Paste/Text Storage" ;
DestinationHostname = /(ngrok|serveo)/, "Tunnel Service" ;
DestinationHostname = /dropbox/, "Cloud Storage - Dropbox" ;
DestinationHostname = /google/, "Cloud Storage - Google" ;
DestinationHostname = /(microsoft|onedrive)/, "Cloud Storage - Microsoft" ;
DestinationHostname = /(github|gitlab|bitbucket)/, "Code Repository" ;
DestinationHostname = /amazonaws/, "Cloud Storage - AWS" ;
* , "Other"
}
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, DestinationHostname, ExfilCategory], function=[count(as=ConnectionCount), min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen)])
| sort(ConnectionCount, order=desc)CrowdStrike LogScale (Falcon) detection for T1567 exfiltration over web services. Uses NetworkConnectIP4 events to identify scripting engines and transfer utilities (curl, wget, PowerShell, Python, certutil, etc.) making outbound connections to known file-sharing, messaging, paste, tunnel, and cloud storage platforms. Groups results by host, user, process, and destination to surface exfiltration patterns and repeated connections.
Data Sources
Required Tables
False Positives & Tuning
- DevOps engineers running local scripts using curl or Python to interact with GitHub APIs for repository management, release automation, or CI integration
- Security teams using PowerShell or Python tooling to upload threat intelligence reports or IOC feeds to external platforms like VirusTotal, MISP, or sharing portals
- Corporate-sanctioned backup software built on Python or Node.js that periodically syncs file system contents to cloud storage providers (Google Drive, OneDrive, S3)
Other platforms for T1567
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Exfiltrate file via Telegram Bot API (curl)
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'api.telegram.org' and 'sendDocument'. Sysmon Event ID 3: Network Connection to api.telegram.org:443 (resolves to Telegram's IP range). Sysmon Event ID 11: File Create for exfil-test.txt in %TEMP%.
- Test 2Upload staged archive to file-sharing service (file.io)
Expected signal: Sysmon for Linux (if deployed) Event ID 11: File Create for exfil-staging.tar.gz in /tmp. Sysmon Event ID 3: Network connection to file.io:443. Auditd syscall events for open/write (archive creation) and connect (curl network call). Process accounting records for tar and curl executions.
- Test 3Exfiltrate data via Discord webhook (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'discord.com/api/webhooks' and 'Invoke-RestMethod'. Sysmon Event ID 3: Network Connection to discord.com:443 from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full webhook POST script including the URL and payload body.
- Test 4Bulk data upload to cloud storage via Python requests (Google Drive simulation)
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'googleapis.com' and '/upload/drive/v3'. Sysmon Event ID 3: Network Connection to www.googleapis.com:443 from python.exe. BytesSent will reflect the ~51KB payload even on 401 response (data is transmitted before auth rejection). Security Event ID 4688 if command line auditing enabled.
References (10)
- https://attack.mitre.org/techniques/T1567/
- https://blog.google/threat-analysis-group/iran-based-threats/
- https://www.welivesecurity.com/en/eset-research/oilrig-campaigns-2022-2023/
- https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html
- https://www.bleepingcomputer.com/news/security/molerats-hackers-hide-new-espionage-attacks-behind-dropbox-and-facebook/
- https://symantec-enterprise-blogs.security.com/threat-intelligence/blackbyte-exbyte-ransomware
- https://www.microsoft.com/security/blog/2023/03/02/blackbyte-ransomware-group-reemerges-with-updated-tactics/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md
- https://www.malwarebytes.com/blog/news/2020/02/ngrok-abused-by-hackers-to-host-phishing-sites-and-for-data-exfiltration
Unlock Pro Content
Get the full detection package for T1567 including response playbook, investigation guide, and atomic red team tests.