Which SIEM platforms have a T1567 detection rule?

df00tech provides T1567 (Exfiltration Over Web Service) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Exfiltration Over Web Service (T1567)?

Detecting Exfiltration Over Web Service requires the following data sources: Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Microsoft Defender for Endpoint.

What severity and confidence is the T1567 detection?

The T1567 detection is rated high severity with medium confidence.

What are common false positives for T1567?

Common false positives for T1567 include: Developers legitimately pushing code to GitHub, GitLab, or Bitbucket from workstations — especially large repositories or LFS objects; IT automation scripts (SCCM, Intune, Ansible) uploading diagnostics or configuration files to cloud storage like OneDrive or S3; Employees using Telegram, Discord, or Slack Desktop apps to share work files — the initiating process may be a browser or Electron app.

T1567 IBM QRadar · QRadar

Detect Exfiltration Over Web Service in IBM QRadar

Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. Popular web services acting as an exfiltration mechanism may give significant cover because hosts within a network are likely already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Observed real-world abuse includes exfiltration to Telegram (Magic Hound, Contagious Interview), cloud storage (APT28 to Google Drive, Exbyte/BlackByte to Mega.co.nz), code repositories, file-sharing services (anonymfiles.com, file.io), and Microsoft Exchange Web Services (OilCheck, SampleCheck5000).

MITRE ATT&CK

Tactic: Exfiltration
Technique: T1567 Exfiltration Over Web Service
Canonical reference: https://attack.mitre.org/techniques/T1567/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  CATEGORYNAME(category) AS EventCategory,
  "sourceprocessname" AS ProcessName,
  "CommandLine" AS CommandLine,
  destinationhostname AS DestinationHostname,
  destinationip AS DestinationIP,
  destinationport AS DestinationPort,
  LONG("BytesSent") AS BytesSent,
  CASE
    WHEN destinationhostname MATCHES '(api\.telegram\.org)' THEN 'Messaging API - Telegram'
    WHEN destinationhostname MATCHES '(discord\.com|discordapp\.com)' THEN 'Messaging API - Discord'
    WHEN destinationhostname MATCHES '(mega\.co\.nz|mega\.nz|file\.io|transfer\.sh|gofile\.io|anonymfiles\.com|anonfiles\.com|ufile\.io|pixeldrain\.com)' THEN 'File Sharing Service'
    WHEN destinationhostname MATCHES '(pastebin\.com|hastebin\.com|rentry\.co|paste\.ee|ghostbin\.com|privatbin\.net)' THEN 'Paste/Text Storage'
    WHEN destinationhostname MATCHES '(ngrok\.io|ngrok-free\.app|serveo\.net)' THEN 'Tunnel Service'
    WHEN destinationhostname MATCHES '(content\.dropboxapi\.com|api\.dropboxapi\.com)' THEN 'Cloud Storage - Dropbox'
    WHEN destinationhostname MATCHES '(www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com)' THEN 'Cloud Storage - Google'
    WHEN destinationhostname MATCHES '(graph\.microsoft\.com|onedrive\.live\.com)' THEN 'Cloud Storage - Microsoft'
    WHEN destinationhostname MATCHES '(api\.github\.com|gitlab\.com|bitbucket\.org)' THEN 'Code Repository'
    WHEN destinationhostname MATCHES '(s3\.amazonaws\.com)' THEN 'Cloud Storage - AWS S3'
    ELSE 'Unknown'
  END AS ExfilCategory
FROM events
WHERE
  starttime > NOW() - 86400 SECONDS
  AND (
    destinationhostname MATCHES '(api\.telegram\.org|discord\.com|discordapp\.com|mega\.co\.nz|mega\.nz|file\.io|transfer\.sh|gofile\.io|anonymfiles\.com|anonfiles\.com|ufile\.io|pixeldrain\.com|pastebin\.com|hastebin\.com|rentry\.co|paste\.ee|ghostbin\.com|privatbin\.net|ngrok\.io|ngrok-free\.app|serveo\.net|content\.dropboxapi\.com|api\.dropboxapi\.com|www\.googleapis\.com|drive\.google\.com|graph\.microsoft\.com|onedrive\.live\.com|api\.github\.com|gitlab\.com|bitbucket\.org|s3\.amazonaws\.com|storage\.googleapis\.com)'
    OR (
      "sourceprocessname" IMATCHES '(curl|wget|powershell|pwsh|python|node|wscript|cscript|certutil|bitsadmin)'
      AND LONG("BytesSent") > 1048576
    )
  )
ORDER BY starttime DESC

high severity medium confidence

QRadar AQL detection for T1567 exfiltration over web services. Queries network flow and endpoint events to identify connections from scripting/transfer utilities to known file-sharing, messaging, cloud storage, and tunnel services. Flags both domain-matched connections and high-volume (>1MB) transfers from LOLBin processes to any external destination.

Data Sources

QRadar Network Activity (flows)Sysmon via Windows Log SourceEndpoint event log sources

Required Tables

eventsflows

False Positives & Tuning

Authorized DevOps pipelines using curl or Python to push build artifacts to AWS S3 or Google Cloud Storage
Employees legitimately sharing large files via sanctioned OneDrive or Dropbox corporate accounts as part of normal business workflows
Security operations tooling (e.g., SOAR playbooks, threat intel scripts) that upload indicators or reports to external sharing platforms

Download portable Sigma rule (.yml)

Other platforms for T1567

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Exfiltrate file via Telegram Bot API (curl)
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'api.telegram.org' and 'sendDocument'. Sysmon Event ID 3: Network Connection to api.telegram.org:443 (resolves to Telegram's IP range). Sysmon Event ID 11: File Create for exfil-test.txt in %TEMP%.
Test 2Upload staged archive to file-sharing service (file.io)
Expected signal: Sysmon for Linux (if deployed) Event ID 11: File Create for exfil-staging.tar.gz in /tmp. Sysmon Event ID 3: Network connection to file.io:443. Auditd syscall events for open/write (archive creation) and connect (curl network call). Process accounting records for tar and curl executions.
Test 3Exfiltrate data via Discord webhook (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'discord.com/api/webhooks' and 'Invoke-RestMethod'. Sysmon Event ID 3: Network Connection to discord.com:443 from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full webhook POST script including the URL and payload body.
Test 4Bulk data upload to cloud storage via Python requests (Google Drive simulation)
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'googleapis.com' and '/upload/drive/v3'. Sysmon Event ID 3: Network Connection to www.googleapis.com:443 from python.exe. BytesSent will reflect the ~51KB payload even on 401 response (data is transmitted before auth rejection). Security Event ID 4688 if command line auditing enabled.

Last updated: 2026-04-21 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1567 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Sub-techniques (4)

Related Techniques

T1567.001Exfiltration to Code Repository T1567.002Exfiltration to Cloud Storage T1567.003Exfiltration to Text Storage Sites T1567.004Exfiltration Over Webhook T1020Automated Exfiltration T1074.001Local Data Staging T1560.001Archive via Utility T1005Data from Local System T1041Exfiltration Over C2 Channel T1071.001Web Protocols T1102Web Service

Detect Exfiltration Over Web Service in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1567

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (4)

Related Techniques

Same Tactic: Exfiltration

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1567

Testing Methodology

Unlock Pro Content

Related Detections

Sub-techniques (4)

Related Techniques

Same Tactic: Exfiltration

Popular Detections

Get new detections in your inbox