Detect Exfiltration Over Web Service in Microsoft Sentinel
Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. Popular web services acting as an exfiltration mechanism may give significant cover because hosts within a network are likely already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Observed real-world abuse includes exfiltration to Telegram (Magic Hound, Contagious Interview), cloud storage (APT28 to Google Drive, Exbyte/BlackByte to Mega.co.nz), code repositories, file-sharing services (anonymfiles.com, file.io), and Microsoft Exchange Web Services (OilCheck, SampleCheck5000).
MITRE ATT&CK
- Tactic: Exfiltration
- Technique: T1567 Exfiltration Over Web Service
- Canonical reference: https://attack.mitre.org/techniques/T1567/
KQL Detection Query
let KnownExfilDomains = dynamic([
"api.telegram.org",
"discord.com",
"discordapp.com",
"mega.co.nz",
"mega.nz",
"file.io",
"transfer.sh",
"gofile.io",
"anonymfiles.com",
"anonfiles.com",
"ufile.io",
"pixeldrain.com",
"paste.ee",
"pastebin.com",
"hastebin.com",
"rentry.co",
"ghostbin.com",
"privatbin.net",
"ngrok.io",
"ngrok-free.app",
"serveo.net"
]);
let CloudStorageDomains = dynamic([
"content.dropboxapi.com",
"api.dropboxapi.com",
"www.googleapis.com",
"drive.google.com",
"graph.microsoft.com",
"onedrive.live.com",
"api.github.com",
"gitlab.com",
"bitbucket.org",
"s3.amazonaws.com",
"storage.googleapis.com"
]);
let SuspiciousUploadProcesses = dynamic([
"curl.exe", "curl", "wget", "wget.exe",
"powershell.exe", "pwsh.exe",
"python.exe", "python3", "python3.exe",
"node.exe", "node",
"wscript.exe", "cscript.exe",
"certutil.exe", "bitsadmin.exe"
]);
// Branch 1: Direct connections to known file-sharing / messaging exfil services
let DirectExfilConnections = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteUrl has_any (KnownExfilDomains) // the public-IP clause was dead: this same filter already followed it
| extend ExfilCategory = case(
RemoteUrl has_any ("telegram"), "Messaging API",
RemoteUrl has_any ("discord"), "Messaging API",
RemoteUrl has_any ("mega", "file.io", "transfer.sh", "gofile", "anonymfiles", "anonfiles", "ufile", "pixeldrain"), "File Sharing",
RemoteUrl has_any ("pastebin", "hastebin", "rentry", "ghostbin", "paste.ee", "privatbin"), "Paste Site",
RemoteUrl has_any ("ngrok", "serveo"), "Tunnel Service",
"Other"
)
| project Timestamp, DeviceName, AccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName,
RemoteUrl, RemoteIP, RemotePort, BytesSent, BytesReceived,
ExfilCategory;
// Branch 2: High-volume uploads to cloud storage from unusual processes
let CloudStorageHighVolume = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteUrl has_any (CloudStorageDomains)
| where InitiatingProcessFileName in~ (SuspiciousUploadProcesses)
| where BytesSent > 1048576 // > 1MB upload
| extend ExfilCategory = "Cloud Storage Upload"
| project Timestamp, DeviceName, AccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName,
RemoteUrl, RemoteIP, RemotePort, BytesSent, BytesReceived,
ExfilCategory;
// Branch 3: Aggregate large data sent to any single public IP from scripting engines
let AggregatedExfilAttempts = DeviceNetworkEvents
| where Timestamp > ago(1h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where InitiatingProcessFileName in~ (SuspiciousUploadProcesses)
| summarize TotalBytesSent=sum(BytesSent), TotalBytesReceived=sum(BytesReceived),
ConnectionCount=count(), UniqueRemoteIPs=dcount(RemoteIP)
by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, bin(Timestamp, 1h)
| where TotalBytesSent > 10485760 // > 10MB total in 1 hour
| extend ExfilCategory = "Bulk Upload Detected"
| project Timestamp, DeviceName, AccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
TotalBytesSent, TotalBytesReceived, ConnectionCount, UniqueRemoteIPs,
ExfilCategory;
union DirectExfilConnections, CloudStorageHighVolume
| union (AggregatedExfilAttempts | extend RemoteUrl="", RemoteIP="", RemotePort=0, BytesSent=TotalBytesSent, BytesReceived=TotalBytesReceived)
| sort by Timestamp desc

Detects exfiltration over legitimate web services using Microsoft Defender for Endpoint DeviceNetworkEvents. Three-branch detection: (1) Direct connections from any process to known file-sharing, messaging API, paste site, or tunnel domains, including Telegram, Discord, Mega, file.io, transfer.sh, pastebin, and ngrok. (2) High-volume uploads (>1MB) to cloud storage services (Google Drive, OneDrive, Dropbox, GitHub) initiated by scripting engines or command-line tools. (3) Aggregate bulk data transfer (>10MB in 1 hour) to public IPs from scripting processes. Uses BytesSent for upload volume correlation.
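The three-branch logic of the query above, re-implemented in Python over constructed DeviceNetworkEvents-style rows so the thresholds and category labels can be checked offline. This is an added example, not the page's query or Microsoft code; the domain and process lists are abbreviated subsets of the ones in the query, KQL has_any is approximated by substring matching, and the 1-hour bin of Branch 3 is assumed to cover the whole sample.

```python
from collections import defaultdict

# Abbreviated subsets of the query's lists (enough for the sample; not exhaustive).
KNOWN_EXFIL = {"api.telegram.org", "discord.com", "mega.nz", "file.io",
               "transfer.sh", "pastebin.com", "ngrok.io"}
CLOUD_STORAGE = {"www.googleapis.com", "drive.google.com", "api.github.com",
                 "content.dropboxapi.com", "graph.microsoft.com"}
SCRIPT_PROCS = {"curl.exe", "curl", "powershell.exe", "pwsh.exe", "python.exe",
                "python3", "node.exe", "wscript.exe", "certutil.exe"}
# Ordered like the case() in Branch 1: the first matching needle wins.
CATEGORY = [("telegram", "Messaging API"), ("discord", "Messaging API"),
            ("mega", "File Sharing"), ("file.io", "File Sharing"),
            ("transfer.sh", "File Sharing"), ("pastebin", "Paste Site"),
            ("ngrok", "Tunnel Service")]
MB = 1_048_576

def categorize(url):
    """Label a RemoteUrl the way Branch 1's case() does ("Other" if no match)."""
    for needle, label in CATEGORY:
        if needle in url.lower():
            return label
    return "Other"

def detect(events):
    """events: (DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIPType, BytesSent)
    tuples. Returns (device, process, ExfilCategory) hits. KQL has_any is approximated
    by substring matching; Branch 3's 1h bin is assumed to cover the whole input."""
    hits, totals = [], defaultdict(int)
    for dev, proc, url, ip_type, sent in events:
        url, proc = url.lower(), proc.lower()
        # Branch 1: any process reaching a known file-sharing/messaging/tunnel host.
        if any(d in url for d in KNOWN_EXFIL):
            hits.append((dev, proc, categorize(url)))
        # Branch 2: more than 1 MB sent to cloud storage by a scripting or CLI tool.
        if any(d in url for d in CLOUD_STORAGE) and proc in SCRIPT_PROCS and sent > MB:
            hits.append((dev, proc, "Cloud Storage Upload"))
        # Branch 3: accumulate bytes to public IPs per device and scripting process.
        if ip_type == "Public" and proc in SCRIPT_PROCS:
            totals[(dev, proc)] += sent
    hits += [(dev, proc, "Bulk Upload Detected")
             for (dev, proc), total in totals.items() if total > 10 * MB]
    return hits

SAMPLE_EVENTS = [  # constructed sample rows, not real telemetry
    ("ws01", "curl.exe", "https://api.telegram.org/bot0/sendDocument", "Public", 4096),
    ("ws02", "python.exe", "https://www.googleapis.com/upload/drive/v3/files", "Public", 2 * MB),
    ("ws02", "chrome.exe", "https://drive.google.com/upload", "Public", 5 * MB),  # browser: no hit
    ("ws03", "powershell.exe", "", "Public", 6 * MB),
    ("ws03", "powershell.exe", "", "Public", 6 * MB),  # two posts, 12 MB total in the window
]
```

Running `detect(SAMPLE_EVENTS)` yields one hit per branch: the curl call to Telegram, the 2 MB python upload to Google Drive, and the 12 MB aggregate from powershell.exe; the browser upload is deliberately not flagged, matching the query's process filter.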
Data Sources
Required Tables
- DeviceNetworkEvents (Microsoft Defender for Endpoint)
False Positives & Tuning
- Developers legitimately pushing code to GitHub, GitLab, or Bitbucket from workstations — especially large repositories or LFS objects
- IT automation scripts (SCCM, Intune, Ansible) uploading diagnostics or configuration files to cloud storage like OneDrive or S3
- Employees using Telegram, Discord, or Slack Desktop apps to share work files — the initiating process may be a browser or Electron app
- Backup agents uploading to cloud storage providers (Dropbox, OneDrive, Google Drive sync clients) which generate continuous high-volume traffic
- Security tools or monitoring agents sending telemetry to SaaS platforms with large payloads
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Exfiltrate file via Telegram Bot API (curl)
  Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'api.telegram.org' and 'sendDocument'. Sysmon Event ID 3: Network Connection to api.telegram.org:443 (resolves to Telegram's IP range). Sysmon Event ID 11: File Create for exfil-test.txt in %TEMP%.
- Test 2: Upload staged archive to file-sharing service (file.io)
  Expected signal: Sysmon for Linux (if deployed) Event ID 11: File Create for exfil-staging.tar.gz in /tmp. Sysmon Event ID 3: Network connection to file.io:443. Auditd syscall events for open/write (archive creation) and connect (curl network call). Process accounting records for tar and curl executions.
- Test 3: Exfiltrate data via Discord webhook (PowerShell)
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'discord.com/api/webhooks' and 'Invoke-RestMethod'. Sysmon Event ID 3: Network Connection to discord.com:443 from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full webhook POST script including the URL and payload body.
- Test 4: Bulk data upload to cloud storage via Python requests (Google Drive simulation)
  Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'googleapis.com' and '/upload/drive/v3'. Sysmon Event ID 3: Network Connection to www.googleapis.com:443 from python.exe. BytesSent will reflect the ~51KB payload even on a 401 response (data is transmitted before auth rejection). Security Event ID 4688 if command line auditing is enabled.
References (10)
- https://attack.mitre.org/techniques/T1567/
- https://blog.google/threat-analysis-group/iran-based-threats/
- https://www.welivesecurity.com/en/eset-research/oilrig-campaigns-2022-2023/
- https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html
- https://www.bleepingcomputer.com/news/security/molerats-hackers-hide-new-espionage-attacks-behind-dropbox-and-facebook/
- https://symantec-enterprise-blogs.security.com/threat-intelligence/blackbyte-exbyte-ransomware
- https://www.microsoft.com/security/blog/2023/03/02/blackbyte-ransomware-group-reemerges-with-updated-tactics/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md
- https://www.malwarebytes.com/blog/news/2020/02/ngrok-abused-by-hackers-to-host-phishing-sites-and-for-data-exfiltration