T1567 Splunk · SPL

Detect Exfiltration Over Web Service in Splunk

Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. Popular web services acting as an exfiltration mechanism may give significant cover because hosts within a network are likely already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Observed real-world abuse includes exfiltration to Telegram (Magic Hound, Contagious Interview), cloud storage (APT28 to Google Drive, Exbyte/BlackByte to Mega.co.nz), code repositories, file-sharing services (anonymfiles.com, file.io), and Microsoft Exchange Web Services (OilCheck, SampleCheck5000).

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1567 Exfiltration Over Web Service
Canonical reference
https://attack.mitre.org/techniques/T1567/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| eval DestinationHostname=lower(DestinationHostname)
| eval Image=lower(Image)
| eval ExfilCategory=case(
    match(DestinationHostname, "api\.telegram\.org"), "Messaging API - Telegram",
    match(DestinationHostname, "(discord\.com|discordapp\.com)"), "Messaging API - Discord",
    match(DestinationHostname, "(mega\.co\.nz|mega\.nz)"), "File Sharing - Mega",
    match(DestinationHostname, "(file\.io|transfer\.sh|gofile\.io|anonymfiles\.com|anonfiles\.com|ufile\.io|pixeldrain\.com)"), "File Sharing Service",
    match(DestinationHostname, "(pastebin\.com|hastebin\.com|rentry\.co|paste\.ee|ghostbin\.com|privatbin\.net)"), "Paste/Text Storage Site",
    match(DestinationHostname, "(ngrok\.io|ngrok-free\.app|serveo\.net)"), "Tunnel Service",
    match(DestinationHostname, "(content\.dropboxapi\.com|api\.dropboxapi\.com)"), "Cloud Storage - Dropbox",
    match(DestinationHostname, "(www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com)"), "Cloud Storage - Google",
    match(DestinationHostname, "(graph\.microsoft\.com|onedrive\.live\.com)"), "Cloud Storage - Microsoft",
    match(DestinationHostname, "(api\.github\.com|gitlab\.com|bitbucket\.org)"), "Code Repository",
    1=1, null()
  )
| where isnotnull(ExfilCategory)
| eval SuspiciousProcess=if(
    match(Image, "(curl|wget|powershell|pwsh|python|node|wscript|cscript|certutil|bitsadmin)"),
    1, 0
  )
| eval HighRisk=if(SuspiciousProcess=1 AND match(ExfilCategory, "(File Sharing|Paste|Tunnel|Messaging)"), 1, 0)
| eval MediumRisk=if(SuspiciousProcess=0 AND match(ExfilCategory, "(File Sharing|Paste|Tunnel)"), 1, 0)
| eval RiskLevel=case(HighRisk=1, "HIGH", MediumRisk=1, "MEDIUM", 1=1, "LOW")
| stats count as ConnectionCount,
        values(DestinationHostname) as DestHostnames,
        values(DestinationPort) as DestPorts,
        earliest(_time) as FirstSeen,
        latest(_time) as LastSeen
        by host, User, Image, CommandLine, ExfilCategory, RiskLevel
| sort - RiskLevel, - ConnectionCount
| table _time, host, User, Image, CommandLine, ExfilCategory, RiskLevel, ConnectionCount, DestHostnames, DestPorts, FirstSeen, LastSeen
high severity medium confidence

Detects exfiltration over web services using Sysmon Event ID 3 (Network Connection) logs. Identifies outbound connections from any process to known file-sharing, cloud storage, messaging API, paste site, code repository, and tunnel service domains. Classifies each connection by exfiltration category (Messaging API, File Sharing, Paste Site, Cloud Storage, Tunnel Service, Code Repository) and assigns a risk level: HIGH for scripting engines/CLI tools connecting to high-risk categories (file sharing, paste sites, tunnels), MEDIUM for browser/unknown processes connecting to high-risk categories. Aggregates connection counts to identify sustained or bulk upload patterns.

Data Sources

Network Traffic: Network Connection CreationSysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Developers legitimately committing large files to GitHub or GitLab repositories from command line git clients
  • Employees using messaging apps (Discord, Telegram Desktop) to share work files — initiating process will be the application binary
  • IT staff using curl or wget to upload diagnostic bundles to cloud storage for vendor support cases
  • Cloud sync agents (Dropbox, OneDrive client) generating continuous high-volume connections to cloud storage APIs
  • Security researchers or pentesters legitimately testing connectivity to public file-sharing sites from test systems
Download portable Sigma rule (.yml)

Other platforms for T1567

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Exfiltrate file via Telegram Bot API (curl)

    Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'api.telegram.org' and 'sendDocument'. Sysmon Event ID 3: Network Connection to api.telegram.org:443 (resolves to Telegram's IP range). Sysmon Event ID 11: File Create for exfil-test.txt in %TEMP%.

  2. Test 2Upload staged archive to file-sharing service (file.io)

    Expected signal: Sysmon for Linux (if deployed) Event ID 11: File Create for exfil-staging.tar.gz in /tmp. Sysmon Event ID 3: Network connection to file.io:443. Auditd syscall events for open/write (archive creation) and connect (curl network call). Process accounting records for tar and curl executions.

  3. Test 3Exfiltrate data via Discord webhook (PowerShell)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'discord.com/api/webhooks' and 'Invoke-RestMethod'. Sysmon Event ID 3: Network Connection to discord.com:443 from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full webhook POST script including the URL and payload body.

  4. Test 4Bulk data upload to cloud storage via Python requests (Google Drive simulation)

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'googleapis.com' and '/upload/drive/v3'. Sysmon Event ID 3: Network Connection to www.googleapis.com:443 from python.exe. BytesSent will reflect the ~51KB payload even on 401 response (data is transmitted before auth rejection). Security Event ID 4688 if command line auditing enabled.

Last updated: 2026-04-21 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1567 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (4)

Related Techniques

T1567.001Exfiltration to Code RepositoryT1567.002Exfiltration to Cloud StorageT1567.003Exfiltration to Text Storage SitesT1567.004Exfiltration Over WebhookT1020Automated ExfiltrationT1074.001Local Data StagingT1560.001Archive via UtilityT1005Data from Local SystemT1041Exfiltration Over C2 ChannelT1071.001Web ProtocolsT1102Web Service

Same Tactic: Exfiltration

Popular Detections