
Detect Exfiltration Over Web Service in Sumo Logic CSE

Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. Popular web services acting as an exfiltration mechanism may give significant cover because hosts within a network are likely already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Observed real-world abuse includes exfiltration to Telegram (Magic Hound, Contagious Interview), cloud storage (APT28 to Google Drive, Exbyte/BlackByte to Mega.co.nz), code repositories, file-sharing services (anonymfiles.com, file.io), and Microsoft Exchange Web Services (OilCheck, SampleCheck5000).

MITRE ATT&CK

Tactic: Exfiltration
Technique: T1567 Exfiltration Over Web Service
Canonical reference: https://attack.mitre.org/techniques/T1567/

Sumo Detection Query

Sumo Logic CSE (Sumo)

_sourceCategory=*sysmon* OR _sourceCategory=*windows* OR _sourceCategory=*endpoint*
| where EventCode = 3
// Process basename: the text after the last backslash in Image (nodrop keeps events with no Image)
| parse regex field=Image "(?<ProcessName>[^\\\\]+)$" nodrop
| toLowerCase(ProcessName) as ProcessName
| toLowerCase(DestinationHostname) as DestinationHostname
| where DestinationHostname matches "*api.telegram.org*"
  OR DestinationHostname matches "*discord.com*"
  OR DestinationHostname matches "*discordapp.com*"
  OR DestinationHostname matches "*mega.co.nz*"
  OR DestinationHostname matches "*mega.nz*"
  OR DestinationHostname matches "*file.io*"
  OR DestinationHostname matches "*transfer.sh*"
  OR DestinationHostname matches "*gofile.io*"
  OR DestinationHostname matches "*anonymfiles.com*"
  OR DestinationHostname matches "*anonfiles.com*"
  OR DestinationHostname matches "*ufile.io*"
  OR DestinationHostname matches "*pixeldrain.com*"
  OR DestinationHostname matches "*pastebin.com*"
  OR DestinationHostname matches "*hastebin.com*"
  OR DestinationHostname matches "*rentry.co*"
  OR DestinationHostname matches "*paste.ee*"
  OR DestinationHostname matches "*ghostbin.com*"
  OR DestinationHostname matches "*privatbin.net*"
  OR DestinationHostname matches "*ngrok.io*"
  OR DestinationHostname matches "*ngrok-free.app*"
  OR DestinationHostname matches "*serveo.net*"
  OR DestinationHostname matches "*dropboxapi.com*"
  OR DestinationHostname matches "*googleapis.com*"
  OR DestinationHostname matches "*drive.google.com*"
  OR DestinationHostname matches "*graph.microsoft.com*"
  OR DestinationHostname matches "*onedrive.live.com*"
  OR DestinationHostname matches "*api.github.com*"
  OR DestinationHostname matches "*gitlab.com*"
  OR DestinationHostname matches "*bitbucket.org*"
  OR DestinationHostname matches "*s3.amazonaws.com*"
// Classify the destination service; the first matching branch wins
| if(DestinationHostname matches "*telegram*", "Messaging API - Telegram",
    if(DestinationHostname matches "*discord*", "Messaging API - Discord",
    if(DestinationHostname matches "*mega*" OR DestinationHostname matches "*file.io*" OR DestinationHostname matches "*transfer.sh*" OR DestinationHostname matches "*gofile*" OR DestinationHostname matches "*anonfiles*" OR DestinationHostname matches "*anonymfiles*" OR DestinationHostname matches "*ufile*" OR DestinationHostname matches "*pixeldrain*", "File Sharing Service",
    if(DestinationHostname matches "*pastebin*" OR DestinationHostname matches "*hastebin*" OR DestinationHostname matches "*rentry*" OR DestinationHostname matches "*paste.ee*" OR DestinationHostname matches "*ghostbin*" OR DestinationHostname matches "*privatbin*", "Paste/Text Storage",
    if(DestinationHostname matches "*ngrok*" OR DestinationHostname matches "*serveo*", "Tunnel Service",
    if(DestinationHostname matches "*dropbox*", "Cloud Storage - Dropbox",
    if(DestinationHostname matches "*google*", "Cloud Storage - Google",
    if(DestinationHostname matches "*microsoft*" OR DestinationHostname matches "*onedrive*", "Cloud Storage - Microsoft",
    if(DestinationHostname matches "*github*" OR DestinationHostname matches "*gitlab*" OR DestinationHostname matches "*bitbucket*", "Code Repository",
    if(DestinationHostname matches "*amazonaws*", "Cloud Storage - AWS", "Other")))))))))) as ExfilCategory
// Download utilities and script hosts that rarely reach these services during normal interactive use
| if(ProcessName matches "*curl*" OR ProcessName matches "*wget*" OR ProcessName matches "*powershell*" OR ProcessName matches "*pwsh*" OR ProcessName matches "*python*" OR ProcessName matches "*node*" OR ProcessName matches "*wscript*" OR ProcessName matches "*cscript*" OR ProcessName matches "*certutil*" OR ProcessName matches "*bitsadmin*", 1, 0) as SuspiciousProcess
| if(SuspiciousProcess = 1 AND (ExfilCategory matches "*File Sharing*" OR ExfilCategory matches "*Paste*" OR ExfilCategory matches "*Tunnel*" OR ExfilCategory matches "*Messaging*"), "HIGH",
    if(SuspiciousProcess = 0 AND (ExfilCategory matches "*File Sharing*" OR ExfilCategory matches "*Paste*" OR ExfilCategory matches "*Tunnel*"), "MEDIUM", "LOW")) as RiskLevel
| count as ConnectionCount, values(DestinationHostname) as DestHostnames, min(_messageTime) as FirstSeen, max(_messageTime) as LastSeen by _sourceHost, User, ProcessName, CommandLine, ExfilCategory, RiskLevel
// Numeric rank so HIGH sorts before MEDIUM before LOW (sorting the label alphabetically puts LOW before MEDIUM)
| if(RiskLevel = "HIGH", 3, if(RiskLevel = "MEDIUM", 2, 1)) as RiskRank
| sort by RiskRank desc, ConnectionCount desc

Severity: high. Confidence: medium.

Sumo Logic detection for T1567 exfiltration over web services using Sysmon Event ID 3 (network connections). Identifies outbound connections from endpoint processes to known file-sharing, messaging, paste, tunnel, and cloud storage services. Classifies risk based on whether a suspicious LOLBin process initiated the connection and the category of destination service.

Data Sources

  • Sysmon (Event ID 3 - Network Connection)
  • Windows Event Logs

Required Tables

Sysmon Network Events (_sourceCategory=*sysmon*)

False Positives & Tuning

  • Software update mechanisms or package managers (npm, pip, composer) that legitimately fetch packages from GitHub, GitLab, or googleapis.com during build or install steps
  • Collaboration tools running as background services that use Discord, Telegram bots, or webhook integrations for legitimate ChatOps or alerting purposes
  • Backup or sync agents installed by IT (e.g., OneDrive client, Google Drive Sync) that generate high-frequency connections and large transfers to cloud storage APIs

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Exfiltrate file via Telegram Bot API (curl)

    Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'api.telegram.org' and 'sendDocument'. Sysmon Event ID 3: Network Connection to api.telegram.org:443 (resolves to Telegram's IP range). Sysmon Event ID 11: File Create for exfil-test.txt in %TEMP%.

  2. Test 2: Upload staged archive to file-sharing service (file.io)

    Expected signal: Sysmon for Linux (if deployed) Event ID 11: File Create for exfil-staging.tar.gz in /tmp. Sysmon Event ID 3: Network connection to file.io:443. Auditd syscall events for open/write (archive creation) and connect (curl network call). Process accounting records for tar and curl executions.

  3. Test 3: Exfiltrate data via Discord webhook (PowerShell)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'discord.com/api/webhooks' and 'Invoke-RestMethod'. Sysmon Event ID 3: Network Connection to discord.com:443 from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full webhook POST script including the URL and payload body.

  4. Test 4: Bulk data upload to cloud storage via Python requests (Google Drive simulation)

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'googleapis.com' and '/upload/drive/v3'. Sysmon Event ID 3: Network Connection to www.googleapis.com:443 from python.exe. BytesSent will reflect the ~51KB payload even on a 401 response (the data is transmitted before the auth rejection). Security Event ID 4688 if command-line auditing is enabled.
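To check the query's classification and scoring without a Sumo tenant, here is an added Python model of it; this is not code from the page or from Sumo Logic. It replays the where clause, the nested if() branches, the grouping and the sort over constructed Sysmon Event ID 3 records shaped like the four tests above plus the benign senders named under False Positives & Tuning. Host names, user names, image paths, command lines and timestamps in SAMPLE_EVENTS are constructed, and the helper and constant names are the example's own. Two things it makes visible: the classification glob `*anonfiles*` does not match anonymfiles.com, so the model adds `*anonymfiles*` to the file-sharing branch; and a LOLBin reaching cloud storage or a code repository scores LOW under the query's rules, so Test 4 lands at the bottom of the results, which is the first place local tuning should look.

```python
# Added example (not the page's or Sumo Logic's code): offline model of the T1567 query's
# where clause, nested if() branches, grouping and sort over constructed Sysmon EID 3 records.
from fnmatch import fnmatchcase

# Destination globs from the query's where clause; hostnames are lowercased before matching.
WATCHLIST = [
    "*api.telegram.org*", "*discord.com*", "*discordapp.com*", "*mega.co.nz*", "*mega.nz*",
    "*file.io*", "*transfer.sh*", "*gofile.io*", "*anonymfiles.com*", "*anonfiles.com*",
    "*ufile.io*", "*pixeldrain.com*", "*pastebin.com*", "*hastebin.com*", "*rentry.co*",
    "*paste.ee*", "*ghostbin.com*", "*privatbin.net*", "*ngrok.io*", "*ngrok-free.app*",
    "*serveo.net*", "*dropboxapi.com*", "*googleapis.com*", "*drive.google.com*",
    "*graph.microsoft.com*", "*onedrive.live.com*", "*api.github.com*", "*gitlab.com*",
    "*bitbucket.org*", "*s3.amazonaws.com*",
]

# Category branches in the order the query's nested if() tests them; the first match wins.
# "*anonymfiles*" is added here: the query's "*anonfiles*" glob does not match anonymfiles.com.
CATEGORY_RULES = [
    (("*telegram*",), "Messaging API - Telegram"),
    (("*discord*",), "Messaging API - Discord"),
    (("*mega*", "*file.io*", "*transfer.sh*", "*gofile*", "*anonfiles*", "*anonymfiles*",
      "*ufile*", "*pixeldrain*"), "File Sharing Service"),
    (("*pastebin*", "*hastebin*", "*rentry*", "*paste.ee*", "*ghostbin*", "*privatbin*"),
     "Paste/Text Storage"),
    (("*ngrok*", "*serveo*"), "Tunnel Service"),
    (("*dropbox*",), "Cloud Storage - Dropbox"),
    (("*google*",), "Cloud Storage - Google"),
    (("*microsoft*", "*onedrive*"), "Cloud Storage - Microsoft"),
    (("*github*", "*gitlab*", "*bitbucket*"), "Code Repository"),
    (("*amazonaws*",), "Cloud Storage - AWS"),
]
LOLBINS = ("curl", "wget", "powershell", "pwsh", "python", "node",
           "wscript", "cscript", "certutil", "bitsadmin")
HIGH_CATEGORIES = ("File Sharing", "Paste", "Tunnel", "Messaging")
MEDIUM_CATEGORIES = ("File Sharing", "Paste", "Tunnel")
RISK_RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
KEY_FIELDS = ("_sourceHost", "User", "ProcessName", "CommandLine", "ExfilCategory", "RiskLevel")


def process_name(image):
    """Basename of Image, lowercased (the query's parse regex plus toLowerCase)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def exfil_category(host):
    for globs, category in CATEGORY_RULES:
        if any(fnmatchcase(host, g) for g in globs):
            return category
    return "Other"


def risk_level(proc, category):
    suspicious = any(tok in proc for tok in LOLBINS)  # ProcessName matches "*curl*" OR ...
    if suspicious and any(c in category for c in HIGH_CATEGORIES):
        return "HIGH"
    if not suspicious and any(c in category for c in MEDIUM_CATEGORIES):
        return "MEDIUM"
    return "LOW"  # includes a LOLBin talking to cloud storage or a code repository


def score_event(event):
    """Enriched copy of the event, or None where the query's where clauses would drop it."""
    host = event.get("DestinationHostname", "").lower()
    if event.get("EventCode") != 3 or not any(fnmatchcase(host, g) for g in WATCHLIST):
        return None
    proc = process_name(event.get("Image", ""))
    category = exfil_category(host)
    return {**event, "DestinationHostname": host, "ProcessName": proc,
            "ExfilCategory": category, "RiskLevel": risk_level(proc, category)}


def aggregate(events):
    """The query's count / values / min / max grouping, highest risk and count first."""
    groups = {}
    for ev in filter(None, map(score_event, events)):
        g = groups.setdefault(tuple(ev[f] for f in KEY_FIELDS), {
            "ConnectionCount": 0, "DestHostnames": set(),
            "FirstSeen": ev["_messageTime"], "LastSeen": ev["_messageTime"]})
        g["ConnectionCount"] += 1
        g["DestHostnames"].add(ev["DestinationHostname"])
        g["FirstSeen"] = min(g["FirstSeen"], ev["_messageTime"])
        g["LastSeen"] = max(g["LastSeen"], ev["_messageTime"])
    rows = [dict(zip(KEY_FIELDS, key), **vals) for key, vals in groups.items()]
    # Sort on a numeric rank: ordering the RiskLevel string alphabetically puts LOW before MEDIUM.
    return sorted(rows, key=lambda r: (-RISK_RANK[r["RiskLevel"]], -r["ConnectionCount"]))


def event(src, user, image, cmd, dest, t, code=3):
    """Constructed Sysmon record carrying only the fields the query reads."""
    return {"EventCode": code, "_sourceHost": src, "User": user, "Image": image,
            "CommandLine": cmd, "DestinationHostname": dest, "_messageTime": t}


# Constructed records: the four tests, benign senders from the tuning list, one host that is
# not on the watchlist, and one Event ID 1 record that the EventCode filter must drop.
SAMPLE_EVENTS = [
    event("WS01", "CORP\\alice", "C:\\Windows\\System32\\curl.exe", "curl ... sendDocument", "api.telegram.org", 1000),
    event("WS01", "CORP\\alice", "C:\\Windows\\System32\\curl.exe", "curl ... sendDocument", "api.telegram.org", 1060),
    event("LNX01", "bob", "/usr/bin/curl", "curl ... file.io", "file.io", 1100),
    event("WS02", "CORP\\carol", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "powershell ... Invoke-RestMethod", "discord.com", 1200),
    event("WS03", "CORP\\dave", "C:\\Python311\\python.exe", "python upload.py", "www.googleapis.com", 1300),
    event("WS04", "CORP\\erin", "C:\\Program Files\\nodejs\\node.exe", "npm install", "api.github.com", 1350),
    event("WS01", "CORP\\alice", "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "OneDrive.exe /background", "onedrive.live.com", 1400),
    event("WS05", "CORP\\frank", "C:\\Windows\\explorer.exe", "explorer.exe", "pixeldrain.com", 1500),
    event("WS06", "CORP\\grace", "C:\\Windows\\System32\\curl.exe", "curl ... anonymfiles.com", "anonymfiles.com", 1600),
    event("WS07", "CORP\\heidi", "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "firefox.exe", "intranet.corp.example", 1700),
    event("WS01", "CORP\\alice", "C:\\Windows\\System32\\curl.exe", "curl ... sendDocument", "api.telegram.org", 1000, code=1),
]

if __name__ == "__main__":
    for row in aggregate(SAMPLE_EVENTS):
        print(row["RiskLevel"], row["ConnectionCount"], row["_sourceHost"], row["ProcessName"], row["ExfilCategory"])
```

Running it lists four HIGH rows (the Telegram, file.io, Discord and anonymfiles.com senders, the Telegram row first with two connections), the explorer.exe upload to pixeldrain.com as MEDIUM, and the Python, node and OneDrive rows as LOW; the intranet host and the Event ID 1 record never reach the aggregation. The category glob list is broad on purpose (`*google*`, `*file.io*` also covers gofile.io and ufile.io), so the watchlist in the where clause, not the classification, is what bounds the false-positive surface.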
