Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-WebhookAbuse-Exfiltration.

Upgrade to Pro
THREAT-WebhookAbuse-Exfiltration Splunk · SPL

Detect Data Exfiltration via Abused Chat/Collaboration Webhooks in Splunk

Adversaries and commodity malware increasingly exfiltrate collected data by POSTing it directly to a webhook URL belonging to a legitimate chat/collaboration platform (Discord, Slack, Microsoft Teams, Telegram Bot API) rather than to attacker-registered infrastructure. Because the destination is a trusted, widely-used SaaS domain (discord.com, hooks.slack.com, api.telegram.org, webhook.office.com), traffic blends with normal business or personal use and is rarely blocked by domain-category web filtering. Commodity infostealers (RedLine, Raccoon, and numerous Discord-webhook-based stealer builders sold on criminal forums) hardcode a webhook URL and POST harvested browser credentials, cookies, and system information as a JSON body immediately after collection. This differs from the HTTP-header-smuggling pattern already in this corpus (which hides data in header fields to evade body inspection) and from the cloud-storage rclone/AzCopy pattern (which uses dedicated sync tooling) by keying on two distinct signals: (1) an outbound POST request to a known webhook endpoint pattern (discord.com/api/webhooks/, hooks.slack.com/services/, api.telegram.org/bot) originating from a process that is not the platform's own client application, and (2) a JSON request body of unusual size or containing high-entropy/Base64-encoded content, since legitimate webhook integrations (CI/CD notifications, monitoring alerts) post small, low-entropy structured payloads.

MITRE ATT&CK

Tactic
Exfiltration

SPL Detection Query

Splunk (SPL)
spl
index=proxy OR index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
(
  DestinationHostname="*discord.com*" OR DestinationHostname="*discordapp.com*"
  OR DestinationHostname="*hooks.slack.com*" OR DestinationHostname="*api.telegram.org*"
  OR DestinationHostname="*webhook.office.com*"
)
NOT Image IN ("*\\Teams.exe", "*\\Slack.exe", "*\\Discord.exe")
| eval ThreatType="Exfil_WebhookAbuse"
| join type=left host, User
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (CommandLine="*webhooks*" OR CommandLine="*hooks.slack*" OR CommandLine="*api.telegram.org*" OR CommandLine="*FromBase64String*")
    | rename CommandLine AS ScriptIndicatorCmd, _time AS ScriptTime
    | table host, User, ScriptIndicatorCmd, ScriptTime ]
| stats count AS PostCount, values(ScriptIndicatorCmd) AS ScriptIndicators, earliest(_time) AS FirstSeen, latest(_time) AS LastSeen
  BY host, User, DestinationHostname, Image
| eval RiskScore=if(PostCount > 5, 80, 60)
| sort - RiskScore, - PostCount
high severity medium confidence

SPL detection for webhook-based exfiltration. Monitors Sysmon network connection events (Event ID 3) for outbound traffic to known webhook domains that is not attributable to the platform's own client executable, then joins against process creation events (Event ID 1) referencing webhook URLs or Base64 encoding to corroborate script-driven exfiltration.

Data Sources

Sysmon via Windows Event LogWeb Proxy logs

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • CI/CD build agents posting status notifications to a Slack or Teams incoming webhook
  • Approved monitoring/alerting integrations posting to Discord or Slack webhooks
  • IT-sanctioned automation scripts relaying events to a team channel via webhook

Other platforms for THREAT-WebhookAbuse-Exfiltration


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Exfiltration of Collected Data via Webhook-Style POST

    Expected signal: Sysmon Event ID 1: powershell.exe with ConvertTo-Json/FromBase64String-style command line. Sysmon Event ID 3: powershell.exe connecting to 127.0.0.1:8080 with a URI path matching /api/webhooks/. Proxy/packet capture (if present) shows a JSON POST body.

  2. Test 2Linux curl Chunked Exfiltration via Simulated Slack Incoming Webhook

    Expected signal: auditd/Sysmon-for-Linux: execve records for curl and connect() calls to 127.0.0.1:8080 at ~1-second intervals, six POSTs with a URI path matching /services/.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-WebhookAbuse-Exfiltration — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detection Variants (1)

Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.