Exfiltration Over Web Service T1567
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
Events covered
9 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 3 | Network connection |
| Sysmon | Event ID 11 | FileCreate |
| Sysmon | Event ID 22 | DNSEvent (DNS query) |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Security-Auditing | Event ID 5156 | The Windows Filtering Platform has permitted a connection. |
| DNS-Client | Event ID 3008 | DNS query is completed for the name QueryName, type QueryType, query options QueryOptions with status QueryStatus Results QueryResults. |
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Authoring guide
Patterns shared across the 39 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (22 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (313 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (128 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor.
Sigma (21 rules)
- Arbitrary File Download Via ConfigSecurityPolicy.EXE
- Communication To Ngrok Tunneling Service Initiated
- DNS Query for Anonfiles.com Domain - DNS Client
- DNS Query for Anonfiles.com Domain - Sysmon
- DNS Query To MEGA Hosting Website
- DNS Query To MEGA Hosting Website - DNS Client
- DNS Query To Ufile.io
- DNS Query To Ufile.io - DNS Client
- LOLBAS Data Exfiltration by DataSvcUtil.exe
- Network Connection Initiated To BTunnels Domains
- Network Connection Initiated To Cloudflared Tunnels Domains
- Network Connection Initiated To DevTunnels Domain
- Network Connection Initiated To Mega.nz
- Network Connection Initiated To Visual Studio Code Tunnels Domain
- Potential Data Exfiltration Via Curl.EXE
- Process Initiated Network Connection To Ngrok Domain
- PUA - Rclone Execution
- PUA - Restic Backup Tool Execution
- Rclone Config File Creation
- Suspicious Dropbox API Usage
- Suspicious Non-Browser Network Communication With Telegram API
Elastic (4 rules)
- Connection to Commonly Abused Web Services
- Potential Data Exfiltration via Rclone
- Potential File Transfer via Certreq
- Potential File Transfer via Curl for Windows
Splunk (13 rules)
- Data Exfiltration via AWS CLI - Windows (Sysmon)
- Data Exfiltration via AWS CLI - Windows (Windows Event Log)
- LOLBAS With Network Traffic
- Mega Utility Execution - Windows (Sysmon)
- Mega Utility Execution - Windows (Windows Event Log)
- Process Connection to Mega - Windows (Sysmon)
- Process Connection to Mega - Windows (Windows Event Log)
- Rclone Execution (PowerShell)
- Rclone Execution (Sysmon)
- Rclone Execution (Windows Event Log)
- Windows Azure Storage Utility Execution Via CLI
- Windows Gdrive Binary Activity
- Windows OneDrive Share Mounted via Net