Exfiltration Over Web Service T1567
Tactic: Exfiltration
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
Events covered
12 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 3 | Network connection |
| Sysmon | Event ID 11 | FileCreate |
| Sysmon | Event ID 22 | DNSEvent (DNS query) |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Security-Auditing | Event ID 5156 | The Windows Filtering Platform has permitted a connection. |
| ESF | exec | Process Execution (Notify) |
| DNS-Client | Event ID 3008 | DNS query is completed for the name QueryName, type QueryType, query options QueryOptions with status QueryStatus Results QueryResults. |
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
| Sysmon-for-Linux | Event ID 1 | Process Create |
| Sysmon-for-Linux | Event ID 3 | Network connection |
Authoring guide
Patterns shared across the 153 rules listed below: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (185 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (1362 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank value means the combination is specific to rules under this technique.
Exclusions (187 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule title links to its full predicates, exclusions, and indicators.
Sigma 29 rules
- APT40 Dropbox Tool User Agent
- Arbitrary File Download Via ConfigSecurityPolicy.EXE
- Communication To Ngrok Tunneling Service - Linux
- Communication To Ngrok Tunneling Service Initiated
- DNS Query for Anonfiles.com Domain - DNS Client
- DNS Query for Anonfiles.com Domain - Sysmon
- DNS Query To MEGA Hosting Website
- DNS Query To MEGA Hosting Website - DNS Client
- DNS Query To Ufile.io
- DNS Query To Ufile.io - DNS Client
- GitHub Repository Pages Site Changed to Public
- LOLBAS Data Exfiltration by DataSvcUtil.exe
- macOS Cloud Storage Access Tools
- macOS Network Upload Activity
- Monero Crypto Coin Mining Pool Lookup
- Network Connection Initiated To BTunnels Domains
- Network Connection Initiated To Cloudflared Tunnels Domains
- Network Connection Initiated To DevTunnels Domain
- Network Connection Initiated To Mega.nz
- Network Connection Initiated To Visual Studio Code Tunnels Domain
- Potential Data Exfiltration Via Curl.EXE
- Process Initiated Network Connection To Ngrok Domain
- PUA - Rclone Execution
- PUA - Restic Backup Tool Execution
- Rclone Activity via Proxy
- Rclone Config File Creation
- Suspicious Curl File Upload - Linux
- Suspicious Dropbox API Usage
- Suspicious Non-Browser Network Communication With Telegram API
Elastic 25 rules
- AWS API Activity from Uncommon S3 Client by Rare User
- AWS DynamoDB Scan by Unusual User
- AWS DynamoDB Table Exported to S3
- AWS EC2 Export Task
- AWS RDS Snapshot Export
- AWS S3 Bucket Replicated to Another Account
- AWS SNS Rare Protocol Subscription by User
- AWS SNS Topic Message Publish by Rare User
- Azure Storage Blob Retrieval via AzCopy
- Connection to Commonly Abused Web Services
- DNS to Commonly Abused Web Services
- GitHub Exfiltration via High Number of Repository Clones by User
- GitHub Private Repository Turned Public
- High Number of Closed Pull Requests by User
- High Number of Protected Branch Force Pushes by User
- M365 OneDrive/SharePoint Excessive File Downloads
- M365 Purview DLP Signal
- Network Connection to OAST Domain via Script Interpreter
- Potential Data Exfiltration via Rclone
- Potential File Transfer via Certreq
- Potential File Transfer via Curl for Windows
- Potential PowerShell HackTool Script by Function Names
- Several Failed Protected Branch Force Pushes by User
- Suspicious AWS S3 Connection via Script Interpreter
- Unusual Network Connection to Suspicious Web Service
Splunk 25 rules
- Cisco NVM - Rclone Execution With Network Activity
- Cisco Secure Firewall - Connection to File Sharing Domain
- Cisco Secure Firewall - Potential Data Exfiltration
- Cisco TFTP Server Configuration for Data Exfiltration
- Data Exfiltration via AWS CLI - Windows (Sysmon)
- Data Exfiltration via AWS CLI - Windows (Windows Event Log)
- Gsuite Drive Share In External Email
- High Volume of Bytes Out to Url
- Linux Gdrive Binary Activity
- LOLBAS With Network Traffic
- Mega Utility Execution - Windows (Sysmon)
- Mega Utility Execution - Windows (Windows Event Log)
- O365 DLP Rule Triggered
- O365 Email Access By Security Administrator
- O365 Exfiltration via File Access
- O365 Exfiltration via File Download
- O365 Exfiltration via File Sync Download
- Process Connection to Mega - Windows (Sysmon)
- Process Connection to Mega - Windows (Windows Event Log)
- Rclone Execution (PowerShell)
- Rclone Execution (Sysmon)
- Rclone Execution (Windows Event Log)
- Windows Azure Storage Utility Execution Via CLI
- Windows Gdrive Binary Activity
- Windows OneDrive Share Mounted via Net
Kusto 37 rules
- AWS Security Hub - Detect SQS Queue policy allowing public access
- Bitglass - Multiple files shared with external entity
- Bitglass - Suspicious file uploads
- Cisco Cloud Security - URI contains IP address
- Cisco WSA - Unexpected uploads
- Corelight - Multiple Compressed Files Transferred over HTTP
- CreepyDrive request URL sequence
- CreepyDrive URLs
- Dataverse - Export activity from terminated or notified employee
- Dataverse - Guest user exfiltration following Power Platform defense impairment
- Dataverse - Honeypot instance activity
- Dataverse - Mass download from SharePoint document management
- Dataverse - Mass export of records to Excel
- Dataverse - SharePoint document management site added or updated
- Dataverse - Suspicious use of Web API
- Dataverse - Terminated employee exfiltration over email
- GCP Audit Logs - Storage Bucket Made Public
- Google DNS - Possible data exfiltration
- Insider Risk_Sensitive Data Access Outside Organizational Geo-location
- Linked Malicious Storage Artifacts
- Netskope - Anomalous User Behavior (High Volume from Unmanaged Device)
- Netskope - Data Movement Tracking (Upload/Download Monitoring)
- Netskope - Heavy Personal Cloud Storage Usage (Shadow IT)
- Netskope - Large Outbound Data Transfer / Sensitive Upload (DLP)
- Netskope - Unsanctioned/Risky Cloud App Access (Shadow IT)
- Power Automate - Departing employee flow activity
- Power Platform - Connector added to a sensitive environment
- Powershell Empire Cmdlets Executed in Command Line
- ProofpointPOD - Email sender in TI list
- ProofpointPOD - Email sender IP in TI list
- ProofpointPOD - Multiple archived attachments to the same recipient
- ProofpointPOD - Multiple large emails to the same recipient
- ProofpointPOD - Multiple protected emails to unknown recipient
- SlackAudit - Multiple archived files uploaded in short period of time
- SlackAudit - Public link created for file which can contain sensitive information.
- SonicWall - Allowed SSH, Telnet, and RDP Connections
- Web sites blocked by Eset
YARA-L 7 rules
- GCP BigQuery Results Downloaded From Multiple Tables
- Google Workspace File Shared From Google Drive To Free Email Domain
- Google Workspace Multiple Files Copied From Google Drive
- Google Workspace Multiple Files Downloaded From Google Drive
- Google Workspace Multiple Files Sent As Email Attachments From Google Drive
- Google Workspace Suspicious Login and Google Drive File Download
- Google Workspace Suspicious Login and Google Drive File Share
Panther 30 rules
- Anthropic Artifact Shared Publicly
- Anthropic MCP Server Created
- AppOmni Alert Passthrough
- AWS Network ACL Restricts Outbound Traffic
- AWS RDS Instance Public Access
- AWS RDS Instance Snapshot Public Access
- AWS S3 Bucket Policy Modified
- AWS Security Group Restricts Outbound Traffic
- AWS Security Group Restricts Traffic Leaving CDE
- AWS Security Group Tightly Restricts Outbound Traffic
- Azure Storage Account Public Network Access Enabled
- Azure Storage Blob Bulk Extraction
- Azure Storage Blob Container Permissions Modified
- Azure Storage SAS Token Access from External IP
- Azure VM Disk SAS URI Generated
- Box event triggered by unknown or external user
- Box Large Number of Downloads
- Box Shield Detected Anomalous Download Activity
- CodeBuild Project made Public
- Databricks Data Downloads From Control Plane
- DNS request to denylisted domain
- Dropbox Many Downloads
- GitHub Repository Visibility Change
- Google Workspace Many Docs Downloaded
- Salesforce API Anomaly Detection (RET Passthrough)
- Salesforce Bulk API Data Exfiltration
- Slack Enterprise Key Management Unenrolled
- Slack Microsoft Intune Mobile Device Management Disabled
- Slack Private Channel Made Public
- Snowflake User Daily Query Volume Spike