# T1567 Exfiltration Over Web Service

-----------------------------------------------------------------------

## Technique Description

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

## Technique Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.

-----------------------------------------------------------------------

### Tactics:

  *   Exfiltration

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Command:** Command Execution

  * **Network Traffic:** Network Traffic Flow

  * **Network Traffic:** Network Traffic Content

  * **File:** File Access

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) can exfiltrate data over Google Drive.(Citation: TrendMicro Pawn Storm Dec 2020) |

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1567)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 21 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, Zachary Burke 

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Turla | 1 |  |

## Detection Blindspots

- This is primarily a network technique and operators should understand that detection will most likely come from a network analyst.

## Analytical References

- https://github.com/EmpireProject/Empire
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/waterbug-espionage-governments
- https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
- https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf

-----------------------------------------------------------------------

## Host Analytics

### Hunter Notes

- Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
- User behavior monitoring may help to detect abnormal patterns of activity.

#### Analytic 1

  * **Information:** Network connections to popular online file shares.

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** Event code 3 = network connection

  * **Query:** ```event.code : 3 AND DestinationHostname : (*github* OR *dropbox* OR *onedrive* OR *4shared*)```
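Host Analytic 1 expressed as a script, added here as an example and not part of the playbook or its tooling. It reads constructed Sysmon Event ID 3 (network connection) records in JSON-lines form, applies the same hostname watch-list as the Kibana query, and also applies the hunter note about processes with no prior network history by comparing each image path against an assumed baseline set. The JSON field names (`event_code`, `image`, `destination_hostname`, `destination_ip`, `user`), the sample records and the baseline are all assumptions.

```python
"""Host analytic 1 as a script: Sysmon Event ID 3 connections to popular file shares.

Added example, not part of the playbook. SAMPLE_EVENTS is constructed to resemble
Sysmon network-connection events exported as JSON lines; the field names
(event_code, image, destination_hostname, destination_ip, user) are assumptions.
"""
import json

# Hostname substrings from the playbook's Kibana query
FILE_SHARE_PATTERNS = ("github", "dropbox", "onedrive", "4shared")

# Assumed baseline of processes that are expected to make network connections.
# The hunter note says a process with no history of network activity is suspicious,
# so anything outside this set is flagged. Paths are stored lower-cased.
KNOWN_NETWORK_PROCESSES = {
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample events, one JSON document per line (raw string so the
# doubled backslashes reach json.loads unchanged). Event code 1 is included
# to show that non-connection events are ignored.
SAMPLE_EVENTS = r"""
{"event_code": 3, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "destination_hostname": "api.github.com", "destination_ip": "140.82.112.5", "user": "CORP\\alice"}
{"event_code": 3, "image": "C:\\Windows\\System32\\svchost.exe", "destination_hostname": "update.microsoft.com", "destination_ip": "13.107.4.50", "user": "NT AUTHORITY\\SYSTEM"}
{"event_code": 3, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\sync.exe", "destination_hostname": "content.dropboxapi.com", "destination_ip": "162.125.64.4", "user": "CORP\\alice"}
{"event_code": 1, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\sync.exe", "destination_hostname": "", "destination_ip": "", "user": "CORP\\alice"}
{"event_code": 3, "image": "C:\\Windows\\System32\\calc.exe", "destination_hostname": "onedrive.live.com", "destination_ip": "13.107.42.12", "user": "CORP\\bob"}
"""


def parse_events(raw: str) -> list:
    """Parse JSON-lines input, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def matches_file_share(hostname: str) -> bool:
    """True when the destination hostname contains one of the watched substrings."""
    host = hostname.lower()
    return any(pattern in host for pattern in FILE_SHARE_PATTERNS)


def hunt(events: list, known_processes=KNOWN_NETWORK_PROCESSES) -> list:
    """Return one finding per Event ID 3 record that matches either hunter criterion."""
    findings = []
    for event in events:
        if event.get("event_code") != 3:
            continue  # event code 3 = network connection; ignore everything else
        reasons = []
        host = event.get("destination_hostname", "")
        if matches_file_share(host):
            reasons.append("file-share destination")
        if event.get("image", "").lower() not in known_processes:
            reasons.append("process not in network baseline")
        if reasons:
            findings.append({
                "image": event["image"],
                "destination": host,
                "user": event["user"],
                # Both criteria together warrant the earliest look
                "priority": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"[{finding['priority']}] {finding['user']} {finding['image']} -> "
              f"{finding['destination']} ({', '.join(finding['reasons'])})")
```

Run against the sample, the browser reaching GitHub is reported at medium priority (a watched destination from an expected process), while the temp-directory binary reaching Dropbox and `calc.exe` reaching OneDrive are high priority because they match both the watch-list and the "never seen on the network" criterion. The baseline set is the part to replace with real data: a per-host list of images seen in Event ID 3 over a trailing window.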

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

#### Analytic 1

  * **Information:** N/A

  * **Source:** N/A

  * **Tool:** N/A

  * **Notes:** N/A

  * **Query:** ```ip.dst != [10/8, 172.16/12, 192.168/16] && protocols == [smb, tls, http] && (host == [*github*, *4share*] || http.uri == [*github*, *4share*])```
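The Technique Detection guidance (a client sending significantly more data than it receives) and Network Analytic 1 (external destinations only, a small set of protocols, a hostname watch-list) implemented together over flow records, added here as an example and not part of the playbook or its tooling. The input is constructed in a Zeek conn.log-like, tab-separated layout (source IP, destination IP, destination port, service, TLS server name or HTTP host, bytes sent by the client, bytes returned); that layout, the sample values and the thresholds are assumptions. It goes one step beyond the query: it aggregates bytes per client/destination pair and flags any external destination with a large, lopsided upload, whether or not the hostname is on the watch-list.

```python
"""Network analytic: asymmetric uploads to external web services.

Added example, not part of the playbook. SAMPLE_FLOWS is constructed in a
Zeek conn.log-like, tab-separated layout (src, dst, dst_port, service,
server_name, orig_bytes, resp_bytes); that layout and the thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

# The playbook's query excludes these destination ranges ...
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# ... restricts to these protocols (Zeek labels TLS as "ssl") ...
WATCHED_SERVICES = {"http", "ssl", "smb"}
# ... and looks for these hostname substrings
WATCHED_HOST_PATTERNS = ("github", "4share", "dropbox", "onedrive")

# Constructed flows: src dst dst_port service server_name orig_bytes resp_bytes
SAMPLE_FLOWS = """\
10.1.2.3\t140.82.112.5\t443\tssl\tapi.github.com\t52000000\t310000
10.1.2.3\t140.82.112.5\t443\tssl\tapi.github.com\t48000000\t280000
10.1.2.7\t13.107.42.12\t443\tssl\tonedrive.live.com\t4100\t980000
10.1.2.9\t10.1.5.20\t445\tsmb\t-\t900000000\t120000
10.1.2.11\t93.184.216.34\t80\thttp\texample.com\t800\t45000
10.1.2.3\t104.16.100.7\t443\tssl\tcdn.example.net\t2100\t3900000
10.1.2.15\t203.0.113.50\t443\tssl\t-\t30000000\t200000
"""


def is_private(ip: str) -> bool:
    """True for RFC 1918 addresses, which the playbook's query excludes as destinations."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_flows(raw: str) -> list:
    """Parse the tab-separated sample into dicts; '-' means no server name was seen."""
    flows = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        src, dst, port, service, sni, orig_bytes, resp_bytes = line.split("\t")
        flows.append({
            "src": src, "dst": dst, "dst_port": int(port), "service": service,
            "server_name": "" if sni == "-" else sni,
            "orig_bytes": int(orig_bytes), "resp_bytes": int(resp_bytes),
        })
    return flows


def aggregate(flows: list) -> dict:
    """Sum bytes per (client, external destination) over the watched protocols."""
    totals = defaultdict(lambda: {"orig_bytes": 0, "resp_bytes": 0, "flows": 0})
    for flow in flows:
        if is_private(flow["dst"]):
            continue  # internal traffic is out of scope for this analytic
        if flow["service"] not in WATCHED_SERVICES:
            continue
        # Prefer the TLS server name / HTTP host; fall back to the IP
        key = (flow["src"], flow["server_name"] or flow["dst"])
        totals[key]["orig_bytes"] += flow["orig_bytes"]
        totals[key]["resp_bytes"] += flow["resp_bytes"]
        totals[key]["flows"] += 1
    return dict(totals)


def find_asymmetric(totals: dict, min_out_bytes: int = 10_000_000,
                    min_ratio: float = 20.0) -> list:
    """Flag client/destination pairs where the client sent far more than it received."""
    findings = []
    for (src, dst), t in totals.items():
        ratio = t["orig_bytes"] / max(t["resp_bytes"], 1)
        if t["orig_bytes"] < min_out_bytes or ratio < min_ratio:
            continue
        findings.append({
            "src": src,
            "dst": dst,
            "out_bytes": t["orig_bytes"],
            "ratio": round(ratio, 1),
            "flows": t["flows"],
            # True when the destination matches the playbook's hostname watch-list
            "watched_service": any(p in dst.lower() for p in WATCHED_HOST_PATTERNS),
        })
    return sorted(findings, key=lambda f: f["out_bytes"], reverse=True)


if __name__ == "__main__":
    for f in find_asymmetric(aggregate(parse_flows(SAMPLE_FLOWS))):
        tag = "watch-listed" if f["watched_service"] else "unlisted"
        print(f"{f['src']} -> {f['dst']}: {f['out_bytes']} B out, ratio {f['ratio']}, "
              f"{f['flows']} flows ({tag})")
```

On the sample this reports two pairs: 100 MB sent to `api.github.com` across two sessions (watch-listed) and 30 MB sent to an unnamed external host (not on the list), while the large internal SMB transfer and the ordinary download-heavy sessions are not flagged. The 10 MB floor and 20:1 ratio are starting points; tune them against a baseline of normal upload behaviour, and treat the watch-list match as a priority signal rather than a prerequisite, since the same pattern over an unlisted host is the blindspot the playbook notes.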