- Tactics
- Exfiltration
- Platforms
- ESXi, Linux, macOS, Office Suite, SaaS, Windows
- Reference
- attack.mitre.org/techniques/T1567
Description
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Sub-techniques
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Exfiltration tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1011 — Exfiltration Over Other Network Medium
- T1020 — Automated Exfiltration
- T1029 — Scheduled Transfer
- T1030 — Data Transfer Size Limits
- T1041 — Exfiltration Over C2 Channel
- T1048 — Exfiltration Over Alternative Protocol
- T1052 — Exfiltration Over Physical Medium
- T1537 — Transfer Data to Cloud Account