ATTACK-T1567.004Active

Exfiltration Over Webhook

Statement

Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.(Citation: RedHat Webhooks) Many public and commercial services, such as Discord, Slack, and webhook.site, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.(Citation: Discord Intro to Webhooks) When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.

Adversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated Automated Exfiltration of emails, chat messages, and other data.(Citation: Push Security SaaS Attacks Repository Webhooks) Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.(Citation: Microsoft SQL Server)

Access to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.(Citation: CyberArk Labs Discord)(Citation: Talos Discord Webhook Abuse)(Citation: Checkmarx Webhooks)

Location

Tactic: Exfiltration

Technique Details

Identifier: ATTACK-T1567.004
Parent Technique: ATTACK-T1567
ATT&CK Page: View on MITRE

Tactics

Exfiltration

Platforms

WindowsmacOSLinuxSaaSOffice SuiteESXi

Detection

Detection Strategy for Exfiltration Over Webhook

Mitigations

Data Loss Prevention: Data Loss Prevention (DLP) involves implementing strategies and technologies to identify, categorize, monitor, and control the movement of sensitive data within an organization. This includes protecting data formats indicative of Personally Identifiable Information (PII), intellectual property, or financial data from unauthorized access, transmission, or exfiltration. DLP solutions integrate with network, endpoint, and cloud platforms to enforce security policies and prevent accidental or malicious data leaks. (Citation: PurpleSec Data Loss Prevention) This mitigation can be implemented through the following measures:

Sensitive Data Categorization:

Use Case: Identify and classify data based on sensitivity (e.g., PII, financial data, trade secrets).
Implementation: Use DLP solutions to scan and tag files containing sensitive information using predefined patterns, such as Social Security Numbers or credit card details.

Exfiltration Restrictions:

Use Case: Prevent unauthorized transmission of sensitive data.
Implementation: Enforce policies to block unapproved email attachments, unauthorized USB usage, or unencrypted data uploads to cloud storage.

Data-in-Transit Monitoring:

Use Case: Detect and prevent the transmission of sensitive data over unapproved channels.
Implementation: Deploy network-based DLP tools to inspect outbound traffic for sensitive content (e.g., financial records or PII) and block unapproved transmissions.

Endpoint Data Protection:

Use Case: Monitor and control sensitive data usage on endpoints.
Implementation: Use endpoint-based DLP agents to block copy-paste actions of sensitive data and unauthorized printing or file sharing.

Cloud Data Security:

Use Case: Protect data stored in cloud platforms.
Implementation: Integrate DLP with cloud storage platforms like Google Drive, OneDrive, or AWS to monitor and restrict sensitive data sharing or downloads.

No cross-framework mappings available

← Back to Exfiltration

Statement

Sensitive Data Categorization:

Use Case: Identify and classify data based on sensitivity (e.g., PII, financial data, trade secrets).
Implementation: Use DLP solutions to scan and tag files containing sensitive information using predefined patterns, such as Social Security Numbers or credit card details.

Exfiltration Restrictions:

Use Case: Prevent unauthorized transmission of sensitive data.
Implementation: Enforce policies to block unapproved email attachments, unauthorized USB usage, or unencrypted data uploads to cloud storage.

Data-in-Transit Monitoring:

Use Case: Detect and prevent the transmission of sensitive data over unapproved channels.
Implementation: Deploy network-based DLP tools to inspect outbound traffic for sensitive content (e.g., financial records or PII) and block unapproved transmissions.

Endpoint Data Protection:

Use Case: Monitor and control sensitive data usage on endpoints.
Implementation: Use endpoint-based DLP agents to block copy-paste actions of sensitive data and unauthorized printing or file sharing.

Cloud Data Security:

Use Case: Protect data stored in cloud platforms.
Implementation: Integrate DLP with cloud storage platforms like Google Drive, OneDrive, or AWS to monitor and restrict sensitive data sharing or downloads.

Exfiltration Over Webhook

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings0

Exfiltration Over Webhook

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings0