Exfiltration Over Web Service - T1567
(ATT&CK® Technique)
Definition
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
D3FEND Inferred Relationships
Artifacts associated with T1567 (Exfiltration Over Web Service):
- produces: Outbound Internet Web Traffic (d3f:OutboundInternetWebTraffic)
- produces: Outbound Internet Encrypted Web Traffic (d3f:OutboundInternetEncryptedWebTraffic)
- may-produce: Outbound Internet Encrypted Web Traffic (d3f:OutboundInternetEncryptedWebTraffic)
- may-produce: Outbound Internet Encrypted Remote Terminal Traffic (d3f:OutboundInternetEncryptedRemoteTerminalTraffic)

Defensive techniques that May Detect T1567. Each one analyzes all three artifacts above (Outbound Internet Web Traffic, Outbound Internet Encrypted Web Traffic, Outbound Internet Encrypted Remote Terminal Traffic):
- Protocol Metadata Anomaly Detection (d3f:ProtocolMetadataAnomalyDetection)
- Relay Pattern Analysis (d3f:RelayPatternAnalysis)
- Network Traffic Community Deviation (d3f:NetworkTrafficCommunityDeviation)
- Client-server Payload Profiling (d3f:Client-serverPayloadProfiling)
- Per Host Download-Upload Ratio Analysis (d3f:PerHostDownload-UploadRatioAnalysis)
- Network Traffic Signature Analysis (d3f:NetworkTrafficSignatureAnalysis)
- Remote Terminal Session Detection (d3f:RemoteTerminalSessionDetection)
- User Geolocation Logon Pattern Analysis (d3f:UserGeolocationLogonPatternAnalysis)

Defensive techniques that May Isolate T1567. Each one filters all three artifacts above:
- Network Traffic Filtering (d3f:NetworkTrafficFiltering)
- Outbound Traffic Filtering (d3f:OutboundTrafficFiltering)