Exfiltration Over Webhook - T1567.004
(ATT&CK® Technique)
Definition
Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server. Many public and commercial services, such as Discord, Slack, and webhook.site, support the creation of webhook endpoints that can be used by other services, such as GitHub, Jira, or Trello. When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.
D3FEND Inferred Relationships
Exfiltration Over Webhook (T1567.004) produces the artifact Outbound Internet Web Traffic.

Defensive techniques that analyze Outbound Internet Web Traffic and may detect Exfiltration Over Webhook:
- Client-server Payload Profiling
- Network Traffic Community Deviation
- Per Host Download-Upload Ratio Analysis
- Protocol Metadata Anomaly Detection
- Relay Pattern Analysis
- Remote Terminal Session Detection
- Network Traffic Signature Analysis
- User Geolocation Logon Pattern Analysis

Defensive techniques that filter Outbound Internet Web Traffic and may isolate Exfiltration Over Webhook:
- Network Traffic Filtering
- Outbound Traffic Filtering
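An added example (not part of the D3FEND or ATT&CK page): a per-host check over proxy logs for POSTs to webhook endpoints of the services named in the definition, in the spirit of Per Host Download-Upload Ratio Analysis. The log format, host names, thresholds and URL patterns are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# URL shapes assumed for the webhook services the definition names.
WEBHOOK_PATTERNS = [
    re.compile(r"^https://(?:discord|discordapp)\.com/api/webhooks/"),
    re.compile(r"^https://hooks\.slack\.com/"),
    re.compile(r"^https://webhook\.site/"),
]

# Constructed proxy log lines: src_host method url bytes_out bytes_in
SAMPLE_LOG = """\
ws-014 POST https://hooks.slack.com/services/TEXAMPLE/BEXAMPLE/placeholder 412 38
ws-014 GET https://intranet.example.com/wiki/home 310 48211
build-02 POST https://discord.com/api/webhooks/000000000000000000/placeholder 5242880 45
build-02 POST https://discord.com/api/webhooks/000000000000000000/placeholder 7340032 45
ws-031 POST https://webhook.site/00000000-0000-0000-0000-000000000000 96 20
ws-031 GET https://cdn.example.com/installer.bin 280 9437184
"""

def is_webhook(url):
    """True when the URL matches one of the assumed webhook endpoint shapes."""
    return any(p.match(url) for p in WEBHOOK_PATTERNS)

def parse(log):
    """Yield (host, method, url, bytes_out, bytes_in); skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3].isdigit() and parts[4].isdigit():
            yield parts[0], parts[1], parts[2], int(parts[3]), int(parts[4])

def webhook_upload_report(log, min_bytes=1_000_000, min_ratio=10.0):
    """Per host: total bytes POSTed to webhook endpoints vs bytes received."""
    totals = defaultdict(lambda: [0, 0, 0])  # bytes_out, bytes_in, posts
    for host, method, url, out, inn in parse(log):
        if method == "POST" and is_webhook(url):
            t = totals[host]
            t[0] += out; t[1] += inn; t[2] += 1
    report = {}
    for host, (out, inn, posts) in totals.items():
        ratio = round(out / max(inn, 1), 1)
        # Alert only on volume AND ratio: small notifications are normal use.
        report[host] = {"posts": posts, "bytes_out": out, "ratio": ratio,
                        "alert": out >= min_bytes and ratio >= min_ratio}
    return report

if __name__ == "__main__":
    for host, row in sorted(webhook_upload_report(SAMPLE_LOG).items()):
        print(host, row)
```

Only webhook POSTs are counted, so the large download by ws-031 does not mask or inflate its webhook ratio.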