Exfiltration Over Web Service
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Detection logic
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.
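One way to implement the flow-asymmetry check described above, as an added example that is not part of the original page. The flow-record fields, thresholds, baseline set, hostnames and domains are constructed assumptions, not values from any product or report.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (not real telemetry); byte counts are per flow.
SAMPLE_FLOWS = """host,process,dest,bytes_out,bytes_in
ws-014,chrome.exe,drive.example-cloud.test,48000,2100000
ws-014,chrome.exe,drive.example-cloud.test,52000,1800000
ws-022,onedrive.exe,files.example-cloud.test,900000,850000
ws-031,notepad.exe,paste.example-share.test,64000000,41000
ws-031,notepad.exe,paste.example-share.test,58000000,39000
ws-040,backup.exe,files.example-cloud.test,75000000,120000
"""

# Assumed baseline: (host, process) pairs already known to use the network.
BASELINE = {("ws-014", "chrome.exe"), ("ws-022", "onedrive.exe"), ("ws-040", "backup.exe")}

MIN_BYTES_OUT = 10_000_000  # assumed threshold: ignore small uploads
MIN_RATIO = 20.0            # assumed threshold: bytes sent / bytes received


def find_upload_anomalies(flow_csv, baseline, min_out=MIN_BYTES_OUT, min_ratio=MIN_RATIO):
    """Aggregate flows per (host, process, dest) and flag upload-heavy tuples."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (row["host"], row["process"], row["dest"])
        totals[key][0] += int(row["bytes_out"])
        totals[key][1] += int(row["bytes_in"])

    findings = []
    for (host, process, dest), (out_b, in_b) in totals.items():
        ratio = out_b / max(in_b, 1)  # avoid division by zero on one-way flows
        if out_b < min_out or ratio < min_ratio:
            continue
        new_process = (host, process) not in baseline
        findings.append({
            "host": host, "process": process, "dest": dest,
            "bytes_out": out_b, "ratio": round(ratio, 1),
            "new_process": new_process,
            # Upload-heavy traffic from a never-seen process is the stronger signal.
            "severity": "high" if new_process else "review",
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", -f["bytes_out"]))


if __name__ == "__main__":
    for finding in find_upload_anomalies(SAMPLE_FLOWS, BASELINE):
        print(finding)
```

Aggregating before scoring matters here: the two `ws-031` flows are each large, but a slower upload split into many small flows would only cross the volume threshold once summed per host, process and destination.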
Observed actors
Correlated CTI and IR reports
Andrey Pautov · direct source mapping
Iranian State Actors Conduct Cyber Operations Against the Government of Albania
CISA · curated primary-source mapping
CTI Research: LLM/AI/MCP Usage in the Cyber Kill Chain
1200km CTI repository · explicit report mention
CTI Research: LLM/AI/MCP Usage in the Cyber Kill Chain
1200km CTI repository · explicit report mention
CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mention
CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mention
OilRig (APT34 / Helix Kitten / Earth Simnavaz etc)
Israel Threat Actors CTI · explicit report mention
CTI Research MuddyWater Seedworm Mango Sandstorm
1200km Medium · authored report mention
Correlation Based Detection Rules in Cybersecurity From Atomic Events to Behavioral Insight
1200km Medium · authored report mention