T1567: T1567

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 09/03/2020 13:51 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1567
Confidence: 100/100
Revoked: No
Published: 09/03/2020 13:51
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

Exfiltration Over Web Service

Platforms

windows macos linux ESXi Office Suite SaaS

Description

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Kill chain phases

Kill chain	Phase
mitre-attack	exfiltration

Marking (TLP)

External references

mitre-attack (T1567)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (59)

TargetCompany uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6040, UNC6395 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6508 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Moonstone Sleet uses Storm-1789

The MITRE Corporation Confidence 100

[Moonstone Sleet](https://attack.mitre.org/groups/G1036) is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, [Lazarus Group](https://attack.mitre.org/groups/G0032),…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Savvy Seahorse uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
everest uses

AlienVault Confidence 100

Everest ransom group collects and analyzes information about their victims. They specialize in customer privacy data, financial information, databases, credit card information, and more. The Everest ransom group…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BRONZE BUTLER uses REDBALDKNIGHTTick

The MITRE Corporation Confidence 100

[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC961 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LilacSquid uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BianLian uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 59

LazyStealer uses
Third Eye Remote Control uses
BigSquatRAT uses

Family
OtterCookie uses

Family
Drinik uses
Cheerscrypt ransomware uses
Raccoon Stealer uses

Family
Remus uses

Family
ExByte uses

Family
Aisuru uses

Family
BlackCat - S1068 uses

Family
OilCheck uses

← Previous

Page / 7

1–12 of 77

Prinz Eugen ransomware: a deep dive into a … related

AlienVault Confidence 100 17 MITREs 1 Malware 16 IOCs 14 Observables 1 APT
Detecting the Klue supply chain attack in Salesforce … related

AlienVault Confidence 100 13 MITREs 3 IOCs 3 Observables 1 APT
Threat Actors Weaponizing RAR Archives to Target Thailand's … related

AlienVault Confidence 100 21 MITREs 1 Malware 7 IOCs
Klue Integration Abused in Salesforce Data Theft | … related

AlienVault Confidence 100 15 MITREs 2 IOCs 2 Observables
From emerging threat to top-tier ransomware-as-a-service: The evolution … related

AlienVault Confidence 100 4 CVEs 19 MITREs 4 Malwares 25 IOCs 25 Observables 1 APT
Attackers Weaponize Microsoft Teams Relays to Stay Hidden related

AlienVault Confidence 100 3 CVEs 18 MITREs 2 Malwares 26 IOCs 26 Observables 1 APT
Public and Private Medical Community Targeted by Threat … related

12 MITREs 1 Malware 8 Observables 1 APT
Affidavit in Support of Application for Criminal Complaint related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics … related

AlienVault Confidence 100 19 MITREs 3 Malwares 2 IOCs 2 Observables
Popular node-ipc npm Package Infected with Credential Stealer related

AlienVault Confidence 100 20 MITREs 1 Malware 10 IOCs 10 Observables
Exposing Fox Tempest: A malware-signing service operation related

AlienVault Confidence 100 20 MITREs 9 Malwares 4 IOCs 4 Observables 1 APT
Copycat hits another npm package related

AlienVault Confidence 100 19 MITREs 1 Malware 3 IOCs 3 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (86)

CVE-2023-36884 KEV targets

7.5 High

Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a …

Attack vector: Network
Published: 17/07/2023
Modified: 27/05/2026

CVE-2024-41713 KEV targets

9.1 Critical

A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker …

Attack vector: Network
Published: 07/01/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-1389 KEV targets

8.8 High

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Attack vector: Adjacent
Published: 01/05/2023
Modified: 21/12/2025

CVE-2017-10271 KEV targets

7.5 High

Oracle Corporation WebLogic Server contains a vulnerability that allows for remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 19/10/2017
Modified: 22/04/2026

CWE-306

CVE-2026-1102 targets

5.3 Medium

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 …

Attack vector: NETWORK
Published: 22/01/2026
Modified: 28/01/2026

Received

CVE-2025-13928 targets

7.5 High

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 …

Attack vector: NETWORK
Published: 22/01/2026
Modified: 28/01/2026

Received

CVE-2023-27532 KEV targets

7.5 High

Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within …

Attack vector: Network
Published: 22/08/2023
Modified: 27/05/2026

CVE-2022-0074 targets

8.8 High

Untrusted Search Path vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server Container allows Privilege Escalation. This affects versions from …

Attack vector: NETWORK
Published: 27/10/2022
Modified: 21/12/2025

CVE-2025-53690 KEV targets

9.0 Critical

Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the …

Attack vector: Network
Published: 04/09/2025
Modified: 21/12/2025

CVE-2022-27666 targets

CVE-2024-43093 KEV targets

7.3 High

In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due …

Attack vector: Local
Published: 07/11/2024
Modified: 21/12/2025

Analyzed

CVE-2024-55591 KEV targets

9.8 Critical

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …

Attack vector: Network
Published: 14/01/2025
Modified: 27/05/2026

Analyzed

← Previous

Page / 8

1–12 of 86

T1567.002 subtechnique-of

Exfiltration to Cloud Storage MITRE

Campaign (1)

APT28 Nearest Neighbor Campaign uses

Contact About Legal notice Privacy policy Terms of use

T1567: T1567

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (59)

Malware (77)

Reports (50)

Vulnerabilities (CVE) (86)

Attack patterns (MITRE) (1)

Campaign (1)