Clankerusecase
MITRE ATT&CK detection coverage

T1567 Exfiltration Over Web Service

T1567 — Exfiltration Over Web Service is a MITRE ATT&CK technique in the Exfiltration tactic. Clankerusecase tracks 68 detection use cases covering it and 46 threat-intel articles citing it.

Exfiltration
68 Use cases
46 Articles
4 Sub-techniques
1 Tactic

Sub-techniques (4)

Use cases covering this technique (68)

- Application data exfiltration successful | Internal actions · alerting | DD
- [WEEKLY] Install-Triggered Registry Publish or Git Push (Supply-Chain Worm Self-Propagation) | Internal actions · alerting | DSPDDCSCW
- [WEEKLY] Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes | Internal actions · alerting | DSPDD
- [WEEKLY] npm Install-Time Lifecycle Hook Triggers Outbound Egress to Newly-Seen Domain (Shai-Hulud/Miasma/IronWorm pattern) | Internal install · alerting | DSPDD
- [WEEKLY] Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) | Internal install · alerting | DSPDD
- [WEEKLY] Package-Manager Install -> Interpreter Child -> Non-Registry Egress Within 5 Minutes | Internal install · alerting | DSPDD
- [WEEKLY] Package-manager install-time interpreter spawn with credential-file read and outbound egress within 120s | Internal install · alerting | DSPDD
- [WEEKLY] Supply-chain repo credential theft → outbound exfil to attacker infra | Internal actions · alerting | DSPDD
- O365 DLP Rule Triggered | ESCU actions · hunting | P
- O365 Email Access By Security Administrator | ESCU actions · alerting | P
- O365 Exfiltration via File Access | ESCU actions · hunting | P
- O365 Exfiltration via File Download | ESCU actions · hunting | P
- O365 Exfiltration via File Sync Download | ESCU actions · hunting | P
- Linux Gdrive Binary Activity | ESCU actions · alerting | P
- LOLBAS With Network Traffic | ESCU actions · alerting | P
- Windows Gdrive Binary Activity | ESCU actions · alerting | P
- Cisco TFTP Server Configuration for Data Exfiltration | ESCU actions · alerting | P
- High Volume of Bytes Out to Url | ESCU actions · hunting | P
- [LLM] Shai-Hulud worm exfil — outbound to webhook.site/bb8ca5f6 from developer or CI process | Bespoke c2 · alerting | DSΣPDDCS
- [LLM] Agentjacking C2/exfiltration to advisory-tracker.com (Tenet Sentry-MCP attack) | Bespoke actions · alerting | DSΣPDDCS
- [LLM] AI-agent-driven mailbox auto-forwards messages to first-time-seen external recipient | Bespoke actions · alerting | DSPDD
- [LLM] Bun runtime egress to npm/PyPI publish endpoints or attacker-controlled GitHub repos | Bespoke c2 · hunting | DSΣPDDCS
- [LLM] npm/node install-time process beaconing to webhook.site, sfrclak.com or 142.11.206.73 | Bespoke c2 · alerting | DSΣPDDCS
- [LLM] build.rs invoking curl POST to Sentry envelope endpoint with code diff payload | Bespoke actions · alerting | DSΣPDDCS
- [LLM] Network egress to onering Sentry exfil ingest domain or project envelope path | Bespoke c2 · alerting | DSΣPDDCS
- [LLM] WinSCP or Rclone exfiltration from end-user workstations | Bespoke actions · hunting | DSΣPDDCS
- [LLM] Outbound mail to or domain lookup of business-data-leaks[.]com (UNC3753 extortion infrastructure) | Bespoke c2 · alerting | DSΣPDDCS
- [LLM] Smart-TV / mobile device acting as residential proxy exit node (high-fan-out HTTPS to unrelated public destinations) | Bespoke actions · hunting | DSP
- [LLM] GitHub Actions runner: node from Claude Code Action egresses to non-Anthropic/non-GitHub endpoint | Bespoke c2 · hunting | DSPDDCS
- [LLM] Mini Shai-Hulud npm worm exfiltration to t.m-kosche.com OpenTelemetry endpoint | Bespoke actions · alerting | DSΣPDDCS
- [LLM] Mini Shai-Hulud npm worm exfil to filev2.getsession.org | Bespoke actions · alerting | DSPDDCS
- [LLM] postmark-mcp BCC exfil to giftshop.club | Bespoke actions · alerting | DSΣPDDCS
- [LLM] DNS/HTTPS exfil to sentry.anyclaw.store (Codex token C2 masquerading as Sentry) | Bespoke c2 · alerting | DSΣPDDCS
- [LLM] Mini Shai-Hulud npm worm C2/exfil egress (masscan.cloud, git-tanstack.com, getsession.org) | Bespoke actions · alerting | DSΣPDDCS
- [LLM] Megalodon CI/CD exfil: outbound HTTPS to C2 216.126.225.129:8443 | Bespoke c2 · hunting | DSΣPDDCS
- [LLM] DNS / Network egress to TeamPCP Nx Console C2 domain check.git-service.com | Bespoke c2 · alerting | DSΣPDDCS
- [LLM] Outbound C2 to t.m-kosche.com from CI/CD runner or any endpoint | Bespoke c2 · alerting | DSΣPDDCS
- [LLM] Mini Shai-Hulud GitHub dead-drop exfiltration via python-requests/2.31.0 | Bespoke actions · hunting | DSΣPDDCS
- [LLM] Arcane backend host outbound Git/HTTPS to non-allowlisted host on port 22/443 (CVE-2026-45625 credential sink) | Bespoke c2 · hunting | DSPDDCS
- [LLM] Mini Shai-Hulud npm Worm C2 callback to Session Protocol CDN and masscan.cloud | Bespoke c2 · alerting | DSΣPDDCS
- [LLM] Shai-Hulud style repository poisoning — .claude/router_runtime.js drop | Bespoke actions · alerting | DSΣPDD
- [LLM] Mini Shai-Hulud 'OhNoWhatsGoingOnWithGitHub' dead-drop keyword in outbound URL | Bespoke c2 · alerting | DSΣPDD
- [LLM] Svix Ingest webhook exfiltration relay (src_3387PLMB2uhXOBe3Q8sHu) | Bespoke exfiltration · alerting | DSΣPDDCS
- [LLM] Mini Shai-Hulud post-compromise persistence artifacts in .claude/, .vscode/, .github/workflows/ | Bespoke actions · alerting | DSΣPDD
- [LLM] Exfil to skyhanni.cloud C2 with X-Rise-To-The-Trinny header | Bespoke c2 · alerting | DSΣPDDCS
- [LLM] Suspicious draft email manipulation against barrantaya.1010@outlook.com (BoxOfFriends Graph API C2) | Bespoke c2 · hunting | DSPDDCS
- [LLM] Shai-Hulud preinstall: node/npm spawning git/curl/gh pushing to attacker repo or GitHub API | Bespoke actions · hunting | DSPDDCS
- [LLM] hackerbot-claw payload host: DNS/HTTP egress to hackmoltrepeat.com (C2 + exfil) | Bespoke c2 · alerting | DSΣPDDCS
- [LLM] hackerbot-claw token exfiltration: curl POST with GITHUB_TOKEN to recv.hackmoltrepeat.com | Bespoke actions · alerting | DSΣPDDCS
- [LLM] TeamPCP tpcp.tar.gz exfil POST signature on egress proxy / WAF | Bespoke actions · alerting | DSΣPDDCS
- [LLM] Trivy supply-chain C2 beacon to typosquat domain scan.aquasecurtiy.org | Bespoke c2 · alerting | DSΣPDD
- [LLM] DNS tunneling exfiltration pattern to *.t.opentensor-cdn.com (hex chunk/index/total/session) | Bespoke c2 · alerting | DSΣPDD
- [LLM] C2 beaconing to Vercel-hosted Cloudflare-impersonating domains (cloudflareguard / cloudflareinsights) | Bespoke c2 · alerting | DSΣPDD
- [LLM] Outbound traffic to *.oastify.com (BurpSuite Collaborator) from corporate endpoint | Bespoke exfiltration · alerting | DSΣPDDCS
- [LLM] CI runner anomalous outbound to raw.githubusercontent.com / gist.githubusercontent.com | Bespoke c2 · alerting | DSPDDCS
- [LLM] Egress to Qix npm phishing/exfil infrastructure (npmjs.help, publicvm.com, BunnyCDN buckets) | Bespoke c2 · hunting | DSΣPDDCS
- [LLM] APT28 MacroMaze: Edge launched off-screen or headless to webhook.site by non-browser parent | Bespoke c2 · alerting | DSΣP
- [LLM] GhostChat C2 beacon URL pattern: hitpak.org/page.php?tynor=<host>sss<user> | Bespoke exfil · alerting | DSΣPDDCS
- [LLM] Shai-Hulud 3.0 'Goldox-T3chs' GitHub exfiltration marker observed | Bespoke actions · alerting | DSΣPDDCS
- [LLM] Outbound exfiltration to webhook.site from npm / node / bun process tree | Bespoke c2 · alerting | DSΣPDDCS
- [LLM] Outbound exfiltration to Shai-Hulud webhook.site/bb8ca5f6 C2 endpoint | Bespoke c2 · alerting | DSΣPDD
- [LLM] Outbound email BCC'd to giftshop.club exfil domain (postmark-mcp backdoor) | Bespoke actions · alerting | DSΣPDD
- [LLM] DNS or HTTP egress to giftshop.club exfil domain | Bespoke c2 · alerting | DSΣPDDCS
- [LLM] GhostAction curl/wget POST of CI/CD secret token to Plesk endpoint | Bespoke actions · alerting | DSΣPDDCS
- [LLM] Shai-Hulud worm C2 exfiltration to webhook.site UUID bb8ca5f6 | Bespoke c2 · alerting | DSΣPDDCS
- [LLM] Egress to websocket-api2.publicvm.com (Qix campaign credential exfil C2) | Bespoke c2 · alerting | DSΣPDDCS
- [LLM] CI/CD Linux build host outbound to gist.githubusercontent.com (tj-actions IOC pattern) | Bespoke c2 · alerting | DSΣPDD
- [LLM] CI/CD runner outbound to gist.githubusercontent.com (tj-actions CVE-2025-30066 staging fetch) | Bespoke c2 · alerting | DSΣPDDCS

Articles citing this technique (46)