| ID | Name |
|---|---|
| ATAGS-T1203.001 | Exfiltration to Code Repository |
| ATAGS-T1203.002 | Exfiltration to Cloud Storage |
| ATAGS-T1203.003 | Exfiltration to Text Storage Sites |
| ATAGS-T1203.004 | Exfiltration Over Webhook |

Threat Actors may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server. Many public and commercial services, such as Discord, Slack, and webhook.site, support the creation of webhook endpoints that can be used by other services, such as GitHub, Jira, or Trello. When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
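
The following is an added example, not part of the original page, of a detection check for the behaviour described above: it sums the bytes each host uploads to webhook URLs of the services named in the text and reports sources above a threshold. The five-field proxy log layout, the host names, the allowlist and the `min_bytes` threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Webhook URL shapes for the services named in the text: (domain, path regex).
WEBHOOK_PATTERNS = {
    "discord": ("discord.com", re.compile(r"^/api/webhooks/\d+/[\w-]+")),
    "slack": ("hooks.slack.com", re.compile(r"^/services/[\w/]+")),
    "webhook.site": ("webhook.site", re.compile(r"^/[0-9a-f-]{36}")),
}

# Constructed sample; assumed layout: timestamp source method url bytes_sent
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z build-agent-7 POST https://hooks.slack.com/services/T000/B000/XXXX 812",
    "2024-05-01T10:02:13Z build-agent-7 POST https://webhook.site/00000000-0000-0000-0000-000000000000 74000",
    "2024-05-01T10:02:19Z build-agent-7 POST https://webhook.site/00000000-0000-0000-0000-000000000000 61000",
    "2024-05-01T10:03:40Z dev-laptop-3 GET https://discord.com/api/webhooks/123456/abcDEF 0",
    "2024-05-01T10:04:02Z dev-laptop-3 POST https://discord.com/channels/1/2 250000",
]

def classify(url):
    """Return the webhook service a URL targets, or None if it is not one."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for service, (domain, path_re) in WEBHOOK_PATTERNS.items():
        if (host == domain or host.endswith("." + domain)) and path_re.match(parts.path):
            return service
    return None

def find_webhook_uploads(log_lines, allowed=frozenset(), min_bytes=100_000):
    """Total upload bytes per (source, service); keep totals >= min_bytes.
    `allowed` holds (source, service) pairs with a known business use."""
    totals = defaultdict(int)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guess at fields
        _ts, src, method, url, sent = fields
        service = classify(url)
        if method not in ("POST", "PUT") or service is None or not sent.isdigit():
            continue
        if (src, service) in allowed:
            continue
        totals[(src, service)] += int(sent)
    return {key: total for key, total in totals.items() if total >= min_bytes}
```

Aggregating per source matters because a single upload may be split across many small requests that each stay under a per-request size alert.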