T1530

Data from Cloud Storage

Adversaries may access data from cloud storage. Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary us...

Platforms: IaaS, Office Suite, SaaS

32 detections, 3 sources, 5 threat actors

BY SOURCE

elastic (21), splunk_escu (10), kql (1)

PROCEDURES (24)

Auto-extracted keyword groups, with the number of detections matched by each extraction (the same keyword appears more than once where the extraction ran per source):

Cloud: 2, 2, 1 detections
Service: 2, 2, 1, 1 detections
Azure: 2, 1, 1, 1 detections
Credential: 2 detections
Phish: 1, 1 detections
Powershell: 1, 1 detections
Suspicious: 1, 1 detections
Download: 1 detection
Encrypt: 1, 1 detections
Cloud Monitoring: 1 detection
Token: 1, 1 detections

DETECTIONS (32)

Each entry lists the detection name followed by its source and, where the source assigns one, its severity.

AWS API Activity from Uncommon S3 Client by Rare User (elastic, low)
AWS CloudTrail Log Created (elastic, low)
AWS CloudTrail Log Updated (elastic, low)
AWS DynamoDB Scan by Unusual User (elastic, low)
AWS EC2 Export Task (elastic, medium)
AWS S3 Bucket Enumeration or Brute Force (elastic, low)
AWS S3 Bucket Policy Added to Allow Public Access (elastic, medium)
AWS S3 Bucket Policy Added to Share with External Account (elastic, medium)
AWS S3 Credential File Retrieved from Bucket (elastic, medium)
AWS S3 Rapid Bucket Posture API Calls from a Single Principal (elastic, low)
AWS S3 Unauthenticated Bucket Access by Rare Source (elastic, medium)
AWS SNS Rare Protocol Subscription by User (elastic, low)
Azure Storage Account Blob Public Access Enabled (elastic, medium)
Azure Storage Blob Retrieval via AzCopy (elastic, medium)
Cisco ASA - Device File Copy Activity (splunk_escu)
Detect GCP Storage access from a new IP (splunk_escu)
Detect New Open GCP Storage Buckets (splunk_escu)
Detect New Open S3 buckets (splunk_escu)
Detect New Open S3 Buckets over AWS CLI (splunk_escu)
Detect S3 access from a new IP (splunk_escu)
Detect Spike in S3 Bucket deletion (splunk_escu)
GCP Pub/Sub Subscription Creation (elastic, low)
GCP Pub/Sub Topic Creation (elastic, low)
Google Workspace Drive Encryption Key(s) Accessed from Anonymous User (elastic, high)
Kubernetes Secret or ConfigMap Access via Azure Arc Proxy (elastic, medium)
M365 OneDrive/SharePoint Excessive File Downloads (elastic, medium)
M365 SharePoint Search for Sensitive Content (elastic, low)
M365 SharePoint/OneDrive File Access via PowerShell (elastic, medium)
O365 Exfiltration via File Access (splunk_escu)
O365 Exfiltration via File Download (splunk_escu)
O365 Exfiltration via File Sync Download (splunk_escu)
OneDrive Sync From Rare IP (kql)
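
The following is an added example, not code from this page or from the Elastic or Splunk rule sets it lists. It shows the core logic behind four of the S3 detections above (bucket policy opened to the public, bucket policy shared with an external account, object access from an IP not in a principal's baseline, and excessive downloads by one principal) run over a handful of constructed CloudTrail-shaped records. The account id, the baseline IP table, the principal names and the download threshold are all assumptions chosen for the example; real CloudTrail records carry many more fields than the ones read here.

```python
"""Minimal S3 data-access detections over constructed CloudTrail-style records."""
import json
from collections import defaultdict

HOME_ACCOUNT = "111111111111"  # assumed account id of the tenant being monitored

# Assumed baseline of source IPs previously seen per principal; in practice this
# comes from a lookback over historical CloudTrail, not a hard-coded table.
BASELINE_IPS = {
    "arn:aws:iam::111111111111:user/bob": {"203.0.113.20"},
    "arn:aws:iam::111111111111:user/carol": {"203.0.113.30"},
}


def _event(name, user, ip, bucket, **extra):
    """Build a constructed, CloudTrail-shaped record with only the fields the checks read."""
    rec = {"eventSource": "s3.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": f"arn:aws:iam::{HOME_ACCOUNT}:user/{user}"},
           "sourceIPAddress": ip, "requestParameters": {"bucketName": bucket}}
    rec["requestParameters"].update(extra)
    return rec


PUBLIC_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
                                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-backups/*"}]}
EXTERNAL_POLICY = {"Statement": [{"Effect": "Allow",
                                  "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                                  "Action": "s3:*", "Resource": "arn:aws:s3:::corp-finance/*"}]}

# Constructed sample: one public policy, one cross-account policy, a burst of six
# downloads by bob from an IP outside his baseline, and two benign reads by carol.
SAMPLE_EVENTS = (
    [_event("PutBucketPolicy", "alice", "203.0.113.10", "corp-backups", bucketPolicy=PUBLIC_POLICY),
     _event("PutBucketPolicy", "dave", "203.0.113.40", "corp-finance", bucketPolicy=EXTERNAL_POLICY)]
    + [_event("GetObject", "bob", "198.51.100.7", "corp-backups", key=f"dump{i}.sql") for i in range(6)]
    + [_event("GetObject", "carol", "203.0.113.30", "corp-docs", key=f"q{i}.pdf") for i in range(2)]
)


def _principal_accounts(principal):
    """Return (is_wildcard, account_ids) for a policy statement's Principal element."""
    if principal == "*":
        return True, set()
    if not isinstance(principal, dict):
        return False, set()  # Service/Federated principals are out of scope here
    aws = principal.get("AWS", [])
    aws = [aws] if isinstance(aws, str) else list(aws)
    if "*" in aws:
        return True, set()
    accounts = set()
    for p in aws:
        parts = p.split(":")
        accounts.add(parts[4] if len(parts) > 4 else p)  # bare 12-digit ids are valid too
    return False, accounts


def detect(events, baseline_ips, home_account, download_threshold=5):
    """Return (finding, principal_arn, detail) tuples for the four S3 checks."""
    findings = []
    downloads = defaultdict(int)
    new_ip_seen = set()
    for e in events:
        user = e["userIdentity"]["arn"]
        ip = e["sourceIPAddress"]
        params = e.get("requestParameters") or {}
        bucket = params.get("bucketName")
        if e["eventName"] == "PutBucketPolicy":
            policy = params.get("bucketPolicy") or {}
            if isinstance(policy, str):  # some pipelines keep the policy as a JSON string
                policy = json.loads(policy)
            statements = policy.get("Statement", [])
            if isinstance(statements, dict):  # a single statement may be unwrapped
                statements = [statements]
            for s in statements:
                if s.get("Effect") != "Allow":
                    continue
                wildcard, accounts = _principal_accounts(s.get("Principal"))
                if wildcard:
                    findings.append(("public_bucket_policy", user, bucket))
                elif accounts - {home_account}:
                    findings.append(("external_account_policy", user, bucket))
        elif e["eventName"] == "GetObject":
            # Alert once per (principal, ip) pair, not once per object read.
            if ip not in baseline_ips.get(user, set()) and (user, ip) not in new_ip_seen:
                new_ip_seen.add((user, ip))
                findings.append(("s3_access_from_new_ip", user, ip))
            downloads[(user, bucket)] += 1
    for (user, bucket), n in downloads.items():
        if n > download_threshold:
            findings.append(("excessive_downloads", user, bucket))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, BASELINE_IPS, HOME_ACCOUNT):
        print(*finding)
```

The public-access check treats both the bare `"*"` and `{"AWS": "*"}` forms as wildcard principals, since either grants anonymous access when the bucket is not otherwise blocked; the external-account check compares every account id in the Principal against the home account, so a policy that names a mix of internal and external principals still fires. The download count is a plain per-run tally; a production rule would bucket it into a sliding time window.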