T1530

Data from Cloud Storage

Adversaries may access data from cloud storage. Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary us...

IaaS, Office Suite, SaaS

30 Detections, 2 Sources, 5 Threat Actors

BY SOURCE

elastic: 20, splunk_escu: 10

PROCEDURES (23)

Auto-extracted keyword groups:

Cloud: 3 detections
Credential: 2 detections
Remote: 2 detections
Service: 2 detections
Unusual: 2 detections
Azure: 2 detections
Http: 1 detection
Download: 1 detection
Unusual: 1 detection
Authentication Monitoring: 1 detection
Http: 1 detection
Encrypt: 1 detection
Service: 1 detection
Phish: 1 detection
Powershell: 1 detection
Token: 1 detection
Azure: 1 detection
Token: 1 detection
Encrypt: 1 detection
Cloud: 1 detection
Cloud Monitoring: 1 detection
Suspicious: 1 detection
Service: 1 detection

DETECTIONS (30)

AWS API Activity from Uncommon S3 Client by Rare User (elastic, low)
AWS CloudTrail Log Created (elastic, low)
AWS CloudTrail Log Updated (elastic, low)
AWS DynamoDB Scan by Unusual User (elastic, low)
AWS EC2 Export Task (elastic, medium)
AWS S3 Bucket Enumeration or Brute Force (elastic, low)
AWS S3 Bucket Policy Added to Allow Public Access (elastic, medium)
AWS S3 Bucket Policy Added to Share with External Account (elastic, medium)
AWS S3 Rapid Bucket Posture API Calls from a Single Principal (elastic, low)
AWS S3 Unauthenticated Bucket Access by Rare Source (elastic, medium)
AWS SNS Rare Protocol Subscription by User (elastic, low)
Azure Storage Account Blob Public Access Enabled (elastic, medium)
Azure Storage Blob Retrieval via AzCopy (elastic, medium)
Cisco ASA - Device File Copy Activity (splunk_escu)
Detect GCP Storage access from a new IP (splunk_escu)
Detect New Open GCP Storage Buckets (splunk_escu)
Detect New Open S3 buckets (splunk_escu)
Detect New Open S3 Buckets over AWS CLI (splunk_escu)
Detect S3 access from a new IP (splunk_escu)
Detect Spike in S3 Bucket deletion (splunk_escu)
GCP Pub/Sub Subscription Creation (elastic, low)
GCP Pub/Sub Topic Creation (elastic, low)
Google Workspace Drive Encryption Key(s) Accessed from Anonymous User (elastic, high)
Kubernetes Secret or ConfigMap Access via Azure Arc Proxy (elastic, medium)
M365 OneDrive/SharePoint Excessive File Downloads (elastic, medium)
M365 SharePoint Search for Sensitive Content (elastic, low)
M365 SharePoint/OneDrive File Access via PowerShell (elastic, medium)
O365 Exfiltration via File Access (splunk_escu)
O365 Exfiltration via File Download (splunk_escu)
O365 Exfiltration via File Sync Download (splunk_escu)