EXPLORE
Sign In
← Back to Explore
T1537

Transfer Data to Cloud Account

Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the i...

IaaSOffice SuiteSaaS
26
Detections
3
Sources
3
Threat Actors

BY SOURCE

13elastic7splunk_escu6sigma

PROCEDURES (18)

Persist2 detections

Auto-extracted: 2 detections for persist

Cloud Monitoring2 detections

Auto-extracted: 2 detections for cloud monitoring

Cloud2 detections

Auto-extracted: 2 detections for cloud

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

C22 detections

Auto-extracted: 2 detections for c2

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Cloud2 detections

Auto-extracted: 2 detections for cloud

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Aws2 detections

Auto-extracted: 2 detections for aws

Tamper1 detections

Auto-extracted: 1 detections for tamper

Api1 detections

Auto-extracted: 1 detections for api

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

C21 detections

Auto-extracted: 1 detections for c2

Service1 detections

Auto-extracted: 1 detections for service

Credential1 detections

Auto-extracted: 1 detections for credential

Credential1 detections

Auto-extracted: 1 detections for credential

THREAT ACTORS (3)

INC RansomRedCurlStorm-0501

DETECTIONS (26)

ASL AWS EC2 Snapshot Shared Externally
splunk_escu
AWS AMI Attribute Modification for Exfiltration
splunk_escu
AWS EC2 AMI Shared with Another Account
elasticmedium
AWS EC2 EBS Snapshot Shared or Made Public
elasticmedium
AWS EC2 Export Task
elasticmedium
AWS EC2 Full Network Packet Capture Detected
elasticmedium
AWS EC2 Snapshot Shared Externally
splunk_escu
AWS EC2 VM Export Failure
sigmalow
AWS Exfiltration via Bucket Replication
splunk_escu
AWS Exfiltration via EC2 Snapshot
splunk_escu
AWS RDS DB Snapshot Shared with Another Account
elasticmedium
AWS S3 Bucket Policy Added to Allow Public Access
elasticmedium
AWS S3 Bucket Policy Added to Share with External Account
elasticmedium
AWS S3 Bucket Replicated to Another Account
elasticmedium
AWS S3 Data Management Tampering
sigmalow
AWS S3 Exfiltration Behavior Identified
splunk_escu
AWS Snapshot Backup Exfiltration
sigmamedium
Azure Blob Storage Container Access Level Modified
elasticlow
Data Exfiltration to Unsanctioned Apps
sigmamedium
GCP Logging Sink Modification
elasticlow
Github Fork Private Repositories Setting Enabled/Cleared
sigmamedium
Github Repository/Organization Transferred
sigmamedium
Google Workspace Drive Data Transfer or Takeout Export Initiated
elasticmedium
High Frequency Copy Of Files In Network Share
splunk_escu
M365 Exchange Mail Flow Transport Rule Created
elasticmedium
M365 Exchange Mail Flow Transport Rule Modified
elasticmedium