EXPLORE
Sign In
← Back to Explore
T1567.002

Exfiltration to Cloud Storage

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet. Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

ESXiLinuxmacOSWindows
27
Detections
3
Sources
24
Threat Actors

BY SOURCE

12sigma11elastic4splunk_escu

PROCEDURES (21)

Dns6 detections

Auto-extracted: 6 detections for dns

Unusual2 detections

Auto-extracted: 2 detections for unusual

Credential1 detections

Auto-extracted: 1 detections for credential

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Aws1 detections

Auto-extracted: 1 detections for aws

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Credential1 detections

Auto-extracted: 1 detections for credential

C21 detections

Auto-extracted: 1 detections for c2

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Download1 detections

Auto-extracted: 1 detections for download

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Remote1 detections

Auto-extracted: 1 detections for remote

Remote1 detections

Auto-extracted: 1 detections for remote

Credential1 detections

Auto-extracted: 1 detections for credential

Cloud1 detections

Auto-extracted: 1 detections for cloud

File Monitoring1 detections

Auto-extracted: 1 detections for file monitoring

Command And Control1 detections

Auto-extracted: 1 detections for command and control

Download1 detections

Auto-extracted: 1 detections for download

Api1 detections

Auto-extracted: 1 detections for api

Unusual1 detections

Auto-extracted: 1 detections for unusual

THREAT ACTORS (24)

AkiraChimeraCinnamon TempestConfuciusContagious InterviewEarth LuscaEmber BearFIN7HAFNIUMHEXANEIndrik SpiderKimsukyLeviathanLuminousMothMedusa GroupMustang PandaPOLONIUMScattered SpiderStorm-0501Threat Group-3390ToddyCatTurlaWizard SpiderZIRCONIUM

DETECTIONS (27)

AWS API Activity from Uncommon S3 Client by Rare User
elasticlow
AWS DynamoDB Table Exported to S3
elasticlow
AWS EC2 Export Task
elasticmedium
AWS RDS Snapshot Export
elasticlow
AWS S3 Bucket Replicated to Another Account
elasticmedium
Azure Storage Blob Retrieval via AzCopy
elasticmedium
Cisco NVM - Rclone Execution With Network Activity
splunk_escu
Cisco Secure Firewall - Connection to File Sharing Domain
splunk_escu
Cisco Secure Firewall - Potential Data Exfiltration
splunk_escu
Connection to Commonly Abused Web Services
elasticlow
DNS Query for Anonfiles.com Domain - DNS Client
sigmahigh
DNS Query for Anonfiles.com Domain - Sysmon
sigmahigh
DNS Query To MEGA Hosting Website
sigmamedium
DNS Query To MEGA Hosting Website - DNS Client
sigmamedium
DNS Query To Ufile.io
sigmalow
DNS Query To Ufile.io - DNS Client
sigmalow
Gsuite Drive Share In External Email
splunk_escu
Network Connection Initiated To Mega.nz
sigmalow
Potential Data Exfiltration via Rclone
elasticmedium
Potential PowerShell HackTool Script by Function Names
elasticmedium
PUA - Rclone Execution
sigmahigh
PUA - Restic Backup Tool Execution
sigmahigh
Rclone Activity via Proxy
sigmamedium
Rclone Config File Creation
sigmamedium
Suspicious AWS S3 Connection via Script Interpreter
elasticmedium
Suspicious Dropbox API Usage
sigmahigh
Unusual Network Connection to Suspicious Web Service
elasticmedium