T1530

Data from Cloud Storage

Adversaries access data from cloud storage services including IaaS object stores (Amazon S3, Azure Blob Storage, Google Cloud Storage) and SaaS platform storage (OneDrive, SharePoint, Google Drive, Dropbox). Attack vectors include exploiting misconfigured public bucket access, using compromised credentials or SAS tokens, abusing overly permissive IAM roles, and automated tools such as Rclone, Pacu, and AADInternals for bulk extraction. Threat actors observed using this technique include Fox Kitten, APT42, HAFNIUM, Scattered Spider, and Storm-0501 — the latter specifically modifying Azure Storage account configurations to expose non-remotely accessible accounts for data exfiltration. Misconfigurations enabling anonymous or overly broad access have led to exposure of PII, medical records, and financial data at scale.

Microsoft Sentinel / Defender

kusto

let MassDownloadThreshold = 50;
let BulkTimeWindow = 30m;
// Pattern 1: OneDrive/SharePoint mass file downloads (AADInternals, Scattered Spider pattern)
let OneDriveAlert = OfficeActivity
| where TimeGenerated > ago(24h)
| where OfficeWorkload in ("OneDrive", "SharePoint")
| where Operation in ("FileDownloaded", "FileSyncDownloadedFull", "FileAccessed", "FileCopied")
| summarize
    FileCount = count(),
    UniqueFiles = dcount(SourceFileName),
    SiteUrls = make_set(SiteUrl, 5),
    Operations = make_set(Operation),
    UserAgentSample = take_any(UserAgent)
    by UserId, ClientIP, bin(TimeGenerated, BulkTimeWindow)
| where FileCount > MassDownloadThreshold
| extend
    AlertType = "OneDrive_MassDownload",
    Platform = "Microsoft365",
    Severity = iff(FileCount > 300, "High", "Medium"),
    Details = strcat(tostring(FileCount), " files from ", tostring(array_length(SiteUrls)), " site(s)")
| project TimeGenerated, UserId, ClientIP, AlertType, Platform, Severity,
          FileCount, UniqueFiles, Details, UserAgentSample;
// Pattern 2: Azure Blob Storage anonymous access or bulk download
let BlobAlert = StorageBlobLogs
| where TimeGenerated > ago(24h)
| where OperationName in ("GetBlob", "ListBlobs", "ListBlobsHierarchySegment",
                          "GetBlobProperties", "GetContainerProperties")
| where StatusCode == 200
| extend IsAnonymous = toint(AuthenticationType =~ "Anonymous")
| summarize
    RequestCount = count(),
    TotalBytes = sum(tolong(ResponseBodySize)),
    UniqueObjects = dcount(Uri),
    AnonRequests = sum(IsAnonymous),
    OperationTypes = make_set(OperationName)
    by AccountName, CallerIpAddress, AuthenticationType, bin(TimeGenerated, BulkTimeWindow)
| where RequestCount > MassDownloadThreshold or AnonRequests > 0
| extend
    AlertType = iff(AnonRequests > 0, "AzureBlob_AnonymousAccess", "AzureBlob_BulkDownload"),
    Platform = "AzureStorage",
    Severity = iff(AnonRequests > 0 or TotalBytes > 1073741824, "High", "Medium"),
    Details = strcat(tostring(RequestCount), " requests, ", tostring(TotalBytes / 1048576), " MB transferred")
| project TimeGenerated, UserId=AccountName, ClientIP=CallerIpAddress,
          AlertType, Platform, Severity, FileCount=RequestCount,
          UniqueFiles=UniqueObjects, Details, UserAgentSample=AuthenticationType;
// Pattern 3: Azure Storage key listing or permission change (Storm-0501 exfil staging)
let StorageConfigAlert = AzureActivity
| where TimeGenerated > ago(24h)
| where ResourceProviderValue =~ "MICROSOFT.STORAGE"
| where OperationNameValue in (
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/WRITE",
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION"
    )
| where ActivityStatusValue =~ "Success"
| extend
    AlertType = "AzureStorage_SuspiciousConfigChange",
    Platform = "Azure",
    Severity = "High",
    Details = OperationNameValue
| project TimeGenerated, UserId=Caller, ClientIP=CallerIpAddress,
          AlertType, Platform, Severity, FileCount=int(null),
          UniqueFiles=int(null), Details, UserAgentSample="AzureRM";
// Union all patterns
union kind=outer OneDriveAlert, BlobAlert, StorageConfigAlert
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Cloud Storage: Cloud Storage Access Application Log: Application Log Content Microsoft 365 Unified Audit Logs Azure Storage Diagnostic Logs Azure Activity Logs

Required Tables

OfficeActivity StorageBlobLogs AzureActivity

False Positives

Backup and migration tools (ShareGate, AvePoint, Metalogix) performing scheduled bulk downloads of SharePoint or OneDrive content during off-hours maintenance windows
Microsoft Purview eDiscovery operations and DLP scanning agents accessing large volumes of OneDrive files for compliance indexing or legal hold processing
Azure Blob containers legitimately configured for anonymous public access as static website hosting origins or CDN source buckets — anonymous access is expected and intended
Infrastructure-as-code pipelines (Terraform, Bicep, ARM templates) performing storage account writes and key listing operations during normal cloud provisioning and rotation workflows
Developers and DevOps engineers performing bulk blob downloads from development or staging storage accounts using Azure CLI, Azure Storage Explorer, or SDK tooling

Splunk

spl

((index=aws sourcetype=aws:cloudtrail eventSource="s3.amazonaws.com"
  (eventName="GetObject" OR eventName="ListBucket" OR eventName="ListObjects"
   OR eventName="ListObjectsV2" OR eventName="GetBucketAcl" OR eventName="GetBucketPolicy"
   OR eventName="GetBucketPublicAccessBlock"))
OR
 (index=o365 sourcetype=o365:management:activity
  (Workload="OneDrive" OR Workload="SharePoint")
  (Operation="FileDownloaded" OR Operation="FileSyncDownloadedFull"
   OR Operation="FileAccessed" OR Operation="FileCopied")))
| eval Platform=case(
    sourcetype="aws:cloudtrail", "AWS_S3",
    sourcetype="o365:management:activity", "Microsoft365",
    true(), "Unknown")
| eval BucketOrSite=coalesce('requestParameters.bucketName', SiteUrl, "unknown")
| eval ObjectKey=coalesce('requestParameters.key', SourceFileName, "unknown")
| eval ActorIdentity=coalesce('userIdentity.arn', 'userIdentity.userName', UserId, "unknown")
| eval SourceIP=coalesce(sourceIPAddress, ClientIP, "unknown")
| eval IsAnonymous=case(
    'userIdentity.type'="Anonymous", 1,
    'userIdentity.principalId'="anonymous", 1,
    true(), 0)
| eval IsListOp=if(eventName IN ("ListBucket","ListObjects","ListObjectsV2",
    "GetBucketAcl","GetBucketPolicy","GetBucketPublicAccessBlock"), 1, 0)
| eval IsGetOp=if(eventName="GetObject" OR Operation IN
    ("FileDownloaded","FileSyncDownloadedFull"), 1, 0)
| eval ToolSignature=if(match(coalesce(userAgent,""),
    "(?i)(rclone|pacu|boto3|aadInternals|aws-cli\/|python-requests|curl)"), 1, 0)
| bin _time span=30m
| stats
    count as TotalRequests,
    sum(IsGetOp) as DownloadCount,
    sum(IsListOp) as EnumCount,
    max(IsAnonymous) as HasAnonymousAccess,
    max(ToolSignature) as KnownToolDetected,
    dc(ObjectKey) as UniqueObjects,
    values(BucketOrSite) as TargetResources,
    first(ActorIdentity) as Actor,
    first(userAgent) as UserAgentSample
    by _time, SourceIP, Platform
| where DownloadCount > 50 OR HasAnonymousAccess=1 OR EnumCount > 20
| eval SuspicionScore=
    if(HasAnonymousAccess=1, 3, 0) +
    if(DownloadCount > 500, 3, if(DownloadCount > 100, 2, if(DownloadCount > 50, 1, 0))) +
    if(EnumCount > 20, 1, 0) +
    if(KnownToolDetected=1, 2, 0)
| eval Severity=case(
    HasAnonymousAccess=1 OR SuspicionScore >= 5, "High",
    SuspicionScore >= 3, "Medium",
    true(), "Low")
| where SuspicionScore > 0
| table _time, Platform, Actor, SourceIP, TargetResources, DownloadCount,
        EnumCount, UniqueObjects, HasAnonymousAccess, UserAgentSample,
        SuspicionScore, Severity
| sort - _time

high severity medium confidence

Data Sources

Cloud Storage: Cloud Storage Access AWS CloudTrail S3 Data Events Microsoft 365 Unified Audit Logs Application Log: Application Log Content

Required Sourcetypes

aws:cloudtrail o365:management:activity

False Positives

Automated backup systems (AWS Backup, Veeam for AWS) performing scheduled S3 object downloads will trigger bulk download thresholds — these typically run from known backup service account ARNs
Data warehouse ETL pipelines and analytics platforms (Glue, EMR, Databricks) performing high-volume S3 reads as part of normal batch processing jobs
Content delivery and replication workflows that legitimately use anonymous access for public S3 buckets hosting static assets, open datasets, or software distribution content
Microsoft 365 eDiscovery and compliance export operations that bulk-access SharePoint or OneDrive content for legal review — typically run from compliance service accounts
Developer tool user agents (boto3, aws-cli) used legitimately by engineers accessing their own team's storage resources during normal development workflows

Elastic Security (EQL)

eql

any where (
  (
    event.dataset == "aws.cloudtrail" and
    aws.cloudtrail.event_source == "s3.amazonaws.com" and
    event.action in ("GetObject", "ListBucket", "ListObjects", "ListObjectsV2",
                     "GetBucketAcl", "GetBucketPolicy", "GetBucketPublicAccessBlock") and
    not aws.cloudtrail.error_code : ("AccessDenied", "NoSuchKey", "NoSuchBucket") and
    (
      aws.cloudtrail.user_identity.type in ("AnonUser", "Anonymous") or
      user_agent.original : ("rclone/*", "*pacu*", "aws-cli/*", "*aadInternals*",
                              "Boto3/*", "python-requests/*", "*s3browser*", "*CloudBerry*")
    )
  ) or
  (
    event.dataset == "o365.audit" and
    o365.audit.Workload in ("OneDrive", "SharePoint") and
    event.action in ("FileDownloaded", "FileSyncDownloadedFull",
                     "FileAccessed", "FileCopied") and
    user_agent.original : ("rclone/*", "*pacu*", "*aadInternals*",
                            "python-requests/*", "*odrive*", "*MicrosoftSharePointForAndroid*")
  ) or
  (
    event.dataset in ("azure.activitylogs", "azure.auditlogs") and
    azure.activitylogs.resource_provider == "MICROSOFT.STORAGE" and
    azure.activitylogs.operation_name in (
      "Microsoft.Storage/storageAccounts/write",
      "Microsoft.Storage/storageAccounts/blobServices/write",
      "Microsoft.Storage/storageAccounts/listKeys/action",
      "Microsoft.Storage/storageAccounts/regenerateKey/action"
    ) and
    event.outcome == "success"
  )
)
/* VOLUME THRESHOLD VARIANT: Deploy as a separate threshold rule.
   Alert when the below fires 50+ times per (source.ip, user.name) within 30m.
sequence by source.ip, user.name with maxspan=30m
  [any where event.dataset in ("aws.cloudtrail", "o365.audit") and
   event.action in ("GetObject", "FileDownloaded", "FileSyncDownloadedFull",
                    "ListBucket", "ListObjects", "ListObjectsV2") and
   not aws.cloudtrail.error_code : ("AccessDenied", "NoSuchKey")] with runs=50
*/

high severity high confidence

Data Sources

AWS CloudTrail via Elastic AWS integration (logs-aws.cloudtrail-*) Microsoft Office 365 Audit Logs via Elastic O365 integration (logs-o365.audit-*) Azure Activity Logs via Elastic Azure integration (logs-azure.activitylogs-*)

Required Tables

logs-aws.cloudtrail-* logs-o365.audit-* logs-azure.activitylogs-*

False Positives

Automated backup and disaster recovery jobs using rclone or aws-cli with dedicated service accounts performing scheduled S3 data replication between regions or accounts
DevOps CI/CD pipelines that perform bulk S3 artifact fetches during deployment from ephemeral build agents sharing a single NAT egress IP address
IT administrators legitimately rotating Azure Storage account keys as part of scheduled credential rotation procedures or compliance-driven key management
Legitimate data migration projects where large OneDrive or SharePoint libraries are synced offline by IT staff using Microsoft-provided tools that are misidentified as known attack tool signatures

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT((starttime / 1800000) * 1800000, 'YYYY-MM-dd HH:mm:ss') AS time_bucket,
  username AS actor,
  sourceip AS source_ip,
  LOGSOURCETYPENAME(logsourceid) AS platform,
  COUNT(*) AS total_requests,
  SUM(CASE
    WHEN QIDNAME(qid) LIKE '%GetObject%'
      OR QIDNAME(qid) LIKE '%FileDownload%'
      OR QIDNAME(qid) LIKE '%FileSyncDownload%'
    THEN 1 ELSE 0 END) AS download_count,
  SUM(CASE
    WHEN QIDNAME(qid) LIKE '%ListBucket%'
      OR QIDNAME(qid) LIKE '%ListObjects%'
      OR QIDNAME(qid) LIKE '%GetBucketAcl%'
      OR QIDNAME(qid) LIKE '%GetBucketPolicy%'
    THEN 1 ELSE 0 END) AS enum_count,
  SUM(CASE
    WHEN UTF8(payload) ILIKE '%AnonUser%'
      OR UTF8(payload) ILIKE '%"type":"Anonymous%'
      OR UTF8(payload) ILIKE '%principalId":"anonymous%'
    THEN 1 ELSE 0 END) AS anon_count,
  MAX(CASE
    WHEN UTF8(payload) ILIKE '%rclone%'
      OR UTF8(payload) ILIKE '%pacu%'
      OR UTF8(payload) ILIKE '%aadInternals%'
      OR UTF8(payload) ILIKE '%boto3%'
      OR UTF8(payload) ILIKE '%python-requests%'
      OR UTF8(payload) ILIKE '%aws-cli/%'
    THEN 1 ELSE 0 END) AS known_tool_detected,
  MAX(CASE
    WHEN UTF8(payload) ILIKE '%listKeys%'
      OR UTF8(payload) ILIKE '%regenerateKey%'
      OR UTF8(payload) ILIKE '%LISTKEYS/ACTION%'
      OR UTF8(payload) ILIKE '%REGENERATEKEY/ACTION%'
    THEN 1 ELSE 0 END) AS storage_key_access,
  (
    CASE WHEN SUM(CASE WHEN UTF8(payload) ILIKE '%AnonUser%' OR UTF8(payload) ILIKE '%"type":"Anonymous%' THEN 1 ELSE 0 END) > 0 THEN 3 ELSE 0 END +
    CASE WHEN SUM(CASE WHEN QIDNAME(qid) LIKE '%GetObject%' OR QIDNAME(qid) LIKE '%FileDownload%' THEN 1 ELSE 0 END) > 500 THEN 3
         WHEN SUM(CASE WHEN QIDNAME(qid) LIKE '%GetObject%' OR QIDNAME(qid) LIKE '%FileDownload%' THEN 1 ELSE 0 END) > 100 THEN 2
         WHEN SUM(CASE WHEN QIDNAME(qid) LIKE '%GetObject%' OR QIDNAME(qid) LIKE '%FileDownload%' THEN 1 ELSE 0 END) > 50 THEN 1
         ELSE 0 END +
    CASE WHEN SUM(CASE WHEN QIDNAME(qid) LIKE '%ListBucket%' OR QIDNAME(qid) LIKE '%ListObjects%' THEN 1 ELSE 0 END) > 20 THEN 1 ELSE 0 END +
    CASE WHEN MAX(CASE WHEN UTF8(payload) ILIKE '%rclone%' OR UTF8(payload) ILIKE '%pacu%' OR UTF8(payload) ILIKE '%aadInternals%' THEN 1 ELSE 0 END) = 1 THEN 2 ELSE 0 END
  ) AS suspicion_score
FROM events
WHERE (
    LOGSOURCETYPENAME(logsourceid) LIKE '%CloudTrail%'
    OR LOGSOURCETYPENAME(logsourceid) LIKE '%Office 365%'
    OR LOGSOURCETYPENAME(logsourceid) LIKE '%Azure Activity%'
  )
  AND (
    (UTF8(payload) ILIKE '%s3.amazonaws.com%'
     AND (
       QIDNAME(qid) LIKE '%GetObject%' OR QIDNAME(qid) LIKE '%ListBucket%'
       OR QIDNAME(qid) LIKE '%ListObjects%' OR QIDNAME(qid) LIKE '%GetBucketAcl%'
       OR QIDNAME(qid) LIKE '%GetBucketPolicy%' OR QIDNAME(qid) LIKE '%GetBucketPublicAccess%'
     )
    )
    OR (
      LOGSOURCETYPENAME(logsourceid) LIKE '%Office 365%'
      AND (
        QIDNAME(qid) LIKE '%FileDownload%' OR QIDNAME(qid) LIKE '%FileAccess%'
        OR QIDNAME(qid) LIKE '%FileCop%' OR QIDNAME(qid) LIKE '%FileSyncDownload%'
      )
      AND (UTF8(payload) ILIKE '%OneDrive%' OR UTF8(payload) ILIKE '%SharePoint%')
    )
    OR (
      UTF8(payload) ILIKE '%Microsoft.Storage%'
      AND (
        UTF8(payload) ILIKE '%listKeys%' OR UTF8(payload) ILIKE '%regenerateKey%'
        OR UTF8(payload) ILIKE '%storageAccounts/write%'
      )
    )
  )
GROUP BY (starttime / 1800000) * 1800000, username, sourceip
HAVING download_count > 50
    OR anon_count > 0
    OR known_tool_detected = 1
    OR enum_count > 20
    OR storage_key_access = 1
ORDER BY suspicion_score DESC, time_bucket DESC
LAST 86400 SECONDS

high severity medium confidence

Data Sources

Amazon AWS CloudTrail log source (DSM: Amazon AWS CloudTrail) Microsoft Office 365 log source (DSM: Microsoft Office 365) Microsoft Azure Activity Logs log source (DSM: Microsoft Azure)

Required Tables

events

False Positives

Bulk S3 downloads by automated ETL pipelines using boto3 or aws-cli service accounts during scheduled data warehouse refresh jobs creating high download_count values
SharePoint library offline sync by legitimate users downloading entire team site document libraries triggering the 50-file threshold
Routine Azure Storage access key rotation by platform operations team during change management windows generating storage_key_access hits

Sumo Logic CSE

sql

(_sourceCategory=*cloudtrail* OR _sourceCategory=*o365* OR _sourceCategory=*azure*storage* OR _sourceCategory=*azure*activity*)
| json auto maxdepth 5 nodrop
| where (
    (eventSource="s3.amazonaws.com"
     AND eventName in ("GetObject","ListBucket","ListObjects","ListObjectsV2",
                       "GetBucketAcl","GetBucketPolicy","GetBucketPublicAccessBlock"))
    OR (Workload in ("OneDrive","SharePoint")
        AND Operation in ("FileDownloaded","FileSyncDownloadedFull",
                          "FileAccessed","FileCopied"))
    OR (resourceProvider="MICROSOFT.STORAGE"
        AND operationName in ("Microsoft.Storage/storageAccounts/write",
                              "Microsoft.Storage/storageAccounts/blobServices/write",
                              "Microsoft.Storage/storageAccounts/listKeys/action",
                              "Microsoft.Storage/storageAccounts/regenerateKey/action"))
  )
| eval platform = if(eventSource="s3.amazonaws.com", "AWS_S3",
                  if(!isNull(Workload), "Microsoft365",
                  if(!isNull(resourceProvider), "AzureStorage", "Unknown")))
| eval actor = if(!isNull(userIdentity.arn), userIdentity.arn,
              if(!isNull(userIdentity.userName), userIdentity.userName,
              if(!isNull(UserId), UserId,
              if(!isNull(caller), caller, "unknown"))))
| eval source_ip = if(!isNull(sourceIPAddress), sourceIPAddress,
                   if(!isNull(ClientIP), ClientIP,
                   if(!isNull(callerIpAddress), callerIpAddress, "unknown")))
| eval target_resource = if(!isNull(requestParameters.bucketName), requestParameters.bucketName,
                          if(!isNull(SiteUrl), SiteUrl,
                          if(!isNull(resourceId), resourceId, "unknown")))
| eval object_key = if(!isNull(requestParameters.key), requestParameters.key,
                    if(!isNull(SourceFileName), SourceFileName, "unknown"))
| eval user_agent_val = if(!isNull(userAgent), userAgent,
                         if(!isNull(UserAgent), UserAgent, ""))
| eval is_anonymous = if(userIdentity.type="AnonUser"
                        OR userIdentity.principalId="anonymous"
                        OR actor="anonymous", 1, 0)
| eval is_download = if(eventName="GetObject"
                       OR Operation in ("FileDownloaded","FileSyncDownloadedFull"), 1, 0)
| eval is_enum = if(eventName in ("ListBucket","ListObjects","ListObjectsV2",
                                  "GetBucketAcl","GetBucketPolicy",
                                  "GetBucketPublicAccessBlock"), 1, 0)
| eval is_config_change = if(operationName in
    ("Microsoft.Storage/storageAccounts/listKeys/action",
     "Microsoft.Storage/storageAccounts/regenerateKey/action",
     "Microsoft.Storage/storageAccounts/write"), 1, 0)
| eval tool_match = if(matches(user_agent_val,
    "(?i)(rclone|pacu|aadInternals|aws-cli\/|python-requests|boto3\/|s3browser|CloudBerry)"),
    1, 0)
| timeslice 30m
| stats
    count as total_requests,
    sum(is_download) as download_count,
    sum(is_enum) as enum_count,
    max(is_anonymous) as has_anonymous_access,
    max(tool_match) as known_tool_detected,
    max(is_config_change) as storage_config_change,
    dc(object_key) as unique_objects,
    values(target_resource) as target_resources,
    first(actor) as actor,
    first(user_agent_val) as user_agent_sample
    by _timeslice, source_ip, platform
| where download_count > 50
    OR has_anonymous_access = 1
    OR known_tool_detected = 1
    OR enum_count > 20
    OR storage_config_change = 1
| eval suspicion_score =
    (if(has_anonymous_access=1, 3, 0))
    + (if(download_count > 500, 3, if(download_count > 100, 2, if(download_count > 50, 1, 0))))
    + (if(enum_count > 20, 1, 0))
    + (if(known_tool_detected=1, 2, 0))
    + (if(storage_config_change=1, 2, 0))
| eval severity = if(has_anonymous_access=1 OR suspicion_score >= 5, "High",
                  if(suspicion_score >= 3, "Medium", "Low"))
| where suspicion_score > 0
| fields _timeslice, platform, actor, source_ip, target_resources,
         download_count, enum_count, unique_objects, has_anonymous_access,
         known_tool_detected, storage_config_change, user_agent_sample,
         suspicion_score, severity
| sort - _timeslice

high severity high confidence

Data Sources

AWS CloudTrail (Sumo Logic AWS source: _sourceCategory=*cloudtrail*) Microsoft Office 365 Management Activity (Sumo Logic O365 source: _sourceCategory=*o365*) Azure Activity Logs (Sumo Logic Azure source: _sourceCategory=*azure*activity*)

Required Tables

Sumo Logic index (no explicit table; filter by _sourceCategory)

False Positives

Enterprise data migration projects performing authorized bulk S3 sync using rclone or aws-cli service accounts will match the known_tool_detected condition and high download_count threshold
SharePoint Online throttling-retry patterns where a client retries file downloads due to transient errors can inflate download_count beyond the 50-file threshold for a single file session
Azure Storage key rotation automation scripts run by platform engineering during monthly credential rotation will trigger storage_config_change hits across multiple storage accounts simultaneously

Google Chronicle / SecOps

yaral

rule t1530_data_from_cloud_storage {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects bulk data exfiltration from cloud storage services including AWS S3, Azure Blob Storage, and Microsoft 365 OneDrive/SharePoint. Covers anonymous access, known exfiltration tools (rclone, pacu, aadInternals), mass downloads exceeding threshold, and Azure Storage key listing or config changes used by Storm-0501 for exfil staging."
    mitre_attack_technique = "T1530"
    mitre_attack_tactic = "Collection"
    severity = "HIGH"
    confidence = "HIGH"
    platforms = "AWS, Azure, GCP, Microsoft365"
    reference = "https://attack.mitre.org/techniques/T1530/"

  events:
    (
      (
        $e.metadata.log_type = "AWS_CLOUDTRAIL"
        and $e.target.resource.resource_type = "STORAGE_OBJECT"
        and $e.metadata.product_event_type in (
          "GetObject", "ListBucket", "ListObjects", "ListObjectsV2",
          "GetBucketAcl", "GetBucketPolicy", "GetBucketPublicAccessBlock"
        )
        and not $e.security_result.action = "BLOCK"
      )
      or
      (
        $e.metadata.log_type = "OFFICE_365"
        and $e.target.resource.attribute.cloud.availability_zone in (
          "OneDrive", "SharePoint"
        )
        and $e.metadata.product_event_type in (
          "FileDownloaded", "FileSyncDownloadedFull",
          "FileAccessed", "FileCopied"
        )
      )
      or
      (
        $e.metadata.log_type = "AZURE_ACTIVITY"
        and $e.metadata.product_event_type in (
          "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
          "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/WRITE",
          "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
          "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION"
        )
        and $e.security_result.action = "ALLOW"
      )
    )
    $e.principal.ip != ""
    $e.principal.ip = $src_ip
    $e.principal.user.userid = $user

  match:
    $src_ip, $user over 30m

  outcome:
    $event_count = count($e.metadata.id)
    $unique_objects = count_distinct($e.target.resource.product_object_id)
    $anon_count = sum(
      if($e.principal.user.userid = "Anonymous"
        or $e.principal.user.userid = "AnonUser"
        or re.regex($e.principal.user.userid, `(?i)^anon`),
        1, 0)
    )
    $tool_detected = max(
      if(re.regex($e.network.http.user_agent,
        `(?i)(rclone\/|pacu|aadInternals|aws-cli\/|boto3\/|python-requests\/|s3browser|CloudBerry)`),
        1, 0)
    )
    $storage_config_change = max(
      if($e.metadata.product_event_type in (
        "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
        "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION"
      ), 1, 0)
    )
    $suspicion_score =
      if($anon_count > 0, 3, 0)
      + if($event_count > 500, 3, if($event_count > 100, 2, if($event_count > 50, 1, 0)))
      + if($unique_objects > 20, 1, 0)
      + if($tool_detected > 0, 2, 0)
      + if($storage_config_change > 0, 2, 0)

  condition:
    $event_count > 50
    or $anon_count > 0
    or $tool_detected > 0
    or $storage_config_change > 0
}

high severity high confidence

Data Sources

AWS CloudTrail (Chronicle log_type: AWS_CLOUDTRAIL) Microsoft Office 365 Audit (Chronicle log_type: OFFICE_365) Azure Activity Logs (Chronicle log_type: AZURE_ACTIVITY)

Required Tables

UDM events table (Chronicle SIEM unified data model)

False Positives

Legitimate cloud data sync services using tools that match the user-agent regex (e.g., corporate rclone deployments for authorized cross-account S3 replication) will fire tool_detected for every sync window
Azure DevOps release pipelines that call ListKeys as part of dynamic secret retrieval during deployment will trigger the storage_config_change condition on each pipeline run
High-volume SharePoint collaboration portals where multiple users in the same office (shared NAT IP) each download >10 files within 30 minutes, causing the aggregated $event_count to exceed 50 for the shared source IP

CrowdStrike LogScale (CQL)

cql

// Pattern 1: Cloud storage exfiltration tool process execution (endpoint visibility)
// Detects rclone, aws-cli, azcopy, gsutil, pacu executing with cloud storage arguments
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\rclone\.exe|\\aws\.exe|\\azcopy\.exe|\\gsutil\.exe|\\s3cmd\.py|\\pacu\.py|\\msodiagtool\.exe)/
  OR CommandLine = /(?i)(rclone\s+(copy|sync|move|ls|lsd)\s|aws\s+s3(api)?\s+(cp|sync|ls|rb|mb|get-object|list-objects|get-bucket-acl|get-bucket-policy)|azcopy\s+copy\s|gsutil\s+(cp|rsync|ls|du)\s+gs:\/\/|Invoke-AADIntReconAsOutsider|Get-AADIntTenantDomains|Export-AADIntUsers)/
| groupBy(
    [ComputerName, UserName, UserSid, ImageFileName],
    function=[
      count(aid, as=ExecutionCount),
      collect(CommandLine, limit=10, separator=" || "),
      collect(ParentBaseFileName, limit=3, separator="|"),
      collect(SHA256HashData, limit=3, separator="|"),
      min(ContextTimeStamp, as=FirstSeen),
      max(ContextTimeStamp, as=LastSeen)
    ]
  )
| eval CloudTarget = case(
    collect(CommandLine) = /s3:\/\/|s3\.amazonaws\.com/, "AWS_S3",
    collect(CommandLine) = /blob\.core\.windows\.net|dfs\.core\.windows\.net|azcopy/, "Azure_Blob",
    collect(CommandLine) = /gs:\/\/|storage\.googleapis\.com/, "GCP_Storage",
    collect(CommandLine) = /AADInt|onedrive|sharepoint/, "Microsoft365",
    true(), "Cloud_Storage_Generic"
  )
| eval RiskScore =
    (case(
      collect(CommandLine) = /(?i)(rclone|pacu|aadInternals|AADInt)/, 3,
      collect(CommandLine) = /(?i)(aws\s+s3|azcopy|gsutil)/, 2,
      true(), 1
    ))
    + if(ExecutionCount > 10, 2, if(ExecutionCount > 3, 1, 0))
| eval Severity = if(RiskScore >= 4, "High", if(RiskScore >= 2, "Medium", "Low"))
| sort(RiskScore, order=desc)
| select(
    [ComputerName, UserName, UserSid, ImageFileName, CloudTarget,
     ExecutionCount, collect(CommandLine), collect(ParentBaseFileName),
     collect(SHA256HashData), FirstSeen, LastSeen, RiskScore, Severity]
  )

// Pattern 2: High-volume DNS lookups to cloud storage endpoints indicating active exfiltration
// Run as separate saved search; correlate with Pattern 1 results by ComputerName
/*
#event_simpleName=DnsRequest
| DomainName = /(?i)(s3\.amazonaws\.com|s3-[a-z0-9-]+\.amazonaws\.com|\.s3\.us-[a-z0-9-]+\.amazonaws\.com|blob\.core\.windows\.net|\.dfs\.core\.windows\.net|storage\.googleapis\.com|sharepoint\.com|onedrive\.live\.com|1drv\.ms)/
| groupBy(
    [ComputerName, UserName, DomainName],
    function=[
      count(aid, as=QueryCount),
      min(ContextTimeStamp, as=FirstQuery),
      max(ContextTimeStamp, as=LastQuery)
    ]
  )
| where QueryCount > 100
| eval StoragePlatform = case(
    DomainName = /amazonaws\.com/, "AWS_S3",
    DomainName = /core\.windows\.net/, "Azure_Blob",
    DomainName = /googleapis\.com/, "GCP_Storage",
    DomainName = /sharepoint\.com|onedrive|1drv/, "Microsoft365",
    true(), "Unknown"
  )
| sort(QueryCount, order=desc)
*/

high severity medium confidence

Data Sources

CrowdStrike Falcon ProcessRollup2 events (endpoint process execution telemetry) CrowdStrike Falcon DnsRequest events (endpoint DNS resolution telemetry) CrowdStrike Falcon Horizon / CSPM (for cloud-native storage API event visibility, separate stream)

Required Tables

Falcon telemetry event stream (#event_simpleName=ProcessRollup2) Falcon telemetry event stream (#event_simpleName=DnsRequest)

False Positives

Authorized cloud infrastructure management tools (azcopy, aws-cli, gsutil) installed on developer workstations or jump hosts that are used regularly for legitimate cloud resource management will generate continuous high-frequency matches
Cloud backup agents (e.g., Veeam, Commvault, Rubrik) that invoke native cloud CLI tools as subprocesses during scheduled backup jobs will match both the binary name and argument patterns
Security tooling or cloud security posture management (CSPM) agents that enumerate S3 bucket ACLs or Azure storage configurations as part of continuous compliance scanning will trigger enumeration-related command-line patterns

Last updated: 2026-04-21 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1530 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Data from Cloud Storage

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Collection

Popular Detections