T1530 Google Chronicle · YARA-L

Detect Data from Cloud Storage in Google Chronicle

Adversaries access data from cloud storage services including IaaS object stores (Amazon S3, Azure Blob Storage, Google Cloud Storage) and SaaS platform storage (OneDrive, SharePoint, Google Drive, Dropbox). Attack vectors include exploiting misconfigured public bucket access, using compromised credentials or SAS tokens, abusing overly permissive IAM roles, and automated tools such as Rclone, Pacu, and AADInternals for bulk extraction. Threat actors observed using this technique include Fox Kitten, APT42, HAFNIUM, Scattered Spider, and Storm-0501 — the latter specifically modifying Azure Storage account configurations to expose non-remotely accessible accounts for data exfiltration. Misconfigurations enabling anonymous or overly broad access have led to exposure of PII, medical records, and financial data at scale.

MITRE ATT&CK

Tactic: Collection
Technique: T1530 Data from Cloud Storage
Canonical reference: https://attack.mitre.org/techniques/T1530/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1530_data_from_cloud_storage {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects bulk data exfiltration from cloud storage services including AWS S3, Azure Blob Storage, and Microsoft 365 OneDrive/SharePoint. Covers anonymous access, known exfiltration tools (rclone, pacu, aadInternals), mass downloads exceeding threshold, and Azure Storage key listing or config changes used by Storm-0501 for exfil staging."
    mitre_attack_technique = "T1530"
    mitre_attack_tactic = "Collection"
    severity = "HIGH"
    confidence = "HIGH"
    platforms = "AWS, Azure, GCP, Microsoft365"
    reference = "https://attack.mitre.org/techniques/T1530/"

  events:
    (
      (
        $e.metadata.log_type = "AWS_CLOUDTRAIL"
        and $e.target.resource.resource_type = "STORAGE_OBJECT"
        and $e.metadata.product_event_type in (
          "GetObject", "ListBucket", "ListObjects", "ListObjectsV2",
          "GetBucketAcl", "GetBucketPolicy", "GetBucketPublicAccessBlock"
        )
        and not $e.security_result.action = "BLOCK"
      )
      or
      (
        $e.metadata.log_type = "OFFICE_365"
        and $e.target.resource.attribute.cloud.availability_zone in (
          "OneDrive", "SharePoint"
        )
        and $e.metadata.product_event_type in (
          "FileDownloaded", "FileSyncDownloadedFull",
          "FileAccessed", "FileCopied"
        )
      )
      or
      (
        $e.metadata.log_type = "AZURE_ACTIVITY"
        and $e.metadata.product_event_type in (
          "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
          "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/WRITE",
          "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
          "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION"
        )
        and $e.security_result.action = "ALLOW"
      )
    )
    $e.principal.ip != ""
    $e.principal.ip = $src_ip
    $e.principal.user.userid = $user

  match:
    $src_ip, $user over 30m

  outcome:
    $event_count = count($e.metadata.id)
    $unique_objects = count_distinct($e.target.resource.product_object_id)
    $anon_count = sum(
      if($e.principal.user.userid = "Anonymous"
        or $e.principal.user.userid = "AnonUser"
        or re.regex($e.principal.user.userid, `(?i)^anon`),
        1, 0)
    )
    $tool_detected = max(
      if(re.regex($e.network.http.user_agent,
        `(?i)(rclone\/|pacu|aadInternals|aws-cli\/|boto3\/|python-requests\/|s3browser|CloudBerry)`),
        1, 0)
    )
    $storage_config_change = max(
      if($e.metadata.product_event_type in (
        "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
        "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION"
      ), 1, 0)
    )
    $suspicion_score =
      if($anon_count > 0, 3, 0)
      + if($event_count > 500, 3, if($event_count > 100, 2, if($event_count > 50, 1, 0)))
      + if($unique_objects > 20, 1, 0)
      + if($tool_detected > 0, 2, 0)
      + if($storage_config_change > 0, 2, 0)

  condition:
    // YARA-L 2.0 requires the event variable in the condition of a rule with a match section;
    // the outcome variables then gate the alert.
    $e and (
      $event_count > 50
      or $anon_count > 0
      or $tool_detected > 0
      or $storage_config_change > 0
    )
}

Chronicle YARA-L 2.0 detection rule for T1530 covering three cloud storage exfiltration patterns: (1) AWS S3 object access and bucket enumeration via CloudTrail UDM events; (2) OneDrive/SharePoint bulk downloads via Office 365 audit UDM events; (3) Azure Storage account key listing or configuration changes matching Storm-0501 exfil staging behavior. The rule aggregates over 30-minute windows per source IP and user, computing a suspicion score. The condition fires on any of: >50 events in window, anonymous principal, known exfiltration tool UA, or storage config change operations.
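As an added example (not Chronicle's or Argus's code), the following Python re-implements the rule's outcome and condition logic over constructed UDM-style events so the thresholds and scoring can be checked offline before the rule is deployed; it assumes the events-section log-type filters have already been applied and simplifies the 30-minute match window to fixed buckets.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same patterns and thresholds as the rule's outcome section.
TOOL_UA = re.compile(r"(?i)(rclone/|pacu|aadInternals|aws-cli/|boto3/|python-requests/|s3browser|CloudBerry)")
ANON_RE = re.compile(r"(?i)^anon")
KEY_OPS = {"MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
           "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION"}
WINDOW_SEC = 30 * 60

def score_window(events):
    """Compute the outcome variables and the condition for one (src_ip, user) window."""
    event_count = len(events)
    unique_objects = len({e["object_id"] for e in events})
    anon_count = sum(1 for e in events
                     if e["user"] in ("Anonymous", "AnonUser") or ANON_RE.search(e["user"]))
    tool_detected = int(any(TOOL_UA.search(e["user_agent"]) for e in events))
    config_change = int(any(e["event_type"] in KEY_OPS for e in events))
    score = ((3 if anon_count > 0 else 0)
             + (3 if event_count > 500 else 2 if event_count > 100 else 1 if event_count > 50 else 0)
             + (1 if unique_objects > 20 else 0)
             + (2 if tool_detected else 0)
             + (2 if config_change else 0))
    fired = event_count > 50 or anon_count > 0 or tool_detected == 1 or config_change == 1
    return {"event_count": event_count, "unique_objects": unique_objects,
            "anon_count": anon_count, "tool_detected": tool_detected,
            "storage_config_change": config_change, "suspicion_score": score, "fired": fired}

def evaluate(events):
    """Group by (src_ip, user) and fixed 30-minute buckets (a simplification of the
    Chronicle match window); events with an empty principal.ip are dropped as in the rule."""
    buckets = defaultdict(list)
    for e in events:
        if not e["src_ip"]:
            continue
        slot = int(e["ts"].timestamp()) // WINDOW_SEC
        buckets[(e["src_ip"], e["user"], slot)].append(e)
    return {k: score_window(v) for k, v in buckets.items()}

# Constructed sample telemetry (not real logs): an rclone bulk pull of 30 objects,
# one anonymous bucket listing, and one user's ordinary handful of SharePoint downloads.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
def ev(minute, src_ip, user, event_type, object_id, ua=""):
    return {"ts": T0 + timedelta(minutes=minute), "src_ip": src_ip, "user": user,
            "event_type": event_type, "object_id": object_id, "user_agent": ua}
SAMPLE = ([ev(i % 20, "203.0.113.10", "svc-backup", "GetObject", f"bucket/f{i % 30}", "rclone/v1.65.0")
           for i in range(60)]
          + [ev(5, "198.51.100.7", "Anonymous", "ListBucket", "bucket")]
          + [ev(i, "192.0.2.5", "alice", "FileDownloaded", f"site/doc{i}") for i in range(5)])

def alerts(events):
    """Return {(src_ip, user): outcome} for the windows whose condition fired."""
    return {(ip, user): r for (ip, user, _), r in evaluate(events).items() if r["fired"]}
```

Running `alerts(SAMPLE)` fires for the rclone window (score 4: volume, object spread and tool UA) and the anonymous listing (score 3) but not for the five-download user, which is the behaviour the tuning notes below are about.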

Data Sources

  • AWS CloudTrail (Chronicle log_type: AWS_CLOUDTRAIL)
  • Microsoft Office 365 Audit (Chronicle log_type: OFFICE_365)
  • Azure Activity Logs (Chronicle log_type: AZURE_ACTIVITY)

Required Tables

UDM events table (Chronicle SIEM unified data model)

False Positives & Tuning

  • Legitimate cloud data sync services using tools that match the user-agent regex (e.g., corporate rclone deployments for authorized cross-account S3 replication) will fire tool_detected for every sync window
  • Azure DevOps release pipelines that call ListKeys as part of dynamic secret retrieval during deployment will trigger the storage_config_change condition on each pipeline run
  • High-volume SharePoint collaboration portals where multiple users in the same office (shared NAT IP) each download >10 files within 30 minutes, causing the aggregated $event_count to exceed 50 for the shared source IP
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AWS S3 Anonymous Bucket Enumeration and Download

    Expected signal: AWS CloudTrail will record ListObjects and GetObject events with userIdentity.type=Anonymous and userIdentity.principalId=anonymous. sourceIPAddress will be the tester's public IP. No ARN is present in the identity block. S3 server access logs (if enabled) will show "-" as the requester.

  2. Test 2: AWS S3 Bulk Object Download with Valid Credentials

    Expected signal: CloudTrail records ListObjects (eventName=ListObjectsV2) and multiple GetObject events from the same source IP within a short window. userIdentity.type=IAMUser or AssumedRole with the test key ARN. requestParameters.bucketName contains the target bucket. The high event volume crosses the rule's 50-event threshold for the source IP and user within the 30-minute window.

  3. Test 3: Rclone Cloud Storage Sync (Exfiltration Tool Pattern)

    Expected signal: CloudTrail GetObject and ListObjectsV2 events with userAgent containing 'rclone/' version string (e.g., 'rclone/v1.65.0'). High-volume sequential GetObject events for each file in the bucket. The rclone.conf file will contain plaintext cloud credentials at ~/.config/rclone/rclone.conf — a forensic artifact.

  4. Test 4: AADInternals OneDrive File Collection

    Expected signal: Microsoft 365 OfficeActivity logs: FileDownloaded operations with UserId matching the authenticated account and OfficeWorkload=OneDrive. UserAgent will identify AADInternals. ClientIP will be the tester's IP. Events appear in the Unified Audit Log within minutes. Entra ID SigninLogs will show the authentication used to obtain the access token.
