T1530 Elastic Security · Elastic

Detect Data from Cloud Storage in Elastic Security

Adversaries access data from cloud storage services including IaaS object stores (Amazon S3, Azure Blob Storage, Google Cloud Storage) and SaaS platform storage (OneDrive, SharePoint, Google Drive, Dropbox). Attack vectors include exploiting misconfigured public bucket access, using compromised credentials or SAS tokens, abusing overly permissive IAM roles, and automated tools such as Rclone, Pacu, and AADInternals for bulk extraction. Threat actors observed using this technique include Fox Kitten, APT42, HAFNIUM, Scattered Spider, and Storm-0501 — the latter specifically modifying Azure Storage account configurations to expose non-remotely accessible accounts for data exfiltration. Misconfigurations enabling anonymous or overly broad access have led to exposure of PII, medical records, and financial data at scale.

MITRE ATT&CK

Tactic
Collection
Technique
T1530 Data from Cloud Storage
Canonical reference
https://attack.mitre.org/techniques/T1530/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where (
  (
    event.dataset == "aws.cloudtrail" and
    aws.cloudtrail.event_source == "s3.amazonaws.com" and
    event.action in ("GetObject", "ListBucket", "ListObjects", "ListObjectsV2",
                     "GetBucketAcl", "GetBucketPolicy", "GetBucketPublicAccessBlock") and
    not aws.cloudtrail.error_code : ("AccessDenied", "NoSuchKey", "NoSuchBucket") and
    (
      aws.cloudtrail.user_identity.type in ("AnonUser", "Anonymous") or
      user_agent.original : ("rclone/*", "*pacu*", "aws-cli/*", "*aadInternals*",
                              "Boto3/*", "python-requests/*", "*s3browser*", "*CloudBerry*")
    )
  ) or
  (
    event.dataset == "o365.audit" and
    o365.audit.Workload in ("OneDrive", "SharePoint") and
    event.action in ("FileDownloaded", "FileSyncDownloadedFull",
                     "FileAccessed", "FileCopied") and
    user_agent.original : ("rclone/*", "*pacu*", "*aadInternals*",
                            "python-requests/*", "*odrive*", "*MicrosoftSharePointForAndroid*")
  ) or
  (
    event.dataset in ("azure.activitylogs", "azure.auditlogs") and
    azure.activitylogs.resource_provider == "MICROSOFT.STORAGE" and
    azure.activitylogs.operation_name in (
      "Microsoft.Storage/storageAccounts/write",
      "Microsoft.Storage/storageAccounts/blobServices/write",
      "Microsoft.Storage/storageAccounts/listKeys/action",
      "Microsoft.Storage/storageAccounts/regenerateKey/action"
    ) and
    event.outcome == "success"
  )
)
/* VOLUME THRESHOLD VARIANT: Deploy as a separate threshold rule.
   Alert when the below fires 50+ times per (source.ip, user.name) within 30m.
sequence by source.ip, user.name with maxspan=30m
  [any where event.dataset in ("aws.cloudtrail", "o365.audit") and
   event.action in ("GetObject", "FileDownloaded", "FileSyncDownloadedFull",
                    "ListBucket", "ListObjects", "ListObjectsV2") and
   not aws.cloudtrail.error_code : ("AccessDenied", "NoSuchKey")] with runs=50
*/
high severity high confidence

Detects T1530 Data from Cloud Storage via three complementary patterns: (1) AWS S3 access by anonymous principals or known exfiltration tools (rclone, pacu, aadInternals, boto3, aws-cli); (2) OneDrive/SharePoint file downloads matching known exfiltration tool user-agents (AADInternals, rclone); (3) Azure Storage account configuration changes including key listing and regeneration used by Storm-0501 for exfil staging. Requires Elastic integrations for AWS CloudTrail, Azure Activity Logs, and Microsoft 365. Deploy the commented volume-threshold variant as a separate threshold rule to alert on >50 download operations per user/IP within 30 minutes.

Data Sources

AWS CloudTrail via Elastic AWS integration (logs-aws.cloudtrail-*)Microsoft Office 365 Audit Logs via Elastic O365 integration (logs-o365.audit-*)Azure Activity Logs via Elastic Azure integration (logs-azure.activitylogs-*)

Required Tables

logs-aws.cloudtrail-*logs-o365.audit-*logs-azure.activitylogs-*

False Positives & Tuning

  • Automated backup and disaster recovery jobs using rclone or aws-cli with dedicated service accounts performing scheduled S3 data replication between regions or accounts
  • DevOps CI/CD pipelines that perform bulk S3 artifact fetches during deployment from ephemeral build agents sharing a single NAT egress IP address
  • IT administrators legitimately rotating Azure Storage account keys as part of scheduled credential rotation procedures or compliance-driven key management
  • Legitimate data migration projects where large OneDrive or SharePoint libraries are synced offline by IT staff using Microsoft-provided tools that are misidentified as known attack tool signatures
Download portable Sigma rule (.yml)

Other platforms for T1530

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AWS S3 Anonymous Bucket Enumeration and Download

    Expected signal: AWS CloudTrail will record ListObjects and GetObject events with userIdentity.type=Anonymous and userIdentity.principalId=anonymous. sourceIPAddress will be the tester's public IP. No ARN present in the identity block. S3 server access logs (if enabled) will show - as the requester.

  2. Test 2AWS S3 Bulk Object Download with Valid Credentials

    Expected signal: CloudTrail records: ListObjects (eventName=ListObjectsV2) and multiple GetObject events from the same source IP within a short window. userIdentity.type=IAMUser or AssumedRole with the test key ARN. requestParameters.bucketName contains the target bucket. High event volume triggers the 50+ GetObject threshold in the SPL detection.

  3. Test 3Rclone Cloud Storage Sync (Exfiltration Tool Pattern)

    Expected signal: CloudTrail GetObject and ListObjectsV2 events with userAgent containing 'rclone/' version string (e.g., 'rclone/v1.65.0'). High-volume sequential GetObject events for each file in the bucket. The rclone.conf file will contain plaintext cloud credentials at ~/.config/rclone/rclone.conf — a forensic artifact.

  4. Test 4AADInternals OneDrive File Collection

    Expected signal: Microsoft 365 OfficeActivity logs: FileDownloaded operations with UserId matching the authenticated account, OfficeWorkload=OneDrive. UserAgent will identify AADInternals. ClientIP will be the tester's IP. Events appear in the Unified Audit Log within minutes. EntraID SigninLogs will show the authentication used to obtain the access token.

Last updated: 2026-04-21 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1530 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1078.004Cloud AccountsT1552.001Credentials In FilesT1552.005Cloud Instance Metadata APIT1119Automated CollectionT1537Transfer Data to Cloud AccountT1213.002SharepointT1190Exploit Public-Facing ApplicationT1560.001Archive via UtilityT1567.002Exfiltration to Cloud Storage

Same Tactic: Collection

Popular Detections