Detect Data from Cloud Storage in CrowdStrike LogScale
Adversaries access data from cloud storage services including IaaS object stores (Amazon S3, Azure Blob Storage, Google Cloud Storage) and SaaS platform storage (OneDrive, SharePoint, Google Drive, Dropbox). Attack vectors include exploiting misconfigured public bucket access, using compromised credentials or SAS tokens, abusing overly permissive IAM roles, and automated tools such as Rclone, Pacu, and AADInternals for bulk extraction. Threat actors observed using this technique include Fox Kitten, APT42, HAFNIUM, Scattered Spider, and Storm-0501 — the latter specifically modifying Azure Storage account configurations to expose non-remotely accessible accounts for data exfiltration. Misconfigurations enabling anonymous or overly broad access have led to exposure of PII, medical records, and financial data at scale.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1530 Data from Cloud Storage
- Canonical reference
- https://attack.mitre.org/techniques/T1530/
LogScale Detection Query
// Pattern 1: Cloud storage exfiltration tool process execution (endpoint visibility)
// Detects rclone, aws-cli, azcopy, gsutil, pacu executing with cloud storage arguments
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\rclone\.exe|\\aws\.exe|\\azcopy\.exe|\\gsutil\.exe|\\s3cmd\.py|\\pacu\.py|\\msodiagtool\.exe)/
OR CommandLine = /(?i)(rclone\s+(copy|sync|move|ls|lsd)\s|aws\s+s3(api)?\s+(cp|sync|ls|rb|mb|get-object|list-objects|get-bucket-acl|get-bucket-policy)|azcopy\s+copy\s|gsutil\s+(cp|rsync|ls|du)\s+gs:\/\/|Invoke-AADIntReconAsOutsider|Get-AADIntTenantDomains|Export-AADIntUsers)/
| groupBy(
[ComputerName, UserName, UserSid, ImageFileName],
function=[
count(aid, as=ExecutionCount),
collect(CommandLine, limit=10, separator=" || "),
collect(ParentBaseFileName, limit=3, separator="|"),
collect(SHA256HashData, limit=3, separator="|"),
min(ContextTimeStamp, as=FirstSeen),
max(ContextTimeStamp, as=LastSeen)
]
)
| eval CloudTarget = case(
collect(CommandLine) = /s3:\/\/|s3\.amazonaws\.com/, "AWS_S3",
collect(CommandLine) = /blob\.core\.windows\.net|dfs\.core\.windows\.net|azcopy/, "Azure_Blob",
collect(CommandLine) = /gs:\/\/|storage\.googleapis\.com/, "GCP_Storage",
collect(CommandLine) = /AADInt|onedrive|sharepoint/, "Microsoft365",
true(), "Cloud_Storage_Generic"
)
| eval RiskScore =
(case(
collect(CommandLine) = /(?i)(rclone|pacu|aadInternals|AADInt)/, 3,
collect(CommandLine) = /(?i)(aws\s+s3|azcopy|gsutil)/, 2,
true(), 1
))
+ if(ExecutionCount > 10, 2, if(ExecutionCount > 3, 1, 0))
| eval Severity = if(RiskScore >= 4, "High", if(RiskScore >= 2, "Medium", "Low"))
| sort(RiskScore, order=desc)
| select(
[ComputerName, UserName, UserSid, ImageFileName, CloudTarget,
ExecutionCount, collect(CommandLine), collect(ParentBaseFileName),
collect(SHA256HashData), FirstSeen, LastSeen, RiskScore, Severity]
)
// Pattern 2: High-volume DNS lookups to cloud storage endpoints indicating active exfiltration
// Run as separate saved search; correlate with Pattern 1 results by ComputerName
/*
#event_simpleName=DnsRequest
| DomainName = /(?i)(s3\.amazonaws\.com|s3-[a-z0-9-]+\.amazonaws\.com|\.s3\.us-[a-z0-9-]+\.amazonaws\.com|blob\.core\.windows\.net|\.dfs\.core\.windows\.net|storage\.googleapis\.com|sharepoint\.com|onedrive\.live\.com|1drv\.ms)/
| groupBy(
[ComputerName, UserName, DomainName],
function=[
count(aid, as=QueryCount),
min(ContextTimeStamp, as=FirstQuery),
max(ContextTimeStamp, as=LastQuery)
]
)
| where QueryCount > 100
| eval StoragePlatform = case(
DomainName = /amazonaws\.com/, "AWS_S3",
DomainName = /core\.windows\.net/, "Azure_Blob",
DomainName = /googleapis\.com/, "GCP_Storage",
DomainName = /sharepoint\.com|onedrive|1drv/, "Microsoft365",
true(), "Unknown"
)
| sort(QueryCount, order=desc)
*/CrowdStrike LogScale (CQL) detection for T1530 using Falcon endpoint telemetry. Pattern 1 detects cloud storage exfiltration tool execution (rclone, aws-cli, azcopy, gsutil, pacu, AADInternals/AADInt modules) via ProcessRollup2 events, matching both binary names and command-line arguments containing cloud storage operations. Calculates risk scores based on tool reputation and execution frequency. Pattern 2 (commented, run as separate saved search) detects high-volume DNS queries to cloud storage endpoints via DnsRequest events as a secondary indicator. Correlate both patterns by ComputerName for high-confidence detections. Note: CrowdStrike provides endpoint visibility only; cloud-native access logs (S3, Azure) require separate SIEM ingestion.
Data Sources
Required Tables
False Positives & Tuning
- Authorized cloud infrastructure management tools (azcopy, aws-cli, gsutil) installed on developer workstations or jump hosts that are used regularly for legitimate cloud resource management will generate continuous high-frequency matches
- Cloud backup agents (e.g., Veeam, Commvault, Rubrik) that invoke native cloud CLI tools as subprocesses during scheduled backup jobs will match both the binary name and argument patterns
- Security tooling or cloud security posture management (CSPM) agents that enumerate S3 bucket ACLs or Azure storage configurations as part of continuous compliance scanning will trigger enumeration-related command-line patterns
Other platforms for T1530
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS S3 Anonymous Bucket Enumeration and Download
Expected signal: AWS CloudTrail will record ListObjects and GetObject events with userIdentity.type=Anonymous and userIdentity.principalId=anonymous. sourceIPAddress will be the tester's public IP. No ARN present in the identity block. S3 server access logs (if enabled) will show - as the requester.
- Test 2AWS S3 Bulk Object Download with Valid Credentials
Expected signal: CloudTrail records: ListObjects (eventName=ListObjectsV2) and multiple GetObject events from the same source IP within a short window. userIdentity.type=IAMUser or AssumedRole with the test key ARN. requestParameters.bucketName contains the target bucket. High event volume triggers the 50+ GetObject threshold in the SPL detection.
- Test 3Rclone Cloud Storage Sync (Exfiltration Tool Pattern)
Expected signal: CloudTrail GetObject and ListObjectsV2 events with userAgent containing 'rclone/' version string (e.g., 'rclone/v1.65.0'). High-volume sequential GetObject events for each file in the bucket. The rclone.conf file will contain plaintext cloud credentials at ~/.config/rclone/rclone.conf — a forensic artifact.
- Test 4AADInternals OneDrive File Collection
Expected signal: Microsoft 365 OfficeActivity logs: FileDownloaded operations with UserId matching the authenticated account, OfficeWorkload=OneDrive. UserAgent will identify AADInternals. ClientIP will be the tester's IP. Events appear in the Unified Audit Log within minutes. EntraID SigninLogs will show the authentication used to obtain the access token.
References (11)
- https://attack.mitre.org/techniques/T1530/
- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
- https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide
- https://redcanary.com/blog/rclone-mega-extortion/
- https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
- https://github.com/RhinoSecurityLabs/pacu
- https://github.com/Gerenios/AADInternals
- https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage-reference
- https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-activities
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging.html
- https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
Unlock Pro Content
Get the full detection package for T1530 including response playbook, investigation guide, and atomic red team tests.