Detect Data from Cloud Storage in Microsoft Sentinel
Adversaries access data from cloud storage services, both IaaS object stores (Amazon S3, Azure Blob Storage, Google Cloud Storage) and SaaS platform storage (OneDrive, SharePoint, Google Drive, Dropbox). Attack vectors include exploiting misconfigured public bucket or container access, using compromised credentials or SAS tokens, abusing overly permissive IAM roles, and running automated tools such as Rclone, Pacu and AADInternals for bulk extraction. Threat actors observed using this technique include Fox Kitten, APT42, HAFNIUM, Scattered Spider and Storm-0501; Storm-0501 in particular modified Azure Storage account configuration so that accounts which had not been reachable remotely could be accessed for data exfiltration. Misconfigurations allowing anonymous or overly broad access have exposed PII, medical records and financial data at scale.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1530 Data from Cloud Storage
- Canonical reference: https://attack.mitre.org/techniques/T1530/
KQL Detection Query
let MassDownloadThreshold = 50;
let BulkTimeWindow = 30m;
// Pattern 1: OneDrive/SharePoint mass file downloads (AADInternals, Scattered Spider pattern)
// FileAccessed is by far the noisiest of the four operations; drop it or raise the threshold
// first if this pattern over-fires.
let OneDriveAlert = OfficeActivity
| where TimeGenerated > ago(24h)
| where OfficeWorkload in ("OneDrive", "SharePoint")
| where Operation in ("FileDownloaded", "FileSyncDownloadedFull", "FileAccessed", "FileCopied")
| summarize
    FileCount = count(),
    UniqueFiles = dcount(SourceFileName),
    SiteUrls = make_set(SiteUrl, 5),
    Operations = make_set(Operation),
    UserAgentSample = take_any(UserAgent)
    by UserId, ClientIP, bin(TimeGenerated, BulkTimeWindow)
| where FileCount > MassDownloadThreshold
| extend
    AlertType = "OneDrive_MassDownload",
    Platform = "Microsoft365",
    Severity = iff(FileCount > 300, "High", "Medium"),
    Details = strcat(tostring(FileCount), " files from ", tostring(array_length(SiteUrls)), " site(s)")
| project TimeGenerated, UserId, ClientIP, AlertType, Platform, Severity,
    FileCount, UniqueFiles, Details, UserAgentSample;
// Pattern 2: Azure Blob Storage anonymous access or bulk download
// StatusCode is a string column in StorageBlobLogs, so it is cast before comparison.
// 206 is kept because ranged GetBlob reads (the default for large downloads in AzCopy,
// the SDKs and Rclone) return Partial Content rather than 200.
let BlobAlert = StorageBlobLogs
| where TimeGenerated > ago(24h)
| where OperationName in ("GetBlob", "ListBlobs", "ListBlobsHierarchySegment",
    "GetBlobProperties", "GetContainerProperties")
| where toint(StatusCode) in (200, 206)
| extend IsAnonymous = toint(AuthenticationType =~ "Anonymous")
| summarize
    RequestCount = count(),
    TotalBytes = sum(tolong(ResponseBodySize)),
    // ObjectKey rather than Uri: a Uri carries the SAS query string, which would inflate the count
    UniqueObjects = dcount(ObjectKey),
    AnonRequests = sum(IsAnonymous),
    OperationTypes = make_set(OperationName)
    by AccountName, CallerIpAddress, AuthenticationType, bin(TimeGenerated, BulkTimeWindow)
| where RequestCount > MassDownloadThreshold or AnonRequests > 0
| extend
    AlertType = iff(AnonRequests > 0, "AzureBlob_AnonymousAccess", "AzureBlob_BulkDownload"),
    Platform = "AzureStorage",
    Severity = iff(AnonRequests > 0 or TotalBytes > 1073741824, "High", "Medium"),
    Details = strcat(tostring(RequestCount), " requests, ", tostring(TotalBytes / 1048576), " MB transferred")
| project TimeGenerated, UserId=AccountName, ClientIP=CallerIpAddress,
    AlertType, Platform, Severity, FileCount=RequestCount,
    UniqueFiles=UniqueObjects, Details, UserAgentSample=AuthenticationType;
// Pattern 3: Azure Storage key listing or configuration change (Storm-0501 exfil staging)
// in~ and the two status values cover the casing and naming differences between
// Activity Log schema versions.
let StorageConfigAlert = AzureActivity
| where TimeGenerated > ago(24h)
| where ResourceProviderValue =~ "MICROSOFT.STORAGE"
| where OperationNameValue in~ (
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/WRITE",
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION"
    )
| where ActivityStatusValue in~ ("Success", "Succeeded")
| extend
    AlertType = "AzureStorage_SuspiciousConfigChange",
    Platform = "Azure",
    Severity = "High",
    Details = OperationNameValue
// long(null) so the column types match count()/dcount() in the other two patterns;
// with int(null) the union would split FileCount and UniqueFiles into separately typed columns.
| project TimeGenerated, UserId=Caller, ClientIP=CallerIpAddress,
    AlertType, Platform, Severity, FileCount=long(null),
    UniqueFiles=long(null), Details, UserAgentSample="AzureRM";
// Union all patterns
union kind=outer OneDriveAlert, BlobAlert, StorageConfigAlert
| sort by TimeGenerated desc
Detects cloud storage data collection across three attack patterns seen in threat actor campaigns. Pattern 1 uses OfficeActivity to identify mass OneDrive or SharePoint file access exceeding 50 operations within a 30-minute bin, consistent with AADInternals and Scattered Spider bulk extraction activity. Pattern 2 uses Azure Storage blob diagnostic logs (StorageBlobLogs) to detect anonymous blob access or high-volume download operations against Azure Blob containers. Pattern 3 monitors AzureActivity for storage account key listing, key regeneration and account or blob-service writes, matching Storm-0501's technique of reconfiguring storage accounts for remote exfiltration; it fires on every successful write, so baseline it against your deployment identities. Because Patterns 1 and 2 count inside fixed bin() windows, a burst that straddles a window boundary is split across two bins and may not cross the threshold in either; lower the threshold or add a sliding-window variant if that matters in your environment. Requires the Microsoft 365 Unified Audit Log, the Azure Activity Log and Azure Storage blob diagnostic logs all forwarded to the Log Analytics workspace.
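The bin() caveat is easiest to see by replaying Pattern 1 over sample rows. The following is an added example, not code from the original page or from Microsoft: it re-implements the query's per-(UserId, ClientIP, bin) count in Python over constructed OfficeActivity-style rows and sets it beside a sliding-window count. The user, client IP and timestamps are made up for the demonstration.

```python
"""Replay of Pattern 1 (OneDrive/SharePoint mass download) over constructed
OfficeActivity-style rows, comparing the query's fixed bin() window with a
sliding window. Every row below is made-up sample data, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MASS_DOWNLOAD_THRESHOLD = 50                # mirrors MassDownloadThreshold in the KQL
BULK_TIME_WINDOW = timedelta(minutes=30)    # mirrors BulkTimeWindow
WORKLOADS = {"OneDrive", "SharePoint"}
OPERATIONS = {"FileDownloaded", "FileSyncDownloadedFull", "FileAccessed", "FileCopied"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

USER, IP = "alice@contoso.example", "203.0.113.10"   # assumed test identity, documentation ranges


def make_office_events(user, client_ip, start, count, spacing_seconds,
                       workload="OneDrive", operation="FileDownloaded"):
    """Constructed OfficeActivity rows: one `operation` every `spacing_seconds`."""
    return [{
        "TimeGenerated": start + timedelta(seconds=i * spacing_seconds),
        "UserId": user, "ClientIP": client_ip,
        "OfficeWorkload": workload, "Operation": operation,
        "SourceFileName": f"file{i:04d}.docx",
    } for i in range(count)]


def bin_start(ts, window=BULK_TIME_WINDOW):
    """Same result as KQL bin(ts, window): floor to a window boundary counted from the epoch."""
    return EPOCH + ((ts - EPOCH) // window) * window


def in_scope(event):
    return event["OfficeWorkload"] in WORKLOADS and event["Operation"] in OPERATIONS


def fixed_bin_alerts(events, threshold=MASS_DOWNLOAD_THRESHOLD, window=BULK_TIME_WINDOW):
    """What the KQL summarize does: count per (UserId, ClientIP, bin), keep count > threshold.
    Returns {(user, ip, bin_start): {"FileCount": n, "UniqueFiles": m, "Severity": s}}."""
    counts, files = defaultdict(int), defaultdict(set)
    for e in filter(in_scope, events):
        key = (e["UserId"], e["ClientIP"], bin_start(e["TimeGenerated"], window))
        counts[key] += 1
        files[key].add(e["SourceFileName"])
    return {key: {"FileCount": n, "UniqueFiles": len(files[key]),
                  "Severity": "High" if n > 300 else "Medium"}   # same cut-off as the query
            for key, n in counts.items() if n > threshold}


def sliding_window_alerts(events, threshold=MASS_DOWNLOAD_THRESHOLD, window=BULK_TIME_WINDOW):
    """Sliding-window variant: the most in-scope events by one (UserId, ClientIP) that fall
    inside any interval shorter than `window`. Returns {(user, ip): max_count} where max_count > threshold."""
    times = defaultdict(list)
    for e in filter(in_scope, events):
        times[(e["UserId"], e["ClientIP"])].append(e["TimeGenerated"])
    alerts = {}
    for key, ts in times.items():
        ts.sort()
        best = left = 0
        for right, t in enumerate(ts):
            while t - ts[left] >= window:    # drop events that have fallen out of the window
                left += 1
            best = max(best, right - left + 1)
        if best > threshold:
            alerts[key] = best
    return alerts


def straddling_burst():
    """60 downloads at 20 s spacing starting 09:50: 30 fall in the 09:30 bin and 30 in the
    10:00 bin, so neither bin exceeds 50 although all 60 happen inside 20 minutes."""
    t0 = datetime(2024, 5, 1, 9, 50, tzinfo=timezone.utc)
    events = make_office_events(USER, IP, t0, 60, 20)
    # out-of-scope noise that both detectors must ignore
    events += make_office_events(USER, IP, t0, 20, 20, workload="Exchange", operation="MailItemsAccessed")
    return events


def contained_burst():
    """120 downloads at 10 s spacing from 10:00: all land in the 10:00 bin, so the query fires."""
    return make_office_events(USER, IP, datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc), 120, 10)


if __name__ == "__main__":
    print("straddling, fixed bins :", fixed_bin_alerts(straddling_burst()))        # {}
    print("straddling, sliding    :", sliding_window_alerts(straddling_burst()))   # {(USER, IP): 60}
    print("contained,  fixed bins :", fixed_bin_alerts(contained_burst()))         # one bin, FileCount 120
```

The straddling case is the one to keep in mind when choosing the threshold: 60 downloads in twenty minutes is well above the 50-event cut-off, yet the fixed-bin query reports nothing because the burst is split 30/30 across the 10:00 boundary. A lower threshold, a shorter bin, or a follow-up query that re-counts around each near-miss all close that gap.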
Data Sources
Required Tables
- OfficeActivity (Microsoft 365 Unified Audit Log, Office 365 connector)
- StorageBlobLogs (Azure Storage blob diagnostic logs sent to Log Analytics)
- AzureActivity (Azure Activity Log)
False Positives & Tuning
- Backup and migration tools (ShareGate, AvePoint, Metalogix) performing scheduled bulk downloads of SharePoint or OneDrive content during off-hours maintenance windows
- Microsoft Purview eDiscovery operations and DLP scanning agents accessing large volumes of OneDrive files for compliance indexing or legal hold processing
- Azure Blob containers legitimately configured for anonymous public access as static website hosting origins or CDN source buckets — anonymous access is expected and intended
- Infrastructure-as-code pipelines (Terraform, Bicep, ARM templates) performing storage account writes and key listing operations during normal cloud provisioning and rotation workflows
- Developers and DevOps engineers performing bulk blob downloads from development or staging storage accounts using Azure CLI, Azure Storage Explorer, or SDK tooling
Testing Methodology
Validate this detection against the four Atomic Red Team-style test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Tests 1 to 3 produce AWS CloudTrail telemetry, which the KQL above does not consume; only Test 4 exercises this query (Pattern 1) directly. To exercise Pattern 2, run a bulk blob download against a storage account that has blob diagnostic logs enabled; to exercise Pattern 3, perform a key listing or storage account write with a test identity and confirm the AzureActivity record.
- Test 1: AWS S3 Anonymous Bucket Enumeration and Download
  Expected signal: AWS CloudTrail will record ListObjects and GetObject events with userIdentity.type=Anonymous and userIdentity.principalId=anonymous. sourceIPAddress will be the tester's public IP. No ARN is present in the identity block. S3 server access logs (if enabled) will show "-" as the requester.
- Test 2: AWS S3 Bulk Object Download with Valid Credentials
  Expected signal: CloudTrail records ListObjects (eventName=ListObjectsV2) and multiple GetObject events from the same source IP within a short window. userIdentity.type is IAMUser or AssumedRole with the test key's ARN. requestParameters.bucketName contains the target bucket. The event volume exceeds the same 50-operations-in-30-minutes threshold this detection applies to OneDrive and Azure Blob, so an equivalent CloudTrail rule would fire on it.
- Test 3: Rclone Cloud Storage Sync (Exfiltration Tool Pattern)
  Expected signal: CloudTrail GetObject and ListObjectsV2 events with userAgent containing an 'rclone/' version string (e.g. 'rclone/v1.65.0'), followed by high-volume sequential GetObject events, one per file in the bucket. On the test host, ~/.config/rclone/rclone.conf contains the cloud credentials in plaintext and is a forensic artifact worth collecting.
- Test 4: AADInternals OneDrive File Collection
  Expected signal: Microsoft 365 OfficeActivity records FileDownloaded operations with OfficeWorkload=OneDrive and UserId matching the authenticated account. UserAgent will identify AADInternals and ClientIP will be the tester's IP. Events appear in the Unified Audit Log within minutes. Microsoft Entra ID SigninLogs will show the authentication used to obtain the access token.
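Since Tests 1 to 3 are judged on CloudTrail fields the KQL never sees, it helps to have the expected signals written down as checks. The block below is an added example, not part of the original page or of any AWS tooling: it parses a constructed CloudTrail JSON document and reports, per (principal, source IP), the three things the tests look for: an anonymous identity with no ARN, a GetObject count over the 50-operation threshold, and an rclone user agent. The bucket name, account ID, ARN and IP addresses are made up, and the anonymous-identity shape follows the values stated in Test 1; compare it with a real record from your own trail before relying on it.

```python
"""Triage of constructed AWS CloudTrail records against the expected signals of
Tests 1 to 3 above. The JSON is made-up sample data, not real telemetry."""
import json
import re
from collections import defaultdict

GETOBJECT_THRESHOLD = 50   # the same 50-operation cut-off the KQL uses for OneDrive and Azure Blob
RCLONE_UA = re.compile(r"rclone/v?(\d+\.\d+\.\d+)")
S3_READS = {"GetObject", "ListObjects", "ListObjectsV2"}


def _record(event_name, identity, source_ip, user_agent, bucket, key=None):
    """One CloudTrail record in the field layout CloudTrail writes (only the fields used here)."""
    params = {"bucketName": bucket}
    if key:
        params["key"] = key
    return {"eventSource": "s3.amazonaws.com", "eventName": event_name,
            "userIdentity": identity, "sourceIPAddress": source_ip,
            "userAgent": user_agent, "requestParameters": params}


# Identity shapes: the anonymous one follows Test 1 (no arn field at all); the IAM one is assumed.
ANON = {"type": "Anonymous", "principalId": "anonymous"}
IAM = {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
       "arn": "arn:aws:iam::123456789012:user/t1530-test"}

SAMPLE_TRAIL = json.dumps({"Records":
    [_record("ListObjectsV2", ANON, "198.51.100.7", "aws-cli/2.15.0", "example-bucket")]
    + [_record("GetObject", ANON, "198.51.100.7", "aws-cli/2.15.0", "example-bucket", f"pii/{i}.csv")
       for i in range(3)]                                        # Test 1: anonymous, low volume
    + [_record("ListObjectsV2", IAM, "198.51.100.8", "aws-cli/2.15.0", "example-bucket")]
    + [_record("GetObject", IAM, "198.51.100.8", "aws-cli/2.15.0", "example-bucket", f"dump/{i}.bin")
       for i in range(60)]                                       # Test 2: valid key, 60 GetObject
    + [_record("GetObject", IAM, "198.51.100.9", "rclone/v1.65.0", "example-bucket", f"backup/{i}.tar")
       for i in range(5)]                                        # Test 3: rclone user agent
})


def is_anonymous(identity):
    """Tolerant check: CloudTrail marks unauthenticated S3 calls in the type, principalId or accountId."""
    return (identity.get("type") == "Anonymous"
            or identity.get("principalId") == "anonymous"
            or identity.get("accountId") == "anonymous")


def triage_cloudtrail(trail_json, threshold=GETOBJECT_THRESHOLD):
    """Group S3 read events by (principal, sourceIPAddress) and report the expected signals.
    Returns {(principal, ip): {"anonymous", "get_object", "bulk", "rclone_version", "buckets"}}."""
    findings = defaultdict(lambda: {"anonymous": False, "get_object": 0, "bulk": False,
                                    "rclone_version": None, "buckets": set()})
    for r in json.loads(trail_json)["Records"]:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") not in S3_READS:
            continue
        ident = r["userIdentity"]
        principal = ident.get("arn") or ident.get("principalId")   # anonymous identities carry no ARN
        f = findings[(principal, r["sourceIPAddress"])]
        f["anonymous"] = f["anonymous"] or is_anonymous(ident)
        f["buckets"].add(r["requestParameters"]["bucketName"])
        if r["eventName"] == "GetObject":
            f["get_object"] += 1
        m = RCLONE_UA.search(r.get("userAgent", ""))
        if m:
            f["rclone_version"] = m.group(1)
    for f in findings.values():
        f["bulk"] = f["get_object"] > threshold
    return dict(findings)


if __name__ == "__main__":
    for key, f in sorted(triage_cloudtrail(SAMPLE_TRAIL).items()):
        print(key, f)
```

Run against the sample, the anonymous caller shows up keyed on the bare principalId "anonymous" because no ARN exists to key on, the IAM user from 198.51.100.8 is the only bulk finding, and the rclone session is flagged by version string even though its five downloads are nowhere near the threshold; that last point is why the user-agent check is worth keeping separate from the volume check.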
References
- https://attack.mitre.org/techniques/T1530/
- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
- https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide
- https://redcanary.com/blog/rclone-mega-extortion/
- https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
- https://github.com/RhinoSecurityLabs/pacu
- https://github.com/Gerenios/AADInternals
- https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage-reference
- https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-activities
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging.html
- https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/