T1537

Transfer Data to Cloud Account

Adversaries may exfiltrate data by transferring it to another cloud account they control on the same service. This technique abuses native cloud APIs, storage sharing mechanisms, and CLI tools (such as AzCopy, megatools, or AWS CLI) to move data across cloud account boundaries while blending into normal cloud traffic. Detection is complicated because the traffic stays within the provider's internal network and may not trigger perimeter data loss controls. Common methods include: sharing VM disk snapshots or AMIs to attacker-controlled accounts, generating shared access signature (SAS) URIs or pre-signed S3 URLs for anonymous access, using AzCopy or AWS S3 sync to copy storage contents cross-account, and creating cloud instance backups then exporting them to external subscriptions.

Microsoft Sentinel / Defender

kusto

// Union of multiple T1537 detection signals: AzCopy exfil, SAS token abuse, snapshot sharing, and anomalous storage copy
let LookbackWindow = 24h;
let KnownStorageAccounts = dynamic([]);  // Populate with your org's known storage account hostnames
// Signal 1: AzCopy execution with external cloud storage destinations
let AzCopySignal = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName =~ "azcopy.exe" or ProcessCommandLine has_cs "azcopy"
| where ProcessCommandLine has_any ("copy", "sync", "cp", "make")
| extend DestURL = extract(@"(?:copy|sync|cp|make)\s+(?:'[^']+'|\"[^\"]+\"|\S+)\s+(?:'([^']+)'|\"([^\"]+)\"|([^\s]+))", 1, ProcessCommandLine)
| extend HasExternalBlob = ProcessCommandLine has "blob.core.windows.net" and not(ProcessCommandLine has_any (KnownStorageAccounts))
| extend HasMegaUpload = ProcessCommandLine has_any ("mega.nz", "mega.co.nz", "megatools", "megaput", "megacopy")
| extend HasS3External = ProcessCommandLine has_any ("s3://", "s3.amazonaws.com") and ProcessCommandLine has_any ("--source-account", "--destination-account", "cross-account")
| where HasExternalBlob or HasMegaUpload or HasS3External
| extend SignalType = "AzCopy_Exfil"
| project Timestamp, DeviceName, AccountName, SignalType, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields;
// Signal 2: Azure SAS token generation via PowerShell or Azure CLI
let SASTokenSignal = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("powershell.exe", "pwsh.exe", "az.cmd", "az", "python.exe", "python3")
| where ProcessCommandLine has_any (
    "New-AzStorageBlobSASToken",
    "New-AzStorageContainerSASToken",
    "New-AzStorageAccountSASToken",
    "az storage blob generate-sas",
    "az storage container generate-sas",
    "az storage account generate-sas",
    "GenerateSasUri",
    "generate-sas"
  )
| where ProcessCommandLine has_any ("--expiry", "-ExpiryTime", "--permissions", "rwdl", "racwdl")
| extend SignalType = "SAS_Token_Generation"
| project Timestamp, DeviceName, AccountName, SignalType, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields;
// Signal 3: Cloud snapshot or disk image creation/export commands
let SnapshotSignal = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("powershell.exe", "pwsh.exe", "az.cmd", "aws.exe", "python.exe")
| where ProcessCommandLine has_any (
    "az snapshot create",
    "az disk create",
    "az snapshot grant-access",
    "New-AzSnapshot",
    "Grant-AzSnapshotAccess",
    "ec2 copy-snapshot",
    "ec2 modify-snapshot-attribute",
    "ec2 create-image",
    "ec2 modify-image-attribute",
    "CreateSnapshot",
    "CopySnapshot"
  )
| extend SignalType = "Snapshot_Export"
| project Timestamp, DeviceName, AccountName, SignalType, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields;
// Signal 4: Mega cloud upload tools
let MegaSignal = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("megacopy.exe", "megaput.exe", "megals.exe", "MegaSync.exe", "megatools.exe", "megacmd.exe", "mega-put", "mega-copy")
    or ProcessCommandLine has_any ("mega.nz", "megatools", "megacopy", "megaput", "MegaSync")
| extend SignalType = "Mega_Upload"
| project Timestamp, DeviceName, AccountName, SignalType, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields;
// Combine all signals
union AzCopySignal, SASTokenSignal, SnapshotSignal, MegaSignal
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint Cloud Storage: Cloud Storage Access

Required Tables

DeviceProcessEvents

False Positives

Legitimate cloud migration projects using AzCopy to transfer data between organizational Azure subscriptions owned by different teams or business units
Backup and disaster recovery tools that create and export VM snapshots to secondary Azure subscriptions or storage accounts as part of approved BCP/DR procedures
DevOps pipelines and infrastructure-as-code workflows generating SAS tokens programmatically for legitimate cross-service data access (e.g., CI/CD artifact storage)
Data engineering teams using Mega or other cloud storage services for approved data sharing with external partners or contractors
Azure Site Recovery and Azure Backup services that internally use snapshot APIs for replication to paired regions

Splunk

spl

| union
    [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
     (Image="*\\azcopy.exe" OR CommandLine="*azcopy*")
     (CommandLine="*copy*" OR CommandLine="*sync*" OR CommandLine="*cp *")
     (CommandLine="*blob.core.windows.net*" OR CommandLine="*mega.nz*" OR CommandLine="*megatools*" OR CommandLine="*megacopy*" OR CommandLine="*megaput*")
    | eval SignalType="AzCopy_Exfil"
    | eval ExternalDest=if(match(CommandLine, "mega\.nz|megatools|megacopy|megaput"), "MEGA", if(match(CommandLine, "blob\.core\.windows\.net"), "AzureBlob", "Unknown"))
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SignalType, ExternalDest]
    [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
     (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\az.cmd" OR Image="*\\python.exe")
     (CommandLine="*New-AzStorageBlobSASToken*" OR CommandLine="*New-AzStorageContainerSASToken*" OR CommandLine="*New-AzStorageAccountSASToken*"
      OR CommandLine="*az storage*generate-sas*" OR CommandLine="*generate-sas*" OR CommandLine="*GenerateSasUri*")
    | eval SignalType="SAS_Token_Generation"
    | eval ExternalDest="AzureSAS"
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SignalType, ExternalDest]
    [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
     (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\az.cmd" OR Image="*\\aws.exe")
     (CommandLine="*az snapshot create*" OR CommandLine="*az disk create*" OR CommandLine="*az snapshot grant-access*"
      OR CommandLine="*New-AzSnapshot*" OR CommandLine="*Grant-AzSnapshotAccess*"
      OR CommandLine="*ec2 copy-snapshot*" OR CommandLine="*ec2 modify-snapshot-attribute*"
      OR CommandLine="*ec2 create-image*" OR CommandLine="*modify-image-attribute*")
    | eval SignalType="Snapshot_Export"
    | eval ExternalDest=if(match(CommandLine, "ec2|aws"), "AWS", "Azure")
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SignalType, ExternalDest]
    [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
     (Image="*\\megacopy.exe" OR Image="*\\megaput.exe" OR Image="*\\MegaSync.exe" OR Image="*\\megacmd.exe"
      OR CommandLine="*mega.nz*" OR CommandLine="*megatools*" OR CommandLine="*megacopy*" OR CommandLine="*megaput*")
    | eval SignalType="Mega_Upload_Tool"
    | eval ExternalDest="MEGA"
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SignalType, ExternalDest]
| sort - _time
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SignalType, ExternalDest

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate AzCopy usage by cloud operations teams migrating data between organizational subscriptions with proper change management approval
SAS token generation by approved service accounts in DevOps pipelines for artifact storage and deployment automation
Authorized use of MegaSync or similar tools for approved external data sharing with partners
Cloud backup solutions creating snapshots and exporting to secondary DR subscriptions
Azure Migrate assessments that enumerate and create snapshots of on-premises VM images for cloud migration planning

Elastic Security (EQL)

eql

process where event.type == "start" and (
  (
    process.name : ("azcopy.exe", "azcopy") and
    process.command_line : ("*copy*", "*sync*", "*cp *") and
    (
      process.command_line : "*blob.core.windows.net*" or
      process.command_line : "*mega.nz*" or
      process.command_line : "*megatools*" or
      process.command_line : "*megacopy*" or
      process.command_line : "*megaput*" or
      process.command_line : "*s3.amazonaws.com*"
    )
  ) or
  (
    process.name : ("powershell.exe", "pwsh.exe", "az.cmd", "az", "python.exe", "python3") and
    (
      process.command_line : "*New-AzStorageBlobSASToken*" or
      process.command_line : "*New-AzStorageContainerSASToken*" or
      process.command_line : "*New-AzStorageAccountSASToken*" or
      process.command_line : "*az storage*generate-sas*" or
      process.command_line : "*GenerateSasUri*" or
      process.command_line : "*generate-sas*"
    ) and
    (
      process.command_line : "*--expiry*" or
      process.command_line : "*-ExpiryTime*" or
      process.command_line : "*--permissions*" or
      process.command_line : "*rwdl*" or
      process.command_line : "*racwdl*"
    )
  ) or
  (
    process.name : ("powershell.exe", "pwsh.exe", "az.cmd", "aws.exe", "aws", "python.exe", "python3") and
    (
      process.command_line : "*az snapshot create*" or
      process.command_line : "*az disk create*" or
      process.command_line : "*az snapshot grant-access*" or
      process.command_line : "*New-AzSnapshot*" or
      process.command_line : "*Grant-AzSnapshotAccess*" or
      process.command_line : "*ec2 copy-snapshot*" or
      process.command_line : "*ec2 modify-snapshot-attribute*" or
      process.command_line : "*ec2 create-image*" or
      process.command_line : "*ec2 modify-image-attribute*" or
      process.command_line : "*CreateSnapshot*" or
      process.command_line : "*CopySnapshot*"
    )
  ) or
  (
    process.name : ("megacopy.exe", "megaput.exe", "megals.exe", "MegaSync.exe", "megatools.exe", "megacmd.exe", "mega-put", "mega-copy") or
    (
      process.command_line : "*mega.nz*" or
      process.command_line : "*megatools*" or
      process.command_line : "*megacopy*" or
      process.command_line : "*megaput*" or
      process.command_line : "*MegaSync*"
    )
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Auditbeat (Linux)

Required Tables

logs-endpoint.events.process-* winlogbeat-* logs-system.security-*

False Positives

Authorized cloud migration or disaster recovery teams running AzCopy to sync data between storage accounts within the same tenant during planned migrations.
DevOps or infrastructure engineers creating Azure disk snapshots or AWS AMIs as part of routine backup automation or infrastructure-as-code pipelines.
Security or IT teams generating short-lived SAS tokens for legitimate third-party vendor data sharing agreements with documented approval.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS UserName,
  "Computer Name" AS DeviceName,
  QIDNAME(qid) AS EventName,
  "Process CommandLine" AS CommandLine,
  "Process Image" AS ProcessImage,
  "Parent Process Image" AS ParentImage,
  CASE
    WHEN LOWER("Process CommandLine") LIKE '%azcopy%'
      AND (LOWER("Process CommandLine") LIKE '%blob.core.windows.net%'
           OR LOWER("Process CommandLine") LIKE '%mega.nz%'
           OR LOWER("Process CommandLine") LIKE '%megatools%'
           OR LOWER("Process CommandLine") LIKE '%s3.amazonaws.com%')
    THEN 'AzCopy_Exfil'
    WHEN (LOWER("Process CommandLine") LIKE '%new-azstorageblob%'
          OR LOWER("Process CommandLine") LIKE '%new-azstoragecontainer%'
          OR LOWER("Process CommandLine") LIKE '%new-azstorageaccount%'
          OR LOWER("Process CommandLine") LIKE '%generate-sas%'
          OR LOWER("Process CommandLine") LIKE '%generatesasuri%')
    THEN 'SAS_Token_Generation'
    WHEN (LOWER("Process CommandLine") LIKE '%az snapshot create%'
          OR LOWER("Process CommandLine") LIKE '%az snapshot grant-access%'
          OR LOWER("Process CommandLine") LIKE '%new-azsnapshot%'
          OR LOWER("Process CommandLine") LIKE '%grant-azsnapshotaccess%'
          OR LOWER("Process CommandLine") LIKE '%ec2 copy-snapshot%'
          OR LOWER("Process CommandLine") LIKE '%ec2 modify-snapshot-attribute%'
          OR LOWER("Process CommandLine") LIKE '%ec2 create-image%'
          OR LOWER("Process CommandLine") LIKE '%modify-image-attribute%')
    THEN 'Snapshot_Export'
    WHEN (LOWER("Process Image") LIKE '%megacopy%'
          OR LOWER("Process Image") LIKE '%megaput%'
          OR LOWER("Process Image") LIKE '%megasync%'
          OR LOWER("Process Image") LIKE '%megacmd%'
          OR LOWER("Process CommandLine") LIKE '%mega.nz%'
          OR LOWER("Process CommandLine") LIKE '%megatools%')
    THEN 'Mega_Upload'
    ELSE 'Unknown'
  END AS SignalType
FROM events
WHERE
  starttime > NOW() - 86400000
  AND LOGSOURCETYPEID IN (12, 119, 252, 420)
  AND (
    (
      LOWER("Process CommandLine") LIKE '%azcopy%' AND (
        LOWER("Process CommandLine") LIKE '%blob.core.windows.net%' OR
        LOWER("Process CommandLine") LIKE '%mega.nz%' OR
        LOWER("Process CommandLine") LIKE '%megatools%' OR
        LOWER("Process CommandLine") LIKE '%megacopy%' OR
        LOWER("Process CommandLine") LIKE '%megaput%' OR
        LOWER("Process CommandLine") LIKE '%s3.amazonaws.com%'
      )
    ) OR (
      (
        LOWER("Process Image") LIKE '%powershell%' OR
        LOWER("Process Image") LIKE '%pwsh%' OR
        LOWER("Process Image") LIKE '%az.cmd%' OR
        LOWER("Process Image") LIKE '%python%'
      ) AND (
        LOWER("Process CommandLine") LIKE '%new-azstorageblob%' OR
        LOWER("Process CommandLine") LIKE '%new-azstoragecontainer%' OR
        LOWER("Process CommandLine") LIKE '%new-azstorageaccount%' OR
        LOWER("Process CommandLine") LIKE '%generate-sas%' OR
        LOWER("Process CommandLine") LIKE '%generatesasuri%'
      ) AND (
        LOWER("Process CommandLine") LIKE '%--expiry%' OR
        LOWER("Process CommandLine") LIKE '%-expirytime%' OR
        LOWER("Process CommandLine") LIKE '%--permissions%'
      )
    ) OR
      LOWER("Process CommandLine") LIKE '%az snapshot create%' OR
      LOWER("Process CommandLine") LIKE '%az snapshot grant-access%' OR
      LOWER("Process CommandLine") LIKE '%new-azsnapshot%' OR
      LOWER("Process CommandLine") LIKE '%grant-azsnapshotaccess%' OR
      LOWER("Process CommandLine") LIKE '%ec2 copy-snapshot%' OR
      LOWER("Process CommandLine") LIKE '%ec2 modify-snapshot-attribute%' OR
      LOWER("Process CommandLine") LIKE '%ec2 create-image%' OR
      LOWER("Process CommandLine") LIKE '%modify-image-attribute%'
    OR (
      LOWER("Process Image") LIKE '%megacopy%' OR
      LOWER("Process Image") LIKE '%megaput%' OR
      LOWER("Process Image") LIKE '%megasync%' OR
      LOWER("Process Image") LIKE '%megacmd%' OR
      LOWER("Process CommandLine") LIKE '%mega.nz%' OR
      LOWER("Process CommandLine") LIKE '%megatools%'
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Security Event Log (EventCode 4688) Sysmon (EventCode 1) QRadar Endpoint Detection

Required Tables

events

False Positives

Authorized IT migration projects using AzCopy to transfer data between sanctioned Azure storage accounts, particularly during tenant consolidation or cloud onboarding.
Automated backup jobs or IaC tools (Terraform, Ansible) that create snapshots or disk images as part of scheduled maintenance or CI/CD pipelines.
Cloud security tooling that generates short-lived SAS tokens for read-only audit purposes or approved third-party SIEM integrations.

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint* OR _sourceCategory=*wineventlog*)
| where EventCode = "1" or EventID = "1" or EventCode = "4688" or EventID = "4688"
| parse regex "(?i)(?:CommandLine|ProcessCommandLine|cmdline)\s*[:=]\s*(?:(?:"|\'|\\[^\\]*)(?<CommandLine>[^"'\\ ]*)(?:"|\'|\\[^\\]*)|(?<CommandLine>\S+))" nodrop
| parse regex "(?i)(?:Image|NewProcessName|process)\s*[:=]\s*(?:"(?<ProcessImage>[^"]*)"|(?<ProcessImage>\S+))" nodrop
| where (
    (
      ProcessImage matches "*azcopy*" and (
        CommandLine matches "*blob.core.windows.net*" or
        CommandLine matches "*mega.nz*" or
        CommandLine matches "*megatools*" or
        CommandLine matches "*megacopy*" or
        CommandLine matches "*megaput*" or
        CommandLine matches "*s3.amazonaws.com*"
      )
    ) or
    (
      (
        ProcessImage matches "*powershell*" or
        ProcessImage matches "*pwsh*" or
        ProcessImage matches "*az.cmd*" or
        ProcessImage matches "*python*"
      ) and (
        CommandLine matches "*New-AzStorageBlobSASToken*" or
        CommandLine matches "*New-AzStorageContainerSASToken*" or
        CommandLine matches "*New-AzStorageAccountSASToken*" or
        CommandLine matches "*generate-sas*" or
        CommandLine matches "*GenerateSasUri*"
      )
    ) or
    (
      CommandLine matches "*az snapshot create*" or
      CommandLine matches "*az disk create*" or
      CommandLine matches "*az snapshot grant-access*" or
      CommandLine matches "*New-AzSnapshot*" or
      CommandLine matches "*Grant-AzSnapshotAccess*" or
      CommandLine matches "*ec2 copy-snapshot*" or
      CommandLine matches "*ec2 modify-snapshot-attribute*" or
      CommandLine matches "*ec2 create-image*" or
      CommandLine matches "*ec2 modify-image-attribute*" or
      CommandLine matches "*CreateSnapshot*" or
      CommandLine matches "*CopySnapshot*"
    ) or
    (
      ProcessImage matches "*megacopy*" or
      ProcessImage matches "*megaput*" or
      ProcessImage matches "*MegaSync*" or
      ProcessImage matches "*megacmd*" or
      ProcessImage matches "*megatools*" or
      CommandLine matches "*mega.nz*" or
      CommandLine matches "*megatools*" or
      CommandLine matches "*megacopy*" or
      CommandLine matches "*megaput*"
    )
  )
| if (ProcessImage matches "*azcopy*", "AzCopy_Exfil",
    if (CommandLine matches "*generate-sas*" or CommandLine matches "*SASToken*" or CommandLine matches "*GenerateSasUri*", "SAS_Token_Generation",
      if (CommandLine matches "*snapshot*" or CommandLine matches "*copy-snapshot*" or CommandLine matches "*AzSnapshot*", "Snapshot_Export",
        "Mega_Upload"))) as SignalType
| if (CommandLine matches "*mega.nz*" or ProcessImage matches "*mega*", "MEGA",
    if (CommandLine matches "*blob.core.windows.net*", "AzureBlob",
      if (CommandLine matches "*s3.amazonaws.com*", "AWS_S3", "Azure_Snapshot"))) as ExternalDest
| count as EventCount by _messageTime, host, user, ProcessImage, CommandLine, SignalType, ExternalDest
| fields _messageTime, host, user, ProcessImage, CommandLine, SignalType, ExternalDest, EventCount
| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Event Log (EventID 4688) Sysmon Process Create (EventID 1) Endpoint security agents forwarding to Sumo Logic

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*endpoint*

False Positives

Cloud infrastructure teams using AzCopy for approved cross-region replication or migration tasks where the destination storage account is external to the primary tenant.
Security operations running snapshot exports as part of forensic investigation or e-discovery workflows requiring data preservation to isolated cloud environments.
SaaS integrations or data pipeline tooling that programmatically generates SAS tokens for time-limited, read-only access granted to auditors or analytics platforms.

Google Chronicle / SecOps

yaral

rule T1537_Transfer_Data_To_Cloud_Account {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1537: data exfiltration via cross-account cloud transfer using AzCopy, SAS token generation, snapshot sharing, or MEGA upload tools."
    severity = "HIGH"
    mitre_attack_technique = "T1537"
    mitre_attack_tactic = "Exfiltration"
    reference = "https://attack.mitre.org/techniques/T1537/"
    created = "2026-04-20"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.metadata.product_event_type != ""
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)(^|[/\\])azcopy(\.exe)?$`) and
        (
          re.regex($e.target.process.command_line, `(?i)blob\.core\.windows\.net`) or
          re.regex($e.target.process.command_line, `(?i)mega\.nz`) or
          re.regex($e.target.process.command_line, `(?i)(megatools|megacopy|megaput)`) or
          re.regex($e.target.process.command_line, `(?i)s3\.amazonaws\.com`)
        )
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh|az\.cmd|python)(\.exe)?$`) and
        (
          re.regex($e.target.process.command_line, `(?i)New-AzStorage(Blob|Container|Account)SASToken`) or
          re.regex($e.target.process.command_line, `(?i)az storage (blob|container|account) generate-sas`) or
          re.regex($e.target.process.command_line, `(?i)GenerateSasUri`) or
          re.regex($e.target.process.command_line, `(?i)generate-sas`)
        ) and
        (
          re.regex($e.target.process.command_line, `(?i)(--expiry|-ExpiryTime|--permissions|rwdl|racwdl)`)
        )
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh|az\.cmd|aws|python)(\.exe)?$`) and
        re.regex($e.target.process.command_line, `(?i)(az snapshot (create|grant-access)|az disk create|New-AzSnapshot|Grant-AzSnapshotAccess|ec2 (copy-snapshot|modify-snapshot-attribute|create-image|modify-image-attribute)|CreateSnapshot|CopySnapshot)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(megacopy|megaput|megals|MegaSync|megatools|megacmd|mega-put|mega-copy)(\.exe)?$`) or
        re.regex($e.target.process.command_line, `(?i)(mega\.nz|megatools|megacopy|megaput|MegaSync)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle Endpoint Telemetry (CrowdStrike, Carbon Black, SentinelOne) Chronicle Windows Event Log ingestion Sysmon via Chronicle forwarder

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Authorized AzCopy usage by storage teams replicating data between business units operating in separate Azure subscriptions but within the same enterprise agreement.
Infrastructure automation (Terraform, CloudFormation, Pulumi) that creates snapshots or AMIs for golden image distribution to multiple AWS accounts under an Organization.
Security engineering teams generating scoped SAS tokens with write access for approved penetration testing exercises or red team engagements with documented change tickets.

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| FileName = /(?i)azcopy(\.exe)?$/
  OR (
    FileName = /(?i)(powershell|pwsh|az\.cmd|aws|python3?)(\.exe)?$/ AND
    CommandLine = /(?i)(New-AzStorage(Blob|Container|Account)SASToken|az storage (blob|container|account) generate-sas|GenerateSasUri|generate-sas)/
  )
  OR (
    FileName = /(?i)(powershell|pwsh|az\.cmd|aws|python3?)(\.exe)?$/ AND
    CommandLine = /(?i)(az snapshot (create|grant-access)|az disk create|New-AzSnapshot|Grant-AzSnapshotAccess|ec2 (copy-snapshot|modify-snapshot-attribute|create-image|modify-image-attribute)|CreateSnapshot|CopySnapshot)/
  )
  OR FileName = /(?i)(megacopy|megaput|megals|MegaSync|megatools|megacmd|mega-put|mega-copy)(\.exe)?$/
  OR CommandLine = /(?i)(mega\.nz|megatools|megacopy|megaput|MegaSync)/
| eval SignalType = case(
    FileName matches /(?i)azcopy/ AND CommandLine matches /(?i)(blob\.core\.windows\.net|mega\.nz|megatools|s3\.amazonaws\.com)/,
    "AzCopy_Exfil",
    CommandLine matches /(?i)(New-AzStorage|generate-sas|GenerateSasUri)/,
    "SAS_Token_Generation",
    CommandLine matches /(?i)(az snapshot|New-AzSnapshot|Grant-AzSnapshotAccess|ec2 copy-snapshot|ec2 modify-snapshot|ec2 create-image|CreateSnapshot|CopySnapshot)/,
    "Snapshot_Export",
    FileName matches /(?i)(megacopy|megaput|MegaSync|megacmd|megatools)/ OR CommandLine matches /(?i)(mega\.nz|megatools)/,
    "Mega_Upload",
    true(),
    "Unknown"
  )
| eval ExternalDest = case(
    CommandLine matches /(?i)mega\.nz/ OR FileName matches /(?i)(megacopy|megaput|MegaSync|megacmd)/, "MEGA",
    CommandLine matches /(?i)blob\.core\.windows\.net/, "AzureBlob_External",
    CommandLine matches /(?i)s3\.amazonaws\.com/, "AWS_S3_External",
    SignalType = "SAS_Token_Generation", "AzureSAS",
    SignalType = "Snapshot_Export" AND CommandLine matches /(?i)(ec2|aws)/, "AWS_Snapshot",
    SignalType = "Snapshot_Export", "Azure_Snapshot",
    true(), "Unknown"
  )
| eval RiskScore = case(
    ExternalDest = "MEGA", 90,
    ExternalDest = "AzureBlob_External", 75,
    ExternalDest = "AWS_S3_External", 75,
    SignalType = "SAS_Token_Generation", 65,
    SignalType = "Snapshot_Export", 80,
    true(), 50
  )
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, SignalType, ExternalDest, RiskScore])
| sort(@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Insight EDR (ProcessRollup2) CrowdStrike Falcon for IT Hygiene

Required Tables

#event_simpleName = ProcessRollup2

False Positives

Authorized DevOps engineers using AzCopy within CI/CD pipelines that publish build artifacts or deployment packages to external partner blob storage accounts with documented firewall exceptions.
Cloud platform teams using AWS CLI to copy EC2 snapshots across accounts for disaster recovery testing, where source and destination accounts are both under organizational control.
IT operations staff using MEGA Sync as an approved shadow IT workaround for large file transfers pending rollout of an enterprise file sharing solution — high false positive rate in environments without an approved cloud storage policy.

Last updated: 2026-04-20 Research depth: deep

References (14)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1537 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Transfer Data to Cloud Account

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Exfiltration

Popular Detections