Detect Transfer Data to Cloud Account in IBM QRadar

Adversaries may exfiltrate data by transferring it to another cloud account they control on the same service. This technique abuses native cloud APIs, storage sharing mechanisms, and CLI tools (such as AzCopy, megatools, or AWS CLI) to move data across cloud account boundaries while blending into normal cloud traffic. Detection is complicated because the traffic stays within the provider's internal network and may not trigger perimeter data loss controls. Common methods include: sharing VM disk snapshots or AMIs to attacker-controlled accounts, generating shared access signature (SAS) URIs or pre-signed S3 URLs for anonymous access, using AzCopy or AWS S3 sync to copy storage contents cross-account, and creating cloud instance backups then exporting them to external subscriptions.

MITRE ATT&CK

Tactic: Exfiltration
Technique: T1537 Transfer Data to Cloud Account
Canonical reference: https://attack.mitre.org/techniques/T1537/

QRadar Detection Query

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS UserName,
  "Computer Name" AS DeviceName,
  QIDNAME(qid) AS EventName,
  "Process CommandLine" AS CommandLine,
  "Process Image" AS ProcessImage,
  "Parent Process Image" AS ParentImage,
  CASE
    WHEN LOWER("Process CommandLine") LIKE '%azcopy%'
      AND (LOWER("Process CommandLine") LIKE '%blob.core.windows.net%'
           OR LOWER("Process CommandLine") LIKE '%mega.nz%'
           OR LOWER("Process CommandLine") LIKE '%megatools%'
           OR LOWER("Process CommandLine") LIKE '%s3.amazonaws.com%')
    THEN 'AzCopy_Exfil'
    WHEN (LOWER("Process CommandLine") LIKE '%new-azstorageblob%'
          OR LOWER("Process CommandLine") LIKE '%new-azstoragecontainer%'
          OR LOWER("Process CommandLine") LIKE '%new-azstorageaccount%'
          OR LOWER("Process CommandLine") LIKE '%generate-sas%'
          OR LOWER("Process CommandLine") LIKE '%generatesasuri%')
    THEN 'SAS_Token_Generation'
    WHEN (LOWER("Process CommandLine") LIKE '%az snapshot create%'
          OR LOWER("Process CommandLine") LIKE '%az snapshot grant-access%'
          OR LOWER("Process CommandLine") LIKE '%new-azsnapshot%'
          OR LOWER("Process CommandLine") LIKE '%grant-azsnapshotaccess%'
          OR LOWER("Process CommandLine") LIKE '%ec2 copy-snapshot%'
          OR LOWER("Process CommandLine") LIKE '%ec2 modify-snapshot-attribute%'
          OR LOWER("Process CommandLine") LIKE '%ec2 create-image%'
          OR LOWER("Process CommandLine") LIKE '%modify-image-attribute%')
    THEN 'Snapshot_Export'
    WHEN (LOWER("Process Image") LIKE '%megacopy%'
          OR LOWER("Process Image") LIKE '%megaput%'
          OR LOWER("Process Image") LIKE '%megasync%'
          OR LOWER("Process Image") LIKE '%megacmd%'
          OR LOWER("Process CommandLine") LIKE '%mega.nz%'
          OR LOWER("Process CommandLine") LIKE '%megatools%')
    THEN 'Mega_Upload'
    ELSE 'Unknown'
  END AS SignalType
FROM events
WHERE
  starttime > NOW() - 86400000
  AND devicetype IN (12, 119, 252, 420)
  AND (
    (
      LOWER("Process CommandLine") LIKE '%azcopy%' AND (
        LOWER("Process CommandLine") LIKE '%blob.core.windows.net%' OR
        LOWER("Process CommandLine") LIKE '%mega.nz%' OR
        LOWER("Process CommandLine") LIKE '%megatools%' OR
        LOWER("Process CommandLine") LIKE '%megacopy%' OR
        LOWER("Process CommandLine") LIKE '%megaput%' OR
        LOWER("Process CommandLine") LIKE '%s3.amazonaws.com%'
      )
    ) OR (
      (
        LOWER("Process Image") LIKE '%powershell%' OR
        LOWER("Process Image") LIKE '%pwsh%' OR
        LOWER("Process Image") LIKE '%az.cmd%' OR
        LOWER("Process Image") LIKE '%python%'
      ) AND (
        LOWER("Process CommandLine") LIKE '%new-azstorageblob%' OR
        LOWER("Process CommandLine") LIKE '%new-azstoragecontainer%' OR
        LOWER("Process CommandLine") LIKE '%new-azstorageaccount%' OR
        LOWER("Process CommandLine") LIKE '%generate-sas%' OR
        LOWER("Process CommandLine") LIKE '%generatesasuri%'
      ) AND (
        LOWER("Process CommandLine") LIKE '%--expiry%' OR
        LOWER("Process CommandLine") LIKE '%-expirytime%' OR
        LOWER("Process CommandLine") LIKE '%--permissions%'
      )
    ) OR
      LOWER("Process CommandLine") LIKE '%az snapshot create%' OR
      LOWER("Process CommandLine") LIKE '%az snapshot grant-access%' OR
      LOWER("Process CommandLine") LIKE '%new-azsnapshot%' OR
      LOWER("Process CommandLine") LIKE '%grant-azsnapshotaccess%' OR
      LOWER("Process CommandLine") LIKE '%ec2 copy-snapshot%' OR
      LOWER("Process CommandLine") LIKE '%ec2 modify-snapshot-attribute%' OR
      LOWER("Process CommandLine") LIKE '%ec2 create-image%' OR
      LOWER("Process CommandLine") LIKE '%modify-image-attribute%'
    OR (
      LOWER("Process Image") LIKE '%megacopy%' OR
      LOWER("Process Image") LIKE '%megaput%' OR
      LOWER("Process Image") LIKE '%megasync%' OR
      LOWER("Process Image") LIKE '%megacmd%' OR
      LOWER("Process CommandLine") LIKE '%mega.nz%' OR
      LOWER("Process CommandLine") LIKE '%megatools%'
    )
  )
ORDER BY starttime DESC

Severity: High, Confidence: Medium

AQL query for IBM QRadar that detects T1537 cloud data transfer exfiltration. It correlates process execution events from Windows Security (EventCode 4688), Sysmon (EventCode 1), and Endpoint Detection log sources, restricted to the last 24 hours (NOW() - 86400000 milliseconds), and classifies each matching event into one of four signal types: AzCopy exfiltration to external destinations, SAS token generation, cloud snapshot export, and MEGA upload tool usage. The log source type filter uses IDs 12=WinEventLog, 119=Sysmon, 252=Microsoft Windows, 420=Endpoint Detection; confirm these against the log source types defined in your own deployment before enabling the rule.

Data Sources

  • Windows Security Event Log (EventCode 4688)
  • Sysmon (EventCode 1)
  • QRadar Endpoint Detection

Required Tables

events

False Positives & Tuning

  • Authorized IT migration projects using AzCopy to transfer data between sanctioned Azure storage accounts, particularly during tenant consolidation or cloud onboarding.
  • Automated backup jobs or IaC tools (Terraform, Ansible) that create snapshots or disk images as part of scheduled maintenance or CI/CD pipelines.
  • Cloud security tooling that generates short-lived SAS tokens for read-only audit purposes or approved third-party SIEM integrations.

Testing Methodology

Validate this detection against four Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AzCopy Transfer to External Azure Blob Storage

    Expected signal: Sysmon Event ID 1: Process Create with Image=azcopy.exe (or azcopy path), CommandLine containing 'copy' and 'blob.core.windows.net' with a SAS token signature. Sysmon Event ID 3: Network Connection from azcopy.exe to TESTACCOUNT.blob.core.windows.net:443. Sysmon Event ID 11: File access events for the source files being read. AzCopy job log created at %USERPROFILE%\.azcopy\*.log.

  2. Test 2: Azure SAS Token Generation via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'New-AzStorageContainerSASToken', '-Permission', 'rwdl', and '-ExpiryTime'. PowerShell ScriptBlock Log Event ID 4104 with full script contents including the SAS generation call. Sysmon Event ID 3: Network connection from powershell.exe to management.azure.com:443 for the Az module API calls.

  3. Test 3: Azure Snapshot Creation and Export via Azure CLI

    Expected signal: Sysmon Event ID 1 (two events): (1) az.cmd process with CommandLine 'az snapshot create ... --source /subscriptions/...'. (2) az.cmd with CommandLine 'az snapshot grant-access ... --duration-in-seconds 3600'. Sysmon Event ID 3: Network connections from az.cmd to management.azure.com:443. Azure Activity Log entries: OperationName=Microsoft.Compute/snapshots/write (Success) and Microsoft.Compute/snapshots/beginGetAccess/action (Success) — visible in AzureActivity table in Log Analytics within ~5 minutes.

  4. Test 4: Mega.nz Upload Tool Execution (megatools)

    Expected signal: Sysmon for Linux (or auditd) process creation event: Image=/usr/bin/megaput, CommandLine containing '--username', '--path', and the local file path. Sysmon Event ID 3 (Linux): Network connection from megaput to g.api.mega.co.nz:443 (initial API auth) and *.userstorage.mega.co.nz:443 (actual upload). Auditd SYSCALL record type=EXECVE with megaput binary. Linux /var/log/auth.log or syslog may record the process execution depending on auditing configuration.
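To check the AQL logic above against the expected signals of Tests 1 to 4 before deploying it, the following Python mirrors the query's WHERE clause and CASE expression over constructed process events. This is an added example, not part of the original detection package; the event records, file paths and command lines are constructed to resemble the telemetry each test describes, and the devicetype values are the log source type IDs the query filters on.

```python
from collections import namedtuple

# Constants copied from the AQL query on this page (the WHERE clause lists two AzCopy destinations the CASE omits).
LOG_SOURCE_TYPES = {12, 119, 252, 420}
AZCOPY_CASE_DESTS = ("blob.core.windows.net", "mega.nz", "megatools", "s3.amazonaws.com")
AZCOPY_WHERE_DESTS = AZCOPY_CASE_DESTS + ("megacopy", "megaput")
SAS_SHELLS = ("powershell", "pwsh", "az.cmd", "python")
SAS_CMDLETS = ("new-azstorageblob", "new-azstoragecontainer", "new-azstorageaccount", "generate-sas", "generatesasuri")
SAS_ARGS = ("--expiry", "-expirytime", "--permissions")
SNAPSHOT_CMDS = ("az snapshot create", "az snapshot grant-access", "new-azsnapshot", "grant-azsnapshotaccess",
                 "ec2 copy-snapshot", "ec2 modify-snapshot-attribute", "ec2 create-image", "modify-image-attribute")
MEGA_IMAGES = ("megacopy", "megaput", "megasync", "megacmd")
MEGA_CMDS = ("mega.nz", "megatools")
# devicetype = log source type ID; image / cmdline = the "Process Image" / "Process CommandLine" properties.
ProcessEvent = namedtuple("ProcessEvent", "devicetype image cmdline")

def _has(text, needles):
    return any(n in text for n in needles)

def passes_where(ev):
    """Mirror of the WHERE clause: log source type filter plus the four OR branches."""
    cmd, img = ev.cmdline.lower(), ev.image.lower()
    if ev.devicetype not in LOG_SOURCE_TYPES:
        return False
    return (("azcopy" in cmd and _has(cmd, AZCOPY_WHERE_DESTS))
            or (_has(img, SAS_SHELLS) and _has(cmd, SAS_CMDLETS) and _has(cmd, SAS_ARGS))
            or _has(cmd, SNAPSHOT_CMDS) or _has(img, MEGA_IMAGES) or _has(cmd, MEGA_CMDS))

def signal_type(ev):
    """Mirror of the CASE expression (first WHEN wins); None when the WHERE clause drops the event."""
    if not passes_where(ev):
        return None
    cmd, img = ev.cmdline.lower(), ev.image.lower()
    if "azcopy" in cmd and _has(cmd, AZCOPY_CASE_DESTS):
        return "AzCopy_Exfil"
    if _has(cmd, SAS_CMDLETS):
        return "SAS_Token_Generation"
    if _has(cmd, SNAPSHOT_CMDS):
        return "Snapshot_Export"
    if _has(img, MEGA_IMAGES) or _has(cmd, MEGA_CMDS):
        return "Mega_Upload"
    return "Unknown"

# Constructed events mirroring the expected signals of Tests 1-4, plus a benign Az cmdlet that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(119, r"C:\Tools\azcopy.exe", 'azcopy copy "C:\\Data" "https://TESTACCOUNT.blob.core.windows.net/out?sv=2022-11-02&sig=REDACTED"'),
    ProcessEvent(119, "powershell.exe", 'powershell -c "New-AzStorageContainerSASToken -Name data -Permission rwdl -ExpiryTime (Get-Date).AddHours(1)"'),
    ProcessEvent(12, "az.cmd", "az snapshot grant-access --resource-group rg --name snap1 --duration-in-seconds 3600"),
    ProcessEvent(420, "/usr/bin/megaput", "megaput --username user@example.com --path /Root/out /tmp/dump.tgz"),
    ProcessEvent(119, "powershell.exe", "powershell -c Get-AzStorageAccount -ResourceGroupName rg"),
]

def classify_all(events=SAMPLE_EVENTS):
    return [signal_type(ev) for ev in events]
```

Running classify_all() yields one signal type per test event and None for the benign cmdlet; feed it your own captured 4688 or Sysmon command lines to see which branch (if any) admits them before tuning the allowlist.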
