Detect Transfer Data to Cloud Account in Microsoft Sentinel
Adversaries may exfiltrate data by transferring it to another cloud account they control on the same service. This technique abuses native cloud APIs, storage sharing mechanisms, and CLI tools (such as AzCopy, megatools, or AWS CLI) to move data across cloud account boundaries while blending into normal cloud traffic. Detection is complicated because the traffic stays within the provider's internal network and may not trigger perimeter data loss controls. Common methods include: sharing VM disk snapshots or AMIs to attacker-controlled accounts, generating shared access signature (SAS) URIs or pre-signed S3 URLs for anonymous access, using AzCopy or AWS S3 sync to copy storage contents cross-account, and creating cloud instance backups then exporting them to external subscriptions.
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1537 Transfer Data to Cloud Account
- Canonical reference
- https://attack.mitre.org/techniques/T1537/
KQL Detection Query
// Union of multiple T1537 detection signals: AzCopy exfil, SAS token abuse, snapshot sharing, and anomalous storage copy
let LookbackWindow = 24h;
let KnownStorageAccounts = dynamic([]); // Populate with your org's known storage account hostnames
// Signal 1: AzCopy execution with external cloud storage destinations
let AzCopySignal = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName =~ "azcopy.exe" or ProcessCommandLine has_cs "azcopy"
| where ProcessCommandLine has_any ("copy", "sync", "cp", "make")
| extend DestURL = extract(@"(?:copy|sync|cp|make)\s+(?:'[^']+'|\"[^\"]+\"|\S+)\s+(?:'([^']+)'|\"([^\"]+)\"|([^\s]+))", 1, ProcessCommandLine)
| extend HasExternalBlob = ProcessCommandLine has "blob.core.windows.net" and not(ProcessCommandLine has_any (KnownStorageAccounts))
| extend HasMegaUpload = ProcessCommandLine has_any ("mega.nz", "mega.co.nz", "megatools", "megaput", "megacopy")
| extend HasS3External = ProcessCommandLine has_any ("s3://", "s3.amazonaws.com") and ProcessCommandLine has_any ("--source-account", "--destination-account", "cross-account")
| where HasExternalBlob or HasMegaUpload or HasS3External
| extend SignalType = "AzCopy_Exfil"
| project Timestamp, DeviceName, AccountName, SignalType, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields;
// Signal 2: Azure SAS token generation via PowerShell or Azure CLI
let SASTokenSignal = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("powershell.exe", "pwsh.exe", "az.cmd", "az", "python.exe", "python3")
| where ProcessCommandLine has_any (
"New-AzStorageBlobSASToken",
"New-AzStorageContainerSASToken",
"New-AzStorageAccountSASToken",
"az storage blob generate-sas",
"az storage container generate-sas",
"az storage account generate-sas",
"GenerateSasUri",
"generate-sas"
)
| where ProcessCommandLine has_any ("--expiry", "-ExpiryTime", "--permissions", "rwdl", "racwdl")
| extend SignalType = "SAS_Token_Generation"
| project Timestamp, DeviceName, AccountName, SignalType, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields;
// Signal 3: Cloud snapshot or disk image creation/export commands
let SnapshotSignal = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("powershell.exe", "pwsh.exe", "az.cmd", "aws.exe", "python.exe")
| where ProcessCommandLine has_any (
"az snapshot create",
"az disk create",
"az snapshot grant-access",
"New-AzSnapshot",
"Grant-AzSnapshotAccess",
"ec2 copy-snapshot",
"ec2 modify-snapshot-attribute",
"ec2 create-image",
"ec2 modify-image-attribute",
"CreateSnapshot",
"CopySnapshot"
)
| extend SignalType = "Snapshot_Export"
| project Timestamp, DeviceName, AccountName, SignalType, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields;
// Signal 4: Mega cloud upload tools
let MegaSignal = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("megacopy.exe", "megaput.exe", "megals.exe", "MegaSync.exe", "megatools.exe", "megacmd.exe", "mega-put", "mega-copy")
or ProcessCommandLine has_any ("mega.nz", "megatools", "megacopy", "megaput", "MegaSync")
| extend SignalType = "Mega_Upload"
| project Timestamp, DeviceName, AccountName, SignalType, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields;
// Combine all signals
union AzCopySignal, SASTokenSignal, SnapshotSignal, MegaSignal
| sort by Timestamp descDetects cloud-to-cloud data transfer exfiltration using four signal types: (1) AzCopy execution targeting external Azure Blob Storage accounts outside known organizational storage, (2) generation of Azure SAS tokens or pre-signed URLs that enable anonymous access to cloud data, (3) cloud disk snapshot creation and export commands targeting external accounts via Azure CLI, AWS CLI, or PowerShell, and (4) Mega.nz upload tool execution. Requires populating KnownStorageAccounts with your organization's legitimate Azure storage hostnames. Uses DeviceProcessEvents from Microsoft Defender for Endpoint.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate cloud migration projects using AzCopy to transfer data between organizational Azure subscriptions owned by different teams or business units
- Backup and disaster recovery tools that create and export VM snapshots to secondary Azure subscriptions or storage accounts as part of approved BCP/DR procedures
- DevOps pipelines and infrastructure-as-code workflows generating SAS tokens programmatically for legitimate cross-service data access (e.g., CI/CD artifact storage)
- Data engineering teams using Mega or other cloud storage services for approved data sharing with external partners or contractors
- Azure Site Recovery and Azure Backup services that internally use snapshot APIs for replication to paired regions
Other platforms for T1537
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AzCopy Transfer to External Azure Blob Storage
Expected signal: Sysmon Event ID 1: Process Create with Image=azcopy.exe (or azcopy path), CommandLine containing 'copy' and 'blob.core.windows.net' with a SAS token signature. Sysmon Event ID 3: Network Connection from azcopy.exe to TESTACCOUNT.blob.core.windows.net:443. Sysmon Event ID 11: File access events for the source files being read. AzCopy job log created at %USERPROFILE%\.azcopy\*.log.
- Test 2Azure SAS Token Generation via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'New-AzStorageContainerSASToken', '-Permission', 'rwdl', and '-ExpiryTime'. PowerShell ScriptBlock Log Event ID 4104 with full script contents including the SAS generation call. Sysmon Event ID 3: Network connection from powershell.exe to management.azure.com:443 for the Az module API calls.
- Test 3Azure Snapshot Creation and Export via Azure CLI
Expected signal: Sysmon Event ID 1 (two events): (1) az.cmd process with CommandLine 'az snapshot create ... --source /subscriptions/...'. (2) az.cmd with CommandLine 'az snapshot grant-access ... --duration-in-seconds 3600'. Sysmon Event ID 3: Network connections from az.cmd to management.azure.com:443. Azure Activity Log entries: OperationName=Microsoft.Compute/snapshots/write (Success) and Microsoft.Compute/snapshots/beginGetAccess/action (Success) — visible in AzureActivity table in Log Analytics within ~5 minutes.
- Test 4Mega.nz Upload Tool Execution (megatools)
Expected signal: Sysmon for Linux (or auditd) process creation event: Image=/usr/bin/megaput, CommandLine containing '--username', '--path', and the local file path. Sysmon Event ID 3 (Linux): Network connection from megaput to g.api.mega.co.nz:443 (initial API auth) and *.userstorage.mega.co.nz:443 (actual upload). Auditd SYSCALL record type=EXECVE with megaput binary. Linux /var/log/auth.log or syslog may record the process execution depending on auditing configuration.
References (14)
- https://attack.mitre.org/techniques/T1537/
- https://tldrsec.com/p/blog-lesser-known-aws-attacks
- https://docs.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature
- https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
- https://docs.microsoft.com/en-us/azure/storage/blobs/snapshots-overview
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
- https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf
- https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
- https://www.secureworks.com/research/gold-ionic-inc-ransom
- https://www.group-ib.com/resources/research/redcurl/
- https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
- https://github.com/megous/megatools
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
Unlock Pro Content
Get the full detection package for T1537 including response playbook, investigation guide, and atomic red team tests.