T1567.002 Exfiltration to Cloud Storage Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let CloudStorageDomains = dynamic([
  "dropbox.com", "dropboxapi.com", "content.dropboxapi.com", "api.dropboxapi.com",
  "drive.google.com", "www.googleapis.com", "storage.googleapis.com", "oauth2.googleapis.com",
  "graph.microsoft.com", "onedrive.live.com", "api.onedrive.com", "files.1drv.com",
  "s3.amazonaws.com", "s3-us-east-1.amazonaws.com",
  "mega.io", "mega.nz", "api.mega.co.nz",
  "api.box.com", "upload.box.com"
]);
let CloudSyncBinaries = dynamic([
  "rclone.exe", "rclone", "azcopy.exe", "azcopy",
  "gsutil", "megaput", "megatools", "megacmd"
]);
// Signal 1: Large outbound transfers to known cloud storage endpoints
let LargeUploads = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (CloudStorageDomains)
| where BytesSent > 10485760
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemoteIP, RemotePort,
          BytesSent, InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, Signal = "LargeCloudUpload";
// Signal 2: Rclone or dedicated cloud sync tools executing
let CloudSyncTools = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (CloudSyncBinaries)
      or ProcessCommandLine has_any (
        "rclone copy", "rclone sync", "rclone move", "rclone mount",
        "azcopy copy", "azcopy sync",
        "gsutil cp", "gsutil rsync",
        "aws s3 cp", "aws s3 sync",
        ":dropbox", ":gdrive", ":onedrive", "mega:", ":s3", ":box"
      )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, Signal = "CloudSyncTool";
// Signal 3: curl/wget/python uploading to cloud storage APIs
let ApiUploads = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("curl.exe", "curl", "wget.exe", "wget",
                       "python.exe", "python3", "python3.exe",
                       "powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (CloudStorageDomains)
| where ProcessCommandLine has_any (
    "-T ", "--upload-file", "-X PUT", "-X POST", "--data-binary",
    "-d @", "upload", "put_file", "files_upload", "UploadFile",
    "Invoke-RestMethod", "Invoke-WebRequest", "WebClient"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, Signal = "CloudApiUpload";
union LargeUploads, CloudSyncTools, ApiUploads
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

OneDrive, Google Drive, and Dropbox desktop sync clients generating large uploads during normal backup or file sync operations
DevOps pipelines using rclone, azcopy, or gsutil for legitimate CI/CD artifact uploads to cloud storage
Backup software (Veeam, Acronis, BackBlaze) transferring large volumes to cloud-hosted S3-compatible backends
Data engineering workflows using gsutil or AWS CLI to transfer datasets between cloud and on-premise environments
Security tools performing cloud storage integrity checks or automated threat intelligence feeds pulling from S3/GCS

Splunk

spl

index=wineventlog
(
  (
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (
      Image="*\\rclone.exe" OR Image="*\\azcopy.exe" OR Image="*\\megatools.exe" OR Image="*\\megaput.exe"
      OR
      (
        (Image="*\\curl.exe" OR Image="*\\wget.exe" OR Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
        (CommandLine="*dropbox.com*" OR CommandLine="*dropboxapi.com*" OR CommandLine="*googleapis.com*" OR CommandLine="*graph.microsoft.com*" OR CommandLine="*s3.amazonaws.com*" OR CommandLine="*mega.io*" OR CommandLine="*mega.nz*" OR CommandLine="*onedrive.live.com*" OR CommandLine="*api.box.com*")
        (CommandLine="*-T *" OR CommandLine="*--upload-file*" OR CommandLine="*-X PUT*" OR CommandLine="*-X POST*" OR CommandLine="*--data-binary*" OR CommandLine="*upload*")
      )
      OR
      (
        (Image="*\\rclone.exe" OR Image="*\\azcopy.exe")
        OR (CommandLine="*rclone copy*" OR CommandLine="*rclone sync*" OR CommandLine="*rclone move*" OR CommandLine="*azcopy copy*" OR CommandLine="*azcopy sync*" OR CommandLine="*gsutil cp*" OR CommandLine="*gsutil rsync*" OR CommandLine="*aws s3 cp*" OR CommandLine="*aws s3 sync*")
        OR (CommandLine="*:dropbox*" OR CommandLine="*:gdrive*" OR CommandLine="*:onedrive*" OR CommandLine="*mega:*" OR CommandLine="*:s3*")
      )
    )
  )
  OR
  (
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
    Initiated=true
    (
      DestinationHostname="*dropbox.com" OR DestinationHostname="*dropboxapi.com"
      OR DestinationHostname="*googleapis.com" OR DestinationHostname="*drive.google.com"
      OR DestinationHostname="*graph.microsoft.com" OR DestinationHostname="*onedrive.live.com"
      OR DestinationHostname="*s3.amazonaws.com" OR DestinationHostname="*mega.io"
      OR DestinationHostname="*api.box.com"
    )
    NOT (Image="*\\OneDrive.exe" OR Image="*\\googledrivesync.exe" OR Image="*\\Dropbox.exe" OR Image="*\\GoogleDriveFS.exe")
  )
)
| eval SignalType=case(
    EventCode=1 AND match(Image, "(rclone|azcopy|megaput|megatools)"), "CloudSyncTool",
    EventCode=1 AND match(CommandLine, "(rclone copy|rclone sync|azcopy copy|gsutil cp|aws s3 cp)"), "CloudSyncCommand",
    EventCode=1, "ApiUpload",
    EventCode=3, "CloudStorageNetConn",
    true(), "Unknown"
  )
| eval IsKnownSyncClient=if(match(Image, "(OneDrive\.exe|googledrivesync\.exe|Dropbox\.exe|GoogleDriveFS\.exe|backup|veeam)"), 1, 0)
| where IsKnownSyncClient=0
| table _time, host, User, Image, CommandLine, DestinationHostname, DestinationPort, ParentImage, ParentCommandLine, SignalType
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

OneDrive, Google Drive, and Dropbox desktop sync clients — excluded by image name filter but verify the exclusion list matches your environment
DevOps CI/CD agents running rclone or azcopy for legitimate artifact management
IT-approved backup tools using cloud storage backends — add their process image names to the exclusion filter
Developers using AWS CLI or gsutil from personal workstations for legitimate project work
Security scanning or SIEM forwarder processes that check cloud storage endpoints for threat intelligence

Elastic Security (EQL)

eql

network where event.type == "connection" and
  network.direction == "outbound" and
  network.bytes > 10485760 and
  (
    destination.domain : ("*.dropbox.com","*.dropboxapi.com","drive.google.com","*.googleapis.com",
                           "*.onedrive.live.com","*.sharepoint.com","*.box.com","*.mega.nz",
                           "*.wetransfer.com","*.mediafire.com","gofile.io","*.anonfiles.com") and
    not process.name : ("OneDrive.exe","googledrivesync.exe","GoogleDriveFS.exe",
                         "dropbox.exe","box.exe","backup*","agent*")
  )

high severity medium confidence

Data Sources

Network Flow Events Endpoint Network Events

Required Tables

logs-endpoint.events.network-*

False Positives

OneDrive, Google Drive, and Dropbox desktop sync clients generating large uploads during normal backup or file sync operations
DevOps pipelines using rclone, azcopy, or gsutil for legitimate CI/CD artifact uploads to cloud storage
Backup software (Veeam, Acronis, BackBlaze) transferring large volumes to cloud-hosted S3-compatible backends
Data engineering workflows using gsutil or AWS CLI to transfer datasets between cloud and on-premise environments
Security tools performing cloud storage integrity checks or automated threat intelligence feeds pulling from S3/GCS

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource,
  "sourceip" as SourceIP, "destinationip" as DestIP,
  "Image" as ProcessImage, "DestinationHostname" as Hostname,
  SUM("BytesSent") as TotalBytesSent,
  CASE WHEN SUM("BytesSent") > 104857600 THEN 10
       WHEN SUM("BytesSent") > 10485760 THEN 7
       ELSE 4 END as RiskScore
FROM events
WHERE (
  "DestinationHostname" ILIKE ANY ('%dropbox%','%googleapis.com%','%onedrive%','%box.com%',
                                     '%mega.nz%','%wetransfer%','%mediafire%','%gofile.io%',
                                     '%anonfiles%','%sendspace%')
  AND "Direction" = 'outbound'
  AND LOWER(coalesce("Image","")) NOT LIKE ANY ('%onedrive%','%googledrive%','%dropbox%','%backup%')
)
GROUP BY "sourceip", "Image", "DestinationHostname", FLOOR(devicetime/3600000)
HAVING TotalBytesSent > 10485760
ORDER BY TotalBytesSent DESC

high severity medium confidence

Data Sources

Network Flow via QRadar Windows Sysmon Network Events

Required Tables

events

False Positives

OneDrive, Google Drive, and Dropbox desktop sync clients generating large uploads during normal backup or file sync operations
DevOps pipelines using rclone, azcopy, or gsutil for legitimate CI/CD artifact uploads to cloud storage
Backup software (Veeam, Acronis, BackBlaze) transferring large volumes to cloud-hosted S3-compatible backends
Data engineering workflows using gsutil or AWS CLI to transfer datasets between cloud and on-premise environments
Security tools performing cloud storage integrity checks or automated threat intelligence feeds pulling from S3/GCS

Sumo Logic CSE

sql

_sourceCategory=network/flow OR _sourceCategory=windows/sysmon
| json auto
| where Direction == "outbound" OR EventID == "3"
| eval hostname = toLower(coalesce(DestinationHostname, DestinationIp, ""))
| where hostname matches ".*(dropbox|googleapis|onedrive|sharepoint|box\.com|mega\.nz|wetransfer|mediafire|gofile|anonfiles).*"
| eval ImageLower = toLower(coalesce(Image,""))
| where !ImageLower matches ".*(onedrive|googledrive|dropbox|backup|agent).*"
| timeslice 1h
| stats sum(BytesSent) as TotalBytes, count() as Connections, dcount(DestinationHostname) as UniqueHosts
        by SourceIP, Image, _timeslice
| where TotalBytes > 10485760
| eval TotalMB = round(TotalBytes / 1048576, 2)
| eval risk = if(TotalBytes > 104857600, "critical", if(TotalBytes > 52428800, "high", "medium"))
| table _timeslice, SourceIP, Image, TotalMB, Connections, UniqueHosts, risk
| sort by TotalMB desc

high severity medium confidence

Data Sources

Network Flow via Sumo Logic Windows Sysmon Network Events

Required Tables

network/flow windows/sysmon

False Positives

OneDrive, Google Drive, and Dropbox desktop sync clients generating large uploads during normal backup or file sync operations
DevOps pipelines using rclone, azcopy, or gsutil for legitimate CI/CD artifact uploads to cloud storage
Backup software (Veeam, Acronis, BackBlaze) transferring large volumes to cloud-hosted S3-compatible backends
Data engineering workflows using gsutil or AWS CLI to transfer datasets between cloud and on-premise environments
Security tools performing cloud storage integrity checks or automated threat intelligence feeds pulling from S3/GCS

Google Chronicle / SecOps

yaral

rule cloud_storage_exfiltration {
  meta:
    author = "Detection Engineering"
    description = "Detects exfiltration to cloud storage (T1567.002)"
    severity = "HIGH"
    tactic = "TA0010"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    re.regex($e.target.hostname, `(?i)(dropbox\.com|googleapis\.com|onedrive|box\.com|mega\.nz|wetransfer|mediafire|gofile\.io)`) nocase
    $e.network.sent_bytes > 10485760
    not re.regex($e.principal.process.file.full_path, `(?i)(OneDrive|googledrive|dropbox|backup)`) nocase

  condition:
    $e
}

high severity medium confidence

Data Sources

Network Events via Chronicle UDM

Required Tables

NETWORK_CONNECTION

False Positives

OneDrive, Google Drive, and Dropbox desktop sync clients generating large uploads during normal backup or file sync operations
DevOps pipelines using rclone, azcopy, or gsutil for legitimate CI/CD artifact uploads to cloud storage
Backup software (Veeam, Acronis, BackBlaze) transferring large volumes to cloud-hosted S3-compatible backends
Data engineering workflows using gsutil or AWS CLI to transfer datasets between cloud and on-premise environments
Security tools performing cloud storage integrity checks or automated threat intelligence feeds pulling from S3/GCS

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "NetworkConnectIP4"
| RemoteAddressIP4 != null
| RemotePort IN ("80","443")
| ContextBaseFileName != /(OneDrive|GoogleDrive|dropbox|backup)/i
| stats sum(BytesOut) as TotalBytes, count() as Connections by ContextBaseFileName, RemoteAddressIP4, span(timestamp, 1h)
| where TotalBytes > 10485760
| eval TotalMB = round(TotalBytes / 1048576, 2)
| eval risk = if(TotalBytes > 104857600, "critical", "high")
| table timestamp, ComputerName, UserName, ContextBaseFileName, RemoteAddressIP4, TotalMB, Connections, risk
| sort by TotalMB desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Network Events

Required Tables

NetworkConnectIP4

False Positives

OneDrive, Google Drive, and Dropbox desktop sync clients generating large uploads during normal backup or file sync operations
DevOps pipelines using rclone, azcopy, or gsutil for legitimate CI/CD artifact uploads to cloud storage
Backup software (Veeam, Acronis, BackBlaze) transferring large volumes to cloud-hosted S3-compatible backends
Data engineering workflows using gsutil or AWS CLI to transfer datasets between cloud and on-premise environments
Security tools performing cloud storage integrity checks or automated threat intelligence feeds pulling from S3/GCS

Exfiltration to Cloud Storage

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Exfiltration

Popular Detections