Detect Exfiltration to Cloud Storage in Sumo Logic CSE
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services such as Dropbox, Google Drive, OneDrive, MEGA, and Amazon S3 allow storage and retrieval of data over the Internet. Exfiltration to these services can blend with legitimate enterprise traffic, providing significant cover. Real-world threat actors including Akira, Leviathan, POLONIUM, LuminousMoth, Mustang Panda, and Kimsuky have all leveraged cloud storage for data theft. Rclone is the most commonly observed tool, used by multiple ransomware and espionage groups to automate bulk transfers to attacker-controlled cloud accounts.
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1567 Exfiltration Over Web Service
- Sub-technique
- T1567.002 Exfiltration to Cloud Storage
- Canonical reference
- https://attack.mitre.org/techniques/T1567/002/
Sumo Detection Query
_sourceCategory=network/flow OR _sourceCategory=windows/sysmon
| json auto
| where Direction == "outbound" OR EventID == "3"
| toLowerCase(coalesce(DestinationHostname, DestinationIp, "")) as hostname
| where hostname matches /(dropbox|googleapis|onedrive|sharepoint|box\.com|mega\.nz|wetransfer|mediafire|gofile|anonfiles)/
| toLowerCase(coalesce(Image, "")) as image_lower
| where !(image_lower matches /(onedrive|googledrive|dropbox|backup|agent)/)
| timeslice 1h
| sum(BytesSent) as TotalBytes, count as Connections, count_distinct(DestinationHostname) as UniqueHosts by SourceIP, Image, _timeslice
| where TotalBytes > 10485760
| round(TotalBytes / 1048576, 2) as TotalMB
| if(TotalBytes > 104857600, "critical", if(TotalBytes > 52428800, "high", "medium")) as risk
| fields _timeslice, SourceIP, Image, TotalMB, Connections, UniqueHosts, risk
| sort by TotalMB desc
The query flags any source IP and process pair that sends more than 10 MB to a cloud storage host within a one-hour timeslice, tiers the result by volume (over 50 MB high, over 100 MB critical), and suppresses process names that look like sync or backup clients. Three caveats apply. BytesSent is present only in flow records, so Sysmon Event ID 3 rows add to Connections but contribute nothing to TotalBytes; if your flow feed carries no process name, drop Image from the aggregation or the flow rows will not group usefully. The googleapis and sharepoint patterns match all Google API and SharePoint traffic, not just Drive and OneDrive uploads, so expect to narrow them to upload endpoints during tuning. Finally, the Image allow-list is name-based and is defeated by renaming rclone.exe to OneDrive.exe; pair it with a signer or hash check where your telemetry provides one.
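The filter, aggregate and threshold steps of the query re-implemented in Python, as an added example that is not the page's own code or a Sumo Logic artifact, so the grouping, the sync-client exclusion and the risk tiers can be exercised offline. It assumes both feeds are normalized to the field names the query uses (SourceIP, Image, DestinationHostname, BytesSent, and _messagetime as an epoch in milliseconds); the sample telemetry is constructed, not captured.

```python
# Added example, not the page's or Sumo Logic's own code: the volume-threshold logic
# of the query re-implemented in Python and run over constructed records. Field names
# are assumed to be normalized as the query expects; the sample data is constructed.
import re
from collections import defaultdict

CLOUD_HOST_RE = re.compile(
    r"(dropbox|googleapis|onedrive|sharepoint|box\.com|mega\.nz|wetransfer|"
    r"mediafire|gofile|anonfiles)"
)
SYNC_CLIENT_RE = re.compile(r"(onedrive|googledrive|dropbox|backup|agent)")
MB = 1048576


def risk_tier(total_bytes):
    """Same tiers as the query's nested if(): >100 MB critical, >50 MB high, else medium."""
    if total_bytes > 100 * MB:
        return "critical"
    if total_bytes > 50 * MB:
        return "high"
    return "medium"


def timeslice_1h(epoch_ms):
    """Equivalent of `timeslice 1h`: truncate a millisecond epoch to the start of its hour."""
    return epoch_ms - epoch_ms % 3_600_000


def detect(records, min_bytes=10 * MB):
    """Filter, aggregate and threshold a list of record dicts the way the query does."""
    buckets = defaultdict(lambda: {"bytes": 0, "conns": 0, "hosts": set()})
    for r in records:
        # where Direction == "outbound" OR EventID == "3"
        if r.get("Direction") != "outbound" and str(r.get("EventID", "")) != "3":
            continue
        # toLowerCase(coalesce(DestinationHostname, DestinationIp, "")) as hostname
        host = (r.get("DestinationHostname") or r.get("DestinationIp") or "").lower()
        if not CLOUD_HOST_RE.search(host):
            continue
        image = r.get("Image") or ""
        if SYNC_CLIENT_RE.search(image.lower()):
            continue  # name-based allow-list for sync/backup clients
        key = (r["SourceIP"], image, timeslice_1h(r["_messagetime"]))
        b = buckets[key]
        # Sysmon EID 3 rows carry no BytesSent: they add a connection but zero volume
        b["bytes"] += int(r.get("BytesSent") or 0)
        b["conns"] += 1
        if r.get("DestinationHostname"):
            b["hosts"].add(r["DestinationHostname"].lower())
    hits = []
    for (src, image, ts), b in buckets.items():
        if b["bytes"] > min_bytes:  # where TotalBytes > 10485760
            hits.append({
                "_timeslice": ts, "SourceIP": src, "Image": image,
                "TotalMB": round(b["bytes"] / MB, 2),
                "Connections": b["conns"], "UniqueHosts": len(b["hosts"]),
                "risk": risk_tier(b["bytes"]),
            })
    hits.sort(key=lambda h: h["TotalMB"], reverse=True)  # sort by TotalMB desc
    return hits


# Constructed sample telemetry; T0 is an exact hour boundary so every record shares one slice.
T0 = 1_699_999_200_000


def flow(src, image, host, nbytes, offset_ms=0):
    """Build one constructed outbound flow record in the query's field names."""
    return {"_messagetime": T0 + offset_ms, "Direction": "outbound", "SourceIP": src,
            "Image": image, "DestinationHostname": host, "BytesSent": nbytes}


SAMPLE = [
    # rclone: three 20 MB flows plus one Sysmon EID 3 row for the same process and host
    flow("10.0.0.5", "rclone.exe", "content.dropboxapi.com", 20 * MB),
    flow("10.0.0.5", "rclone.exe", "content.dropboxapi.com", 20 * MB, 60_000),
    flow("10.0.0.5", "rclone.exe", "content.dropboxapi.com", 20 * MB, 120_000),
    {"_messagetime": T0 + 500, "EventID": "3", "SourceIP": "10.0.0.5", "Image": "rclone.exe",
     "DestinationHostname": "content.dropboxapi.com"},
    # OneDrive sync client: large, but suppressed by the Image allow-list
    flow("10.0.0.7", "OneDrive.exe", "my.onedrive.com", 200 * MB),
    # Browser hitting a Google API: matches the host pattern but stays under 10 MB
    flow("10.0.0.9", "chrome.exe", "www.googleapis.com", 2 * MB),
    # curl pushing 150 MB to MEGA in a single connection
    flow("10.0.0.5", "curl.exe", "mega.nz", 150 * MB),
]

if __name__ == "__main__":
    for h in detect(SAMPLE):
        print(h)
```

Run as a script it prints two rows, curl.exe at 150 MB (critical) and rclone.exe at 60 MB (high, four connections because the Sysmon row counts as a connection without adding bytes); the OneDrive.exe and chrome.exe rows are suppressed by the allow-list and the 10 MB floor respectively. Swapping the constructed records for an export of your own flow and Sysmon events is the quickest way to see which of the two feeds is actually driving the alert.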
Data Sources
- Network flow (or proxy) logs ingested under _sourceCategory=network/flow carrying Direction, SourceIP, DestinationHostname or DestinationIp, and BytesSent. This is the only source that supplies byte counts, so it is what drives the volume thresholds.
- Sysmon ingested under _sourceCategory=windows/sysmon: Event ID 3 (network connection) ties a process Image to a cloud destination; Event IDs 1 and 11 and PowerShell Event ID 4104 are what the tests below generate.
- Both feeds must parse with json auto into the field names the query uses; Sysmon emits SourceIp rather than SourceIP, so rename at ingest or adjust the query to match your parser.
False Positives & Tuning
- OneDrive, Google Drive, and Dropbox desktop sync clients generating large uploads during normal backup or file sync operations
- DevOps pipelines using rclone, azcopy, or gsutil for legitimate CI/CD artifact uploads to cloud storage
- Backup software (Veeam, Acronis, BackBlaze) transferring large volumes to cloud-hosted S3-compatible backends
- Data engineering workflows using gsutil or AWS CLI to transfer datasets between cloud and on-premise environments
- Security tools performing cloud storage integrity checks or automated threat intelligence feeds pulling from S3/GCS
Testing Methodology
Validate this detection against the four Atomic Red Team tests for T1567.002 listed below. Each test describes the behaviour to exercise and the telemetry you should expect to see; executable commands and cleanup steps are available with Pro.
- Test 1: Rclone Exfiltration to Dropbox (Simulated with Local Filesystem Remote)
Expected signal: Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'copy' and the source path. A second Event ID 1 for the 'rclone config create' invocation with 'localtest local' arguments. Security Event ID 4688 if command line auditing is enabled.
- Test 2: curl Upload to Cloud Storage API Endpoint
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'content.dropboxapi.com', '-X POST', and '--data-binary'. Sysmon Event ID 3: Network Connection attempted to content.dropboxapi.com:443. The connection fails because the token is invalid, but the process and network events are still generated.
- Test 3: PowerShell Upload to OneDrive Graph API
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'graph.microsoft.com', 'Invoke-RestMethod', 'PUT', and 'content'. Sysmon Event ID 3: Network Connection to graph.microsoft.com:443. PowerShell ScriptBlock Log Event ID 4104 with the full upload script.
- Test 4: Rclone Configuration File Drop and Cloud Remote Enumeration
Expected signal: Sysmon Event ID 11: File Create for %APPDATA%\rclone\rclone.conf. Sysmon Event ID 1: Process Create with Image=rclone.exe, CommandLine containing 'listremotes' and '--config'. Security Event ID 4688 (if enabled) capturing the rclone invocation. The rclone.conf file creation event is a high-fidelity indicator on its own, independent of the volume query above, and is worth a dedicated file-create rule on hosts where rclone is not an approved tool.
References
- https://attack.mitre.org/techniques/T1567/002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md
- https://rclone.org/docs/
- https://www.secureworks.com/research/gold-sahara
- https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-LuminousMoth-creat5540-en-EN.pdf
- https://research.nccgroup.com/2021/06/15/responding-to-ransomware-rclone-and-the-many-flavors-of-data-exfiltration/
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
- https://learn.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy
- https://unit42.paloaltonetworks.com/stately-taurus-targets-myanmar-government/
- https://www.cisa.gov/sites/default/files/publications/AA21-291A.pdf