THREAT-CloudStorage-DataExfil

Data Exfiltration via Cloud Storage Services

Exfiltration of corporate data to attacker-controlled cloud storage is a dominant technique in double-extortion ransomware campaigns and espionage operations. Adversaries use legitimate cloud storage services (Mega, Dropbox, OneDrive, Box, Google Drive, rclone, AzCopy, ShareFile) to blend exfiltration traffic with normal business activity, bypassing egress monitoring that blocks unknown C2 IPs. Scattered Spider used Mega for SMB data exfiltration before ransomware deployment in 2024-2025. Akira and Black Basta affiliates use rclone with SFTP/cloud backends. Lazarus Group favors Dropbox and Google Drive. Key indicators: rclone.exe or azcopy.exe execution with external cloud endpoints, large outbound data transfers to cloud storage IPs, WinSCP or FileZilla used for bulk data staging, and PowerShell Invoke-WebRequest with cloud storage URLs. Detection opportunity exists in the staging phase (file collection before transfer) and the transfer phase (network and process telemetry).

Microsoft Sentinel / Defender

kusto

// THREAT: Data Exfiltration via Cloud Storage
// Detects use of rclone, AzCopy, and cloud storage APIs for data exfiltration

// Alert 1: rclone execution (major exfiltration tool for ransomware groups)
let RcloneIndicators = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "rclone.exe"
    or ProcessCommandLine has_any ("rclone", "rclone.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, FolderPath
| extend ThreatType = "Exfil_Rclone"
| extend RiskScore = 85;
// Alert 2: AzCopy with external Azure storage accounts
let AzCopyExternal = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "azcopy.exe" or FileName =~ "azcopy"
| where ProcessCommandLine has_any (
    "blob.core.windows.net", "file.core.windows.net",
    "queue.core.windows.net"
  )
// Exclude known corporate storage accounts
| where ProcessCommandLine !has "<YOUR_CORPORATE_STORAGE_ACCOUNT>"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| extend ThreatType = "Exfil_AzCopy_External"
| extend RiskScore = 80;
// Alert 3: Large data upload to cloud storage (network telemetry)
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType =~ "ConnectionSuccess"
| where RemoteUrl has_any (
    "mega.nz", "mega.io",
    "dropbox.com", "dropboxapi.com",
    "box.com", "box.net",
    "onedrive.live.com", "1drv.ms",
    "sharefile.com", "drive.google.com",
    "sendspace.com", "filebin.net",
    "transfer.sh", "gofile.io", "anonfiles.com"
  ) or RemoteUrl matches regex @"[a-z0-9]{5,}\.blob\.core\.windows\.net"
| summarize
    Connections=count(),
    BytesSent=sum(SentBytes),
    Domains=make_set(RemoteUrl)
  by DeviceName, AccountName, InitiatingProcessFileName, bin(Timestamp, 1h)
| where BytesSent > 100000000  // 100MB threshold
| extend ThreatType = "Exfil_LargeCloudUpload"
| extend RiskScore = 70;
union RcloneIndicators, AzCopyExternal
| sort by RiskScore desc, Timestamp desc

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceNetworkEvents) Sysmon Event ID 1, 3 Proxy/web gateway logs Network flow data (NetFlow/IPFIX)

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate rclone use by system administrators for cloud backup operations (should be documented and excluded by account name)
Corporate AzCopy scripts synchronising data with legitimate company Azure storage accounts
Users with business accounts for Dropbox or Box uploading work files (OneDrive and Box are commonly used for business)
Large legitimate data transfers to authorised cloud archival storage

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
    hostname AS Hostname,
    username AS User,
    "Process Name" AS ProcessName,
    "Command Line" AS CommandLine,
    LOGSOURCETYPENAME(logsourceid) AS LogSourceType,
    CATEGORYNAME(category) AS EventCategory,
    CASE
        WHEN LOWER("Process Name") LIKE '%rclone.exe%' THEN 85
        WHEN LOWER("Process Name") LIKE '%azcopy.exe%' THEN 80
        ELSE 70
    END AS RiskScore,
    CASE
        WHEN LOWER("Process Name") LIKE '%rclone.exe%' THEN 'Exfil_Rclone'
        WHEN LOWER("Process Name") LIKE '%azcopy.exe%' THEN 'Exfil_AzCopy'
        ELSE 'Exfil_CloudStorage'
    END AS ThreatType
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    LOWER("Process Name") LIKE '%rclone.exe%'
    OR (
        LOWER("Process Name") LIKE '%azcopy.exe%'
        AND (
            LOWER("Command Line") LIKE '%blob.core.windows.net%'
            OR LOWER("Command Line") LIKE '%file.core.windows.net%'
            OR LOWER("Command Line") LIKE '%queue.core.windows.net%'
        )
    )
    OR (
        (
            LOWER("Process Name") LIKE '%powershell.exe%'
            OR LOWER("Process Name") LIKE '%pwsh.exe%'
            OR LOWER("Process Name") LIKE '%curl.exe%'
            OR LOWER("Process Name") LIKE '%wscript.exe%'
        )
        AND (
            LOWER("Command Line") LIKE '%mega.nz%'
            OR LOWER("Command Line") LIKE '%mega.io%'
            OR LOWER("Command Line") LIKE '%dropbox.com%'
            OR LOWER("Command Line") LIKE '%dropboxapi.com%'
            OR LOWER("Command Line") LIKE '%transfer.sh%'
            OR LOWER("Command Line") LIKE '%gofile.io%'
            OR LOWER("Command Line") LIKE '%box.com%'
            OR LOWER("Command Line") LIKE '%box.net%'
            OR LOWER("Command Line") LIKE '%drive.google.com%'
            OR LOWER("Command Line") LIKE '%onedrive.live.com%'
            OR LOWER("Command Line") LIKE '%sharefile.com%'
            OR LOWER("Command Line") LIKE '%sendspace.com%'
            OR LOWER("Command Line") LIKE '%filebin.net%'
            OR LOWER("Command Line") LIKE '%anonfiles.com%'
        )
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY RiskScore DESC, starttime DESC
LIMIT 500

high severity high confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Security Event Log (via WinCollect) Sysmon Events (via WinCollect or Universal DSM)

Required Tables

events

False Positives

Approved cloud migration projects: IT operations teams running rclone under authorized service accounts for scheduled data migrations — validate against open ITSM change records, whitelist the specific service account usernames in a QRadar reference set, and add a building-block exclusion rule
Azure CI/CD pipeline agents: AzCopy executed by Azure DevOps or Jenkins build agents for deploying artifacts to corporate-owned Azure Blob Storage — populate a QRadar reference set with authorized Azure storage account FQDNs and exclude matching Command Line values from the alert rule
Corporate sanctioned SaaS: employees syncing files via Dropbox Business or Box Enterprise as approved productivity tools — suppress by cross-referencing the Process Name with a QRadar reference table of approved sync client executables and alert only on volume outliers

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="endpoint/windows/sysmon") EventCode=1
| where (Image matches "*rclone.exe")
    OR (Image matches "*azcopy.exe" AND (
        CommandLine matches "*blob.core.windows.net*"
        OR CommandLine matches "*file.core.windows.net*"
        OR CommandLine matches "*queue.core.windows.net*"
    ))
    OR (
        (Image matches "*powershell.exe" OR Image matches "*pwsh.exe"
            OR Image matches "*curl.exe" OR Image matches "*wscript.exe")
        AND (
            CommandLine matches "*mega.nz*"
            OR CommandLine matches "*mega.io*"
            OR CommandLine matches "*dropbox.com*"
            OR CommandLine matches "*dropboxapi.com*"
            OR CommandLine matches "*transfer.sh*"
            OR CommandLine matches "*gofile.io*"
            OR CommandLine matches "*box.com*"
            OR CommandLine matches "*box.net*"
            OR CommandLine matches "*drive.google.com*"
            OR CommandLine matches "*onedrive.live.com*"
            OR CommandLine matches "*sharefile.com*"
            OR CommandLine matches "*sendspace.com*"
            OR CommandLine matches "*filebin.net*"
            OR CommandLine matches "*anonfiles.com*"
        )
    )
| eval ThreatType = if(Image matches "*rclone*", "Exfil_Rclone",
    if(Image matches "*azcopy*", "Exfil_AzCopy", "Exfil_CloudStorage"))
| eval RiskScore = if(ThreatType == "Exfil_Rclone", 85,
    if(ThreatType == "Exfil_AzCopy", 80, 70))
| stats count AS Events, values(CommandLine) AS CommandLines, max(RiskScore) AS MaxRisk
    BY ComputerName, User, Image, ThreatType
| sort BY MaxRisk desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon (via Sumo Logic Installed Collector) Sumo Logic Endpoint Source

Required Tables

_sourceCategory=windows/sysmon

False Positives

Approved IT backup or archival jobs: rclone scheduled tasks run under a service account for authorized cloud-to-cloud archival — suppress by adding the backup service account username to a Sumo Logic lookup table and filtering it from results with a join or where clause
Development and test environments: AzCopy used interactively by developers targeting Azure dev/staging storage accounts — maintain a Sumo Logic lookup of non-production storage account subdomains and exclude matching CommandLine values to avoid alert fatigue
Sanctioned cloud productivity tools: corporate Dropbox Business or Box Enterprise background sync processes generating recurring process creation events — baseline per-user event frequency with a timeslice comparison and alert only on deviations of 3x or more above the 30-day average

Google Chronicle / SecOps

yaral

rule cloud_storage_data_exfiltration {
  meta:
    author = "df00tech"
    description = "Detects data exfiltration via rclone, AzCopy, and cloud storage API abuse from scripting engines"
    severity = "HIGH"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1567.002"
    threat_actors = "Scattered Spider, Akira, Black Basta, Lazarus"
    reference = "https://attack.mitre.org/techniques/T1567/002/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)rclone\.exe`)
      or (
        re.regex($e.target.process.file.full_path, `(?i)azcopy\.exe`)
        and re.regex($e.target.process.command_line, `(?i)(blob|file|queue)\.core\.windows\.net`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh|curl|wscript|cscript)\.exe`)
        and re.regex($e.target.process.command_line, `(?i)(mega\.nz|mega\.io|dropbox\.com|dropboxapi\.com|transfer\.sh|gofile\.io|box\.com|box\.net|drive\.google\.com|onedrive\.live\.com|sharefile\.com|sendspace\.com|filebin\.net|anonfiles\.com)`)
      )
    )
    $hostname = $e.principal.hostname

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle UDM (Unified Data Model) Chronicle Forwarder (Windows Events) Google Cloud Endpoint Agent

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Authorized cloud-to-cloud migrations: IT teams using rclone under approved service accounts for scheduled data migrations — maintain a Chronicle reference list of authorized migration service account principal.user.userid values and add a NOT $e.principal.user.userid in %authorized_migration_accounts exclusion to the events block
Azure infrastructure automation: operations or platform engineering teams running AzCopy for Blob Storage management tasks — build a Chronicle reference list of corporate Azure storage account FQDNs and add NOT re.regex($e.target.process.command_line, %corp_storage_accounts) to suppress known-good invocations
Sanctioned enterprise file-sharing clients: Google Drive, OneDrive, or Dropbox for Business background sync processes running under standard user accounts — supplement the rule with a condition block counting events per principal.hostname over a time window and tuning on volume rather than presence to avoid suppressing legitimate single-event occurrences

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName=/(?i)rclone\.exe$/
  OR (ImageFileName=/(?i)azcopy\.exe$/ AND CommandLine=/(?i)(blob|file|queue)\.core\.windows\.net/)
  OR (ImageFileName=/(?i)(powershell|pwsh|curl|wscript|cscript)\.exe$/
      AND CommandLine=/(?i)(mega\.nz|mega\.io|dropbox\.com|dropboxapi\.com|transfer\.sh|gofile\.io|box\.com|box\.net|drive\.google\.com|onedrive\.live\.com|sharefile\.com|sendspace\.com|filebin\.net|anonfiles\.com)/)
| ThreatType := case {
    ImageFileName=/(?i)rclone/ => "Exfil_Rclone";
    ImageFileName=/(?i)azcopy/ => "Exfil_AzCopy";
    * => "Exfil_CloudStorage"
  }
| RiskScore := case {
    ThreatType = "Exfil_Rclone" => 85;
    ThreatType = "Exfil_AzCopy" => 80;
    * => 70
  }
| groupBy(
    [ComputerName, UserName, ImageFileName, ThreatType],
    function=[
      count(as=EventCount),
      max(field=RiskScore, as=MaxRisk),
      collect(CommandLine, limit=10)
    ]
  )
| sort(field=MaxRisk, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike LogScale Falcon ProcessRollup2 Telemetry

Required Tables

ProcessRollup2

False Positives

Authorized data migration service accounts: infrastructure teams running rclone under named service accounts for approved cloud migrations — tag the source hosts with a Falcon host group (e.g., 'authorized-migration-hosts') and add a NOT ComputerName in authorized_migration_hosts filter before the groupBy to suppress known-good systems
Azure DevOps or GitHub Actions build agents: AzCopy executed by CI/CD runners for artifact deployment to Azure Blob Storage — use Falcon host tags to identify pipeline runner systems and exclude their ComputerName values, while retaining events in a lower-priority audit groupBy for compliance logging
Desktop sync client background processes: Dropbox, Box, or OneDrive sync daemons spawning curl or PowerShell subprocesses for authentication and sync operations — inspect the ParentBaseFileName field to distinguish sync daemon child processes from user-initiated or script-driven executions, and add ParentBaseFileName NOT IN ('Dropbox.exe', 'Box.exe', 'OneDrive.exe') to the filter

Last updated: 2026-04-24 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for THREAT-CloudStorage-DataExfil including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Data Exfiltration via Cloud Storage Services

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Same Tactic: Exfiltration

Popular Detections