THREAT-CloudStorage-DataExfil IBM QRadar · QRadar

Detect Data Exfiltration via Cloud Storage Services in IBM QRadar

Exfiltration of corporate data to attacker-controlled cloud storage is a dominant technique in double-extortion ransomware campaigns and espionage operations. Adversaries use legitimate cloud storage services (Mega, Dropbox, OneDrive, Box, Google Drive, rclone, AzCopy, ShareFile) to blend exfiltration traffic with normal business activity, bypassing egress monitoring that blocks unknown C2 IPs. Scattered Spider used Mega for SMB data exfiltration before ransomware deployment in 2024-2025. Akira and Black Basta affiliates use rclone with SFTP/cloud backends. Lazarus Group favors Dropbox and Google Drive. Key indicators: rclone.exe or azcopy.exe execution with external cloud endpoints, large outbound data transfers to cloud storage IPs, WinSCP or FileZilla used for bulk data staging, and PowerShell Invoke-WebRequest with cloud storage URLs. Detection opportunity exists in the staging phase (file collection before transfer) and the transfer phase (network and process telemetry).

MITRE ATT&CK

Tactic
Exfiltration

QRadar Detection Query

```sql
SELECT
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
    hostname AS Hostname,
    username AS User,
    "Process Name" AS ProcessName,
    "Command Line" AS CommandLine,
    LOGSOURCETYPENAME(logsourceid) AS LogSourceType,
    CATEGORYNAME(category) AS EventCategory,
    CASE
        WHEN LOWER("Process Name") LIKE '%rclone.exe%' THEN 85
        WHEN LOWER("Process Name") LIKE '%azcopy.exe%' THEN 80
        ELSE 70
    END AS RiskScore,
    CASE
        WHEN LOWER("Process Name") LIKE '%rclone.exe%' THEN 'Exfil_Rclone'
        WHEN LOWER("Process Name") LIKE '%azcopy.exe%' THEN 'Exfil_AzCopy'
        ELSE 'Exfil_CloudStorage'
    END AS ThreatType
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    LOWER("Process Name") LIKE '%rclone.exe%'
    OR (
        LOWER("Process Name") LIKE '%azcopy.exe%'
        AND (
            LOWER("Command Line") LIKE '%blob.core.windows.net%'
            OR LOWER("Command Line") LIKE '%file.core.windows.net%'
            OR LOWER("Command Line") LIKE '%queue.core.windows.net%'
        )
    )
    OR (
        (
            LOWER("Process Name") LIKE '%powershell.exe%'
            OR LOWER("Process Name") LIKE '%pwsh.exe%'
            OR LOWER("Process Name") LIKE '%curl.exe%'
            OR LOWER("Process Name") LIKE '%wscript.exe%'
        )
        AND (
            LOWER("Command Line") LIKE '%mega.nz%'
            OR LOWER("Command Line") LIKE '%mega.io%'
            OR LOWER("Command Line") LIKE '%dropbox.com%'
            OR LOWER("Command Line") LIKE '%dropboxapi.com%'
            OR LOWER("Command Line") LIKE '%transfer.sh%'
            OR LOWER("Command Line") LIKE '%gofile.io%'
            OR LOWER("Command Line") LIKE '%box.com%'
            OR LOWER("Command Line") LIKE '%box.net%'
            OR LOWER("Command Line") LIKE '%drive.google.com%'
            OR LOWER("Command Line") LIKE '%onedrive.live.com%'
            OR LOWER("Command Line") LIKE '%sharefile.com%'
            OR LOWER("Command Line") LIKE '%sendspace.com%'
            OR LOWER("Command Line") LIKE '%filebin.net%'
            OR LOWER("Command Line") LIKE '%anonfiles.com%'
        )
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY RiskScore DESC, starttime DESC
LIMIT 500
```

Severity: high. Confidence: high.

QRadar AQL query that detects cloud storage data exfiltration by monitoring process creation events from the Windows Security Event Log and Sysmon log sources. It identifies rclone.exe execution (risk 85), AzCopy targeting external Azure storage endpoints (risk 80), and scripting engines or download utilities (PowerShell, pwsh, curl, wscript) whose command line references known cloud storage and anonymous file-sharing domains (risk 70). Requires WinCollect or a Universal DSM configured to extract the 'Process Name' and 'Command Line' custom event properties.

Data Sources

  • IBM QRadar SIEM
  • Microsoft Windows Security Event Log (via WinCollect)
  • Sysmon Events (via WinCollect or Universal DSM)

Required Tables

events

False Positives & Tuning

  • Approved cloud migration projects: IT operations teams running rclone under authorized service accounts for scheduled data migrations — validate against open ITSM change records, whitelist the specific service account usernames in a QRadar reference set, and add a building-block exclusion rule
  • Azure CI/CD pipeline agents: AzCopy executed by Azure DevOps or Jenkins build agents for deploying artifacts to corporate-owned Azure Blob Storage — populate a QRadar reference set with authorized Azure storage account FQDNs and exclude matching Command Line values from the alert rule
  • Corporate sanctioned SaaS: employees syncing files via Dropbox Business or Box Enterprise as approved productivity tools — suppress by cross-referencing the Process Name with a QRadar reference table of approved sync client executables and alert only on volume outliers
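To make the query's classification and the tuning exclusions above concrete, here is an added Python example (not part of the original detection package) that applies the same CASE logic to constructed Sysmon Event ID 1 records and then drops hits covered by the "approved cloud migration" and "Azure CI/CD pipeline" exclusions. The account names, storage FQDNs and sample records are constructed placeholders standing in for QRadar reference sets, and all events are assumed to come from the Windows Security / Sysmon log sources the AQL filters on.

```python
import re

# Constructed Sysmon Event ID 1 records (sample telemetry, not real events).
SAMPLE_EVENTS = [
    {"Process Name": r"C:\Tools\rclone.exe", "Command Line": "rclone.exe copy D:\\Finance mega:staging", "username": "j.doe"},
    {"Process Name": r"C:\Tools\rclone.exe", "Command Line": "rclone.exe sync \\\\fs01\\archive gcs:backup", "username": "svc_migration"},
    {"Process Name": r"C:\azcopy\azcopy.exe", "Command Line": "azcopy.exe copy C:\\build https://corpartifacts.blob.core.windows.net/rel", "username": "svc_devops"},
    {"Process Name": r"C:\azcopy\azcopy.exe", "Command Line": "azcopy.exe copy C:\\HR https://x7q2.blob.core.windows.net/drop", "username": "a.smith"},
    {"Process Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Command Line": "powershell.exe -c Invoke-WebRequest -Uri https://api.dropboxapi.com/2/files/upload", "username": "b.lee"},
    {"Process Name": r"C:\Windows\System32\notepad.exe", "Command Line": "notepad.exe notes.txt", "username": "b.lee"},
]

# Match lists taken from the AQL WHERE clause.
AZURE_ENDPOINTS = ("blob.core.windows.net", "file.core.windows.net", "queue.core.windows.net")
SCRIPT_ENGINES = ("powershell.exe", "pwsh.exe", "curl.exe", "wscript.exe")
CLOUD_DOMAINS = ("mega.nz", "mega.io", "dropbox.com", "dropboxapi.com", "transfer.sh", "gofile.io",
                 "box.com", "box.net", "drive.google.com", "onedrive.live.com", "sharefile.com",
                 "sendspace.com", "filebin.net", "anonfiles.com")

# Placeholders for the QRadar reference sets described under tuning (constructed values).
AUTHORIZED_RCLONE_ACCOUNTS = {"svc_migration"}
AUTHORIZED_AZURE_FQDNS = {"corpartifacts.blob.core.windows.net"}

def classify(event):
    """Mirror the AQL CASE/WHERE logic: return (RiskScore, ThreatType) or None."""
    proc, cmd = event["Process Name"].lower(), event["Command Line"].lower()
    if "rclone.exe" in proc:
        return 85, "Exfil_Rclone"
    if "azcopy.exe" in proc and any(ep in cmd for ep in AZURE_ENDPOINTS):
        return 80, "Exfil_AzCopy"
    if any(se in proc for se in SCRIPT_ENGINES) and any(d in cmd for d in CLOUD_DOMAINS):
        return 70, "Exfil_CloudStorage"
    return None

def is_tuned_out(event, threat_type):
    """Apply the reference-set exclusions: authorized rclone accounts, corporate Azure FQDNs."""
    if threat_type == "Exfil_Rclone" and event["username"] in AUTHORIZED_RCLONE_ACCOUNTS:
        return True
    if threat_type == "Exfil_AzCopy":
        hosts = re.findall(r"https?://([a-z0-9.-]+)", event["Command Line"].lower())
        return bool(hosts) and all(h in AUTHORIZED_AZURE_FQDNS for h in hosts)
    return False

def detect(events):
    """Return surviving alerts ordered by RiskScore DESC, like the AQL ORDER BY."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit and not is_tuned_out(ev, hit[1]):
            alerts.append({**ev, "RiskScore": hit[0], "ThreatType": hit[1]})
    return sorted(alerts, key=lambda a: a["RiskScore"], reverse=True)
```

Running `detect(SAMPLE_EVENTS)` leaves three alerts (the unauthorized rclone, AzCopy and PowerShell records) and silences the migration service account and the build agent writing to the corporate storage account.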

Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Cloud Exfiltration via rclone to Mega

    Expected signal: Sysmon Event ID 1: rclone.exe with copy command targeting mega remote. Sysmon Event ID 3: network connection to mega.co.nz or api.mega.co.nz.
