THREAT-CloudStorage-DataExfil Splunk · SPL

Detect Data Exfiltration via Cloud Storage Services in Splunk

Exfiltration of corporate data to attacker-controlled cloud storage is a dominant technique in double-extortion ransomware campaigns and espionage operations. Adversaries use legitimate cloud storage services (Mega, Dropbox, OneDrive, Box, Google Drive, rclone, AzCopy, ShareFile) to blend exfiltration traffic with normal business activity, bypassing egress monitoring that blocks unknown C2 IPs. Scattered Spider used Mega for SMB data exfiltration before ransomware deployment in 2024-2025. Akira and Black Basta affiliates use rclone with SFTP/cloud backends. Lazarus Group favors Dropbox and Google Drive. Key indicators: rclone.exe or azcopy.exe execution with external cloud endpoints, large outbound data transfers to cloud storage IPs, WinSCP or FileZilla used for bulk data staging, and PowerShell Invoke-WebRequest with cloud storage URLs. Detection opportunity exists in the staging phase (file collection before transfer) and the transfer phase (network and process telemetry).

MITRE ATT&CK

Tactic
Exfiltration

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
  Image="*\\rclone.exe"
  OR (Image="*\\azcopy.exe" AND (CommandLine="*blob.core.windows.net*" OR CommandLine="*file.core.windows.net*"))
  OR (Image IN ("*\\curl.exe","*\\powershell.exe","*\\pwsh.exe")
      AND (CommandLine="*mega.nz*" OR CommandLine="*dropbox.com*" OR
           CommandLine="*transfer.sh*" OR CommandLine="*gofile.io*"))
)
| eval ThreatType=case(
    match(Image, "(?i)rclone"), "Exfil_Rclone",
    match(Image, "(?i)azcopy"), "Exfil_AzCopy",
    true(), "Exfil_CloudStorageUpload"
  )
| eval RiskScore=case(
    ThreatType="Exfil_Rclone", 85,
    ThreatType="Exfil_AzCopy", 80,
    true(), 70
  )
| eval ThreatActors="Scattered Spider, Akira, Black Basta, Lazarus"
| stats count AS Events, values(CommandLine) AS Commands, max(RiskScore) AS MaxRisk
  BY host, User, Image, _time span=1h
| sort - MaxRisk
critical severity high confidence

SPL detection for cloud storage exfiltration. Monitors Sysmon process creation for rclone, AzCopy with external storage URLs, and PowerShell/curl commands targeting known file hosting services.

Data Sources

Sysmon via Windows Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Authorised cloud backup scripts using rclone
  • AzCopy used by IT for legitimate Azure storage operations
Download portable Sigma rule (.yml)

Other platforms for THREAT-CloudStorage-DataExfil

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Cloud Exfiltration via rclone to Mega

    Expected signal: Sysmon Event ID 1: rclone.exe with copy command targeting mega remote. Sysmon Event ID 3: network connection to mega.co.nz or api.mega.co.nz.

Last updated: 2026-04-24 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for THREAT-CloudStorage-DataExfil including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1567.002Exfiltration to Cloud Storage

Related Techniques

T1567.002Exfiltration to Cloud StorageT1048Exfiltration Over Alternative ProtocolT1005Data from Local SystemT1039Data from Network Shared DriveT1486Data Encrypted for Impact

Same Tactic: Exfiltration

Popular Detections