title: Exfiltration to Cloud Storage (T1567.002)
id: df00tech-t1567-002
status: experimental
description: "Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services such as Dropbox, Google Drive, OneDrive, MEGA, and Amazon S3 allow storage and retrieval of data over the Internet. Exfiltration to these services can blend with legitimate enterprise traffic, providing significant cover. Real-world threat actors including Akira, Leviathan, POLONIUM, LuminousMoth, Mustang Panda, and Kimsuky have all leveraged cloud storage for data theft. Rclone is the most commonly observed tool, used by multiple ransomware and espionage groups to automate bulk transfers to attacker-controlled cloud accounts."
references:
  - https://attack.mitre.org/techniques/T1567/002/
  - https://df00tech.com/detections/T1567.002
author: df00tech
date: 2026/03/13
tags:
  - attack.t1567.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech KQL/SPL logic could not be auto-translated. The selection below is a
  # conservative stand-in built from the description above (rclone is the most commonly
  # observed tool): rclone.exe launched with a transfer subcommand. It matches on Image,
  # so a renamed rclone binary evades it; see the full query on df00tech.
  selection_img:
    Image|endswith: '\rclone.exe'
  selection_cmd:
    CommandLine|contains:
      - ' copy '
      - ' sync '
      - ' move '
  condition: selection_img and selection_cmd
falsepositives:
  - "OneDrive, Google Drive, and Dropbox desktop sync clients generating large uploads during normal backup or file sync operations"
  - "DevOps pipelines using rclone, azcopy, or gsutil for legitimate CI/CD artifact uploads to cloud storage"
  - "Backup software (Veeam, Acronis, BackBlaze) transferring large volumes to cloud-hosted S3-compatible backends"
  - "Data engineering workflows using gsutil or AWS CLI to transfer datasets between cloud and on-premise environments"
  - "Security tools performing cloud storage integrity checks or automated threat intelligence feeds pulling from S3/GCS"
level: high
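The following is an added worked example, not part of the df00tech rule or its KQL/SPL query. It evaluates the kind of process_creation selection a practitioner would deploy for this technique (Image ending in `\rclone.exe` plus an rclone transfer subcommand on the command line, using Sigma's case-insensitive string matching) over a handful of constructed Sysmon-style events: a bulk copy to a configured remote, the OneDrive sync client, a harmless `rclone version`, a renamed rclone binary, and a CI agent pushing artifacts. The event contents, the `exfil:` and `artifacts:` remote names, the agent path and the `allowlisted_parents` tuning knob are all assumptions made for illustration; the `name:path` remote syntax is real rclone syntax.

```python
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample process_creation events (not real telemetry). Field names
# follow the Sigma process_creation taxonomy used by the rule's logsource.
SAMPLE_EVENTS = [
    {   # bulk copy to a configured rclone remote, launched from a user temp dir
        "Image": r"C:\Users\alice\AppData\Local\Temp\rclone.exe",
        "CommandLine": r"rclone.exe copy C:\Finance exfil:backup --transfers 16 -q",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # OneDrive sync client: large uploads, but not rclone (false-positive class)
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # rclone invoked, but not a transfer subcommand
        "Image": r"C:\tools\rclone.exe",
        "CommandLine": r"rclone.exe version",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # renamed rclone binary: evades an Image-based selection (the rule's blind spot)
        "Image": r"C:\Users\alice\svchost.exe",
        "CommandLine": r"svchost.exe sync C:\HR mega:dump",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # assumed build agent pushing artifacts (DevOps false-positive class)
        "Image": r"C:\agent\tools\rclone.exe",
        "CommandLine": r"rclone.exe copy C:\agent\_work\out artifacts:builds/1234",
        "ParentImage": r"C:\agent\bin\Agent.Worker.exe",
    },
]

# rclone subcommands that move data; mirrors a Sigma `CommandLine|contains` list.
TRANSFER_SUBCOMMANDS = ("copy", "sync", "move")

# rclone addresses a configured remote as `name:path`. Requiring two or more
# characters before the colon keeps Windows drive letters (C:\...) from matching.
REMOTE_TOKEN = re.compile(r"(?<![\\/\w])([A-Za-z0-9_-]{2,}):")


def sigma_endswith(value: str, suffix: str) -> bool:
    # Sigma string matching is case-insensitive unless a modifier says otherwise.
    return value.lower().endswith(suffix.lower())


def sigma_contains_any(value: str, needles: Iterable[str]) -> bool:
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def matches_selection(event: dict) -> bool:
    """Image ends with \\rclone.exe AND the command line carries a transfer subcommand."""
    if not sigma_endswith(event.get("Image", ""), "\\rclone.exe"):
        return False
    return sigma_contains_any(event.get("CommandLine", ""),
                              [f" {sub} " for sub in TRANSFER_SUBCOMMANDS])


def references_remote(command_line: str) -> bool:
    """True when the command line names a configured remote (name:path)."""
    return REMOTE_TOKEN.search(command_line) is not None


def evaluate(events: Iterable[dict], allowlisted_parents: tuple[str, ...] = ()) -> list[dict]:
    """Return alerts for selection hits, dropping children of allowlisted parents
    (e.g. a CI agent the operator has vetted) and tagging each hit with whether
    the transfer targets a configured remote, which is what triage should read first."""
    alerts = []
    for ev in events:
        if not matches_selection(ev):
            continue
        parent = ev.get("ParentImage", "")
        if any(sigma_endswith(parent, p) for p in allowlisted_parents):
            continue
        alerts.append({
            "CommandLine": ev["CommandLine"],
            "ParentImage": parent,
            "remote": references_remote(ev["CommandLine"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the selection fires on the temp-dir copy and on the build agent but not on the renamed binary, which is why the Image match alone belongs at `experimental`; pairing it with an `OriginalFileName` or hash-based match, where your telemetry has one, closes that gap. The `allowlisted_parents` argument is the simplest tuning for the DevOps false-positive class listed in the rule.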
