T1537 Transfer Data to Cloud Account

Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.

A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.(Citation: TLDRSec AWS Attacks)

Adversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.(Citation: Microsoft Azure Storage Shared Access Signature)

Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CA-07 Continuous Monitoring mitigates T1537 Transfer Data to Cloud Account
CM-06 Configuration Settings mitigates T1537 Transfer Data to Cloud Account
CM-05 Access Restrictions for Change mitigates T1537 Transfer Data to Cloud Account
AC-17 Remote Access mitigates T1537 Transfer Data to Cloud Account
IA-08 Identification and Authentication (Non-Organizational Users) mitigates T1537 Transfer Data to Cloud Account
IA-04 Identifier Management mitigates T1537 Transfer Data to Cloud Account
IA-03 Device Identification and Authentication mitigates T1537 Transfer Data to Cloud Account
SI-10 Information Input Validation mitigates T1537 Transfer Data to Cloud Account
SI-15 Information Output Filtering mitigates T1537 Transfer Data to Cloud Account
AC-16 Security and Privacy Attributes mitigates T1537 Transfer Data to Cloud Account
AC-20 Use of External Systems mitigates T1537 Transfer Data to Cloud Account
IA-02 Identification and Authentication (Organizational Users) mitigates T1537 Transfer Data to Cloud Account
CM-07 Least Functionality mitigates T1537 Transfer Data to Cloud Account
SI-04 System Monitoring mitigates T1537 Transfer Data to Cloud Account
AC-02 Account Management mitigates T1537 Transfer Data to Cloud Account
AC-03 Access Enforcement mitigates T1537 Transfer Data to Cloud Account
AC-04 Information Flow Enforcement mitigates T1537 Transfer Data to Cloud Account
AC-05 Separation of Duties mitigates T1537 Transfer Data to Cloud Account
AC-06 Least Privilege mitigates T1537 Transfer Data to Cloud Account
SC-07 Boundary Protection mitigates T1537 Transfer Data to Cloud Account

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Export data Export data to another site or system related-to T1537 Transfer Data to Cloud Account
attribute.confidentiality.data_disclosure None related-to T1537 Transfer Data to Cloud Account

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
defender_for_storage Microsoft Defender for Cloud: Defender for Storage technique_scores T1537 Transfer Data to Cloud Account
Comments
This control may alert on unusually large amounts of data being extracted from Azure storage and suspicious access to storage accounts. There are no alerts specifically tied to data transfer between cloud accounts but there are several alerts for anomalous storage access and transfer.
References
azure_policy Azure Policy technique_scores T1537 Transfer Data to Cloud Account
Comments
This control may provide recommendations to enable security controls that monitor and prevent malicious transfer of data to cloud accounts.
References

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
vpc_service_controls VPC Service Controls technique_scores T1537 Transfer Data to Cloud Account
Comments
This control may mitigate against exfiltration attempts to external cloud accounts by limiting egress of data from accounts and services contained within the VPC network perimeter.
References