T1537 Transfer Data to Cloud Account Mappings

Adversaries may exfiltrate data by transferring it, including by sharing or syncing it or by creating backups of cloud environments, to another cloud account they control on the same service.

A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.(Citation: TLDRSec AWS Attacks)

Adversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.(Citation: Microsoft Azure Storage Shared Access Signature)

Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)
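The paragraphs above describe the mechanism (cloud-native sharing and backup APIs moving data to a second account on the same provider) and the CA-07/SI-04 monitoring mappings below point at the defensive response. The following detection sketch is an added example, not part of the ATT&CK technique text or the mappings project. It scans constructed CloudTrail-style records for EBS snapshot and AMI sharing calls (ModifySnapshotAttribute and ModifyImageAttribute) whose added principal is an account outside an assumed organisation allow-list, or the public group. The requestParameters layout follows the documented AWS format but should be verified against your own logs; KNOWN_ACCOUNTS and the sample records are constructed.

```python
import json

# Account IDs belonging to the organisation (constructed; normally sourced from
# AWS Organizations or an inventory system).
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}

# eventName -> (permission block, resource-id field). Layout assumed from the
# documented CloudTrail records for these EC2 API calls.
SHARING_EVENTS = {
    "ModifySnapshotAttribute": ("createVolumePermission", "snapshotId"),
    "ModifyImageAttribute": ("launchPermission", "imageId"),
}

# Constructed CloudTrail-style records, one JSON object per line:
# 1) snapshot shared with a known org account (benign)
# 2) snapshot shared with an unknown account (cross-account transfer)
# 3) AMI made public via the "all" group
# 4) unrelated read-only call
SAMPLE_LOG = """\
{"eventTime":"2024-05-01T10:00:00Z","eventName":"ModifySnapshotAttribute","userIdentity":{"arn":"arn:aws:iam::111111111111:user/backup-svc"},"requestParameters":{"snapshotId":"snap-0a1b2c3d","attributeType":"CREATE_VOLUME_PERMISSION","createVolumePermission":{"add":{"items":[{"userId":"222222222222"}]}}}}
{"eventTime":"2024-05-01T10:05:00Z","eventName":"ModifySnapshotAttribute","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev-alice"},"requestParameters":{"snapshotId":"snap-0deadbeef","attributeType":"CREATE_VOLUME_PERMISSION","createVolumePermission":{"add":{"items":[{"userId":"999999999999"}]}}}}
{"eventTime":"2024-05-01T10:06:00Z","eventName":"ModifyImageAttribute","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev-alice"},"requestParameters":{"imageId":"ami-0f00ba11","attributeType":"launchPermission","launchPermission":{"add":{"items":[{"group":"all"}]}}}}
{"eventTime":"2024-05-01T10:07:00Z","eventName":"DescribeSnapshots","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev-alice"},"requestParameters":{}}
"""


def parse_events(log_text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def share_targets(event):
    """Return (kind, value) pairs for every principal a sharing event adds.

    kind is "account" for a 12-digit account ID or "group" for a named group
    such as "all", which makes the resource public. Non-sharing events yield [].
    """
    perm = SHARING_EVENTS.get(event.get("eventName"))
    if perm is None:
        return []
    block = (event.get("requestParameters") or {}).get(perm[0]) or {}
    items = (block.get("add") or {}).get("items") or []
    targets = []
    for item in items:
        if "userId" in item:
            targets.append(("account", str(item["userId"])))
        elif "group" in item:
            targets.append(("group", str(item["group"])))
    return targets


def find_cross_account_shares(events, known_accounts=KNOWN_ACCOUNTS):
    """Flag sharing calls whose target is outside the organisation or public."""
    findings = []
    for event in events:
        perm = SHARING_EVENTS.get(event.get("eventName"))
        if perm is None:
            continue
        params = event.get("requestParameters") or {}
        resource = params.get(perm[1], "<unknown>")
        actor = (event.get("userIdentity") or {}).get("arn", "<unknown>")
        for kind, value in share_targets(event):
            if kind == "group":
                severity = "high"       # public exposure, not just another tenant
            elif value not in known_accounts:
                severity = "medium"     # transfer to an account we do not own
            else:
                continue                # intra-organisation share, expected
            findings.append({
                "time": event.get("eventTime"),
                "event": event["eventName"],
                "resource": resource,
                "actor": actor,
                "target": value,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for f in find_cross_account_shares(parse_events(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['time']} {f['event']} {f['resource']} "
              f"shared with {f['target']} by {f['actor']}")
```

The allow-list is the whole of the logic: a share to a known account is routine backup hygiene, a share to anything else is the T1537 pattern. The same shape (sharing call, added principal, compare against owned tenants) applies to S3 bucket policies, RDS snapshot sharing, or Azure SAS issuance once the relevant event names and parameter paths are substituted.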


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1537 | Transfer Data to Cloud Account | |
| CM-06 | Configuration Settings | mitigates | T1537 | Transfer Data to Cloud Account | |
| CM-05 | Access Restrictions for Change | mitigates | T1537 | Transfer Data to Cloud Account | |
| AC-17 | Remote Access | mitigates | T1537 | Transfer Data to Cloud Account | |
| IA-08 | Identification and Authentication (Non-Organizational Users) | mitigates | T1537 | Transfer Data to Cloud Account | |
| IA-04 | Identifier Management | mitigates | T1537 | Transfer Data to Cloud Account | |
| IA-03 | Device Identification and Authentication | mitigates | T1537 | Transfer Data to Cloud Account | |
| SI-10 | Information Input Validation | mitigates | T1537 | Transfer Data to Cloud Account | |
| SI-15 | Information Output Filtering | mitigates | T1537 | Transfer Data to Cloud Account | |
| AC-16 | Security and Privacy Attributes | mitigates | T1537 | Transfer Data to Cloud Account | |
| AC-20 | Use of External Systems | mitigates | T1537 | Transfer Data to Cloud Account | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1537 | Transfer Data to Cloud Account | |
| CM-07 | Least Functionality | mitigates | T1537 | Transfer Data to Cloud Account | |
| SI-04 | System Monitoring | mitigates | T1537 | Transfer Data to Cloud Account | |
| AC-02 | Account Management | mitigates | T1537 | Transfer Data to Cloud Account | |
| AC-03 | Access Enforcement | mitigates | T1537 | Transfer Data to Cloud Account | |
| AC-04 | Information Flow Enforcement | mitigates | T1537 | Transfer Data to Cloud Account | |
| AC-05 | Separation of Duties | mitigates | T1537 | Transfer Data to Cloud Account | |
| AC-06 | Least Privilege | mitigates | T1537 | Transfer Data to Cloud Account | |
| SC-07 | Boundary Protection | mitigates | T1537 | Transfer Data to Cloud Account | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Export data | Export data to another site or system | related-to | T1537 | Transfer Data to Cloud Account | |
| attribute.confidentiality.data_disclosure | None | related-to | T1537 | Transfer Data to Cloud Account | |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| vpc_service_controls | VPC Service Controls | technique_scores | T1537 | Transfer Data to Cloud Account | This control may mitigate against exfiltration attempts to external cloud accounts by limiting egress of data from accounts and services contained within the VPC network perimeter. |