Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, editing, and retrieval of data on a remote cloud storage server over the Internet.
Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.
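The point above is that an upload to a service the network already talks to blends in. The following added example (not part of the ATT&CK mapping page or any vendor tool listed below) shows the two checks a defender can run over egress proxy logs to pull that activity back out: a per-host upload-volume baseline across cloud storage domains, and a check for a cloud storage host that a client contacted for the first time on the day of the spike. The log format (time, client, destination host, method, bytes sent), the domain list and every log line are constructed assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Assumption: these are the cloud storage domains of interest. Dropbox and Google
# Docs are the services the technique description names; the API hosts are added.
CLOUD_STORAGE_DOMAINS = (
    "dropbox.com", "dropboxapi.com",
    "docs.google.com", "drive.google.com",
)

# Constructed proxy log (not captured traffic). Field order is an assumption:
# "<ISO 8601 time> <client ip> <destination host> <method> <bytes sent by client>"
# 10.0.1.20 uses Google Docs/Drive daily (cover), then on 2024-05-04 pushes ~1.4 GB
# to a Dropbox API host it never contacted before. 10.0.1.31 is steady baseline noise.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z 10.0.1.20 docs.google.com POST 18213
2024-05-01T09:15:44Z 10.0.1.20 drive.google.com PUT 240117
2024-05-02T10:02:01Z 10.0.1.20 docs.google.com POST 20101
2024-05-02T11:30:09Z 10.0.1.20 drive.google.com PUT 198844
2024-05-03T09:41:50Z 10.0.1.20 drive.google.com PUT 210532
2024-05-04T03:12:07Z 10.0.1.20 content.dropboxapi.com POST 734003211
2024-05-04T03:14:31Z 10.0.1.20 content.dropboxapi.com POST 702551920
2024-05-01T08:55:00Z 10.0.1.31 drive.google.com PUT 51233
2024-05-02T08:57:12Z 10.0.1.31 drive.google.com PUT 49800
2024-05-03T09:01:40Z 10.0.1.31 drive.google.com PUT 52010
2024-05-04T09:03:22Z 10.0.1.31 drive.google.com PUT 50120
2024-05-04T09:10:00Z 10.0.1.45 example.com GET 1200
"""


def is_cloud_storage(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def parse(log_text):
    """Yield (day, client, host, bytes_out) for lines whose destination is cloud storage."""
    for line in log_text.splitlines():
        ts, client, host, _method, bytes_out = line.split()
        if is_cloud_storage(host):
            day = datetime.fromisoformat(ts.replace("Z", "+00:00")).date()
            yield day, client, host, int(bytes_out)


def daily_upload_volume(records):
    """{client: {day: bytes sent}} summed over all cloud storage destinations."""
    volume = defaultdict(lambda: defaultdict(int))
    for day, client, _host, bytes_out in records:
        volume[client][day] += bytes_out
    return volume


def find_anomalies(log_text, ratio=5.0, floor_bytes=100 * 1024 * 1024):
    """Flag (client, day, bytes, baseline) where the client's upload volume on its
    latest day exceeds `ratio` times the median of its prior days and also exceeds
    `floor_bytes`. The floor keeps small-but-bursty hosts from tripping the ratio.
    A client with no prior days gets baseline 0 and is flagged only above the floor."""
    findings = []
    for client, per_day in daily_upload_volume(parse(log_text)).items():
        days = sorted(per_day)
        latest = days[-1]
        prior = [per_day[d] for d in days[:-1]]
        baseline = statistics.median(prior) if prior else 0
        latest_bytes = per_day[latest]
        if latest_bytes >= floor_bytes and latest_bytes > ratio * baseline:
            findings.append((client, latest.isoformat(), latest_bytes, baseline))
    return findings


def new_destinations(log_text):
    """{client: [hosts]} for cloud storage hosts a client contacted only on its most
    recent active day, for clients with more than one day of history. A service the
    host already uses every day provides cover; one first seen at spike time does not."""
    seen = defaultdict(lambda: defaultdict(set))  # client -> host -> {days}
    for day, client, host, _bytes in parse(log_text):
        seen[client][host].add(day)
    result = {}
    for client, hosts in seen.items():
        all_days = set().union(*hosts.values())
        latest = max(all_days)
        novel = sorted(h for h, days in hosts.items()
                       if days == {latest} and len(all_days) > 1)
        if novel:
            result[client] = novel
    return result


if __name__ == "__main__":
    for client, day, nbytes, baseline in find_anomalies(SAMPLE_LOG):
        print(f"{client} sent {nbytes} bytes to cloud storage on {day} (baseline {baseline})")
    for client, hosts in new_destinations(SAMPLE_LOG).items():
        print(f"{client} first contacted {', '.join(hosts)} on its latest active day")
```

The two checks are deliberately separate: a volume spike to an already-used service (the covered case the paragraph describes) still fires the first check, and a brand-new destination with a modest volume still fires the second. Tune `ratio` and `floor_bytes` to the environment; the values here are illustrative.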
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-20 | Use of External Systems | mitigates | T1567.002 | Exfiltration to Cloud Storage | |
| AC-04 | Information Flow Enforcement | mitigates | T1567.002 | Exfiltration to Cloud Storage | |
| SC-07 | Boundary Protection | mitigates | T1567.002 | Exfiltration to Cloud Storage | |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Export data | Export data to another site or system | related-to | T1567.002 | Exfiltration to Cloud Storage | |
| attribute.confidentiality.data_disclosure | None | related-to | T1567.002 | Exfiltration to Cloud Storage | |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1567.002 | Exfiltration to Cloud Storage | The Microsoft Sentinel Analytics query "Powershell Empire cmdlets seen in command line" can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. The query "SharePointFileOperation via previously unseen IPs" can detect potential exfiltration activity via SharePoint. The coverage of these queries is minimal, resulting in an overall Minimal score. |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| chrome_enterprise_premium | Chrome Enterprise Premium | technique_scores | T1567.002 | Exfiltration to Cloud Storage | Chrome Enterprise Premium provides Data Loss Prevention (DLP) features that can detect and block sensitive data in files that are uploaded and downloaded, and in content that is pasted or dragged and dropped, via the Chrome browser. This can provide protection against adversaries that may try to steal data over network protocols. |
| cloud_endpoints | Cloud Endpoints | technique_scores | T1567.002 | Exfiltration to Cloud Storage | Cloud Endpoints can place restrictions on which apps can be installed and accessed on enrolled devices, preventing exfiltration of sensitive information from compromised endpoints to cloud storage. |
| cloud_ids | Cloud IDS | technique_scores | T1567.002 | Exfiltration to Cloud Storage | Cloud IDS uses Palo Alto Networks' spyware signatures, which can detect data exfiltration attempts over command and control communications (e.g., web shells), a method adversaries often use to compromise sensitive data. Although there are multiple ways an attacker could exfiltrate data from a compromised system, this technique was scored as Significant based on Palo Alto Networks' advanced threat detection technology, which is updated continuously to detect the latest known variations of these attacks. Note that this signature-based coverage targets exfiltration over C2 channels, whereas the technique as described above uses a legitimate cloud storage service in place of the C2 channel. |
| security_command_center | Security Command Center | technique_scores | T1567.002 | Exfiltration to Cloud Storage | SCC ingests BigQuery audit data access logs to track sensitive data that is saved to cloud storage (e.g., Google Drive). This detects exfiltration attacks, both attempted and completed, to an external or public resource. Because of the near-real-time temporal factor, this control was graded as Significant. |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1567.002 | Exfiltration to Cloud Storage | The following GuardDuty finding types flag events where adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel: Exfiltration:S3/ObjectRead.Unusual, Exfiltration:S3/MaliciousIPCaller, Exfiltration:IAMUser/AnomalousBehavior, Behavior:EC2/TrafficVolumeUnusual. |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1567.002 | Exfiltration to Cloud Storage | This control can identify large-volume potential exfiltration activity. |
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1567.002 | Exfiltration to Cloud Storage | This control can identify large-volume potential exfiltration activity and log user activity potentially related to exfiltration via web services. A relevant alert is "Unusual file download (by user)". |
| DEF-SSCO-E3 | Secure Score | Technique Scores | T1567.002 | Exfiltration to Cloud Storage | Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can help protect an organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. The score is updated in real time to reflect the information presented in the visualizations and recommended action pages, and it also syncs daily to receive system data about the points achieved for each action. Recommended actions are organized into groups: Identity (Microsoft Entra accounts & roles); Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices); Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps); Data (through Microsoft Information Protection). |
