Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow data to be stored, edited, and retrieved from a remote server over the Internet.
Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these services can provide significant cover to the adversary if hosts within the network already communicate with the service, because the exfiltration traffic blends in with legitimate use.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-20 | Use of External Systems | Protects | T1567.002 | Exfiltration to Cloud Storage | |
AC-4 | Information Flow Enforcement | Protects | T1567.002 | Exfiltration to Cloud Storage | |
SC-7 | Boundary Protection | Protects | T1567.002 | Exfiltration to Cloud Storage | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_sentinel | Azure Sentinel | technique_scores | T1567.002 | Exfiltration to Cloud Storage | The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. The Azure Sentinel Analytics "SharePointFileOperation via previously unseen IPs" query can detect potential exfiltration activity via SharePoint. The coverage of these queries is minimal, resulting in an overall Minimal score. |
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1567.002 | Exfiltration to Cloud Storage | This control can identify large-volume potential exfiltration activity. |
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1567.002 | Exfiltration to Cloud Storage | This control can identify large-volume potential exfiltration activity and log user activity potentially related to exfiltration via web services. A relevant alert is "Unusual file download (by user)". |
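The two detection ideas named in the notes above, file operations from previously unseen source IPs and an unusual download volume for a user, can be illustrated with a small analytic over audit-style events. The following is an added example, not code from Azure Sentinel, Cloud App Security, or the mapping project; the users, IP addresses (RFC 5737 TEST-NET-3 for the outside address), sizes, and the `factor`/`floor_bytes` thresholds are all constructed and are assumptions for the demonstration.

```python
"""Toy analytic for T1567.002 detection: unseen source IPs and unusual per-user
download volume over constructed SharePoint-style file events (not vendor code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEvent:
    time: datetime
    user: str
    ip: str
    operation: str      # e.g. "FileDownloaded", "FileUploaded", "FileAccessed"
    size_bytes: int


def _hour(t: datetime) -> datetime:
    """Truncate a timestamp to its hour bucket."""
    return t.replace(minute=0, second=0, microsecond=0)


def unseen_ip_alerts(history, recent):
    """Flag file operations in `recent` from an IP that never appears in `history`.
    The baseline is tenant-wide, in the spirit of the "previously unseen IPs" query.
    Returns sorted (user, ip, event_count) tuples."""
    known_ips = {e.ip for e in history}
    hits = defaultdict(int)
    for e in recent:
        if e.ip not in known_ips:
            hits[(e.user, e.ip)] += 1
    return sorted((user, ip, n) for (user, ip), n in hits.items())


def unusual_download_alerts(history, recent, factor=3.0, floor_bytes=5_000_000):
    """Flag users whose download bytes in `recent` exceed `factor` times their busiest
    historical hour. `floor_bytes` keeps users with a near-zero baseline from alerting
    on noise. Returns (user, recent_bytes, baseline_hourly_max) tuples."""
    per_user_hour = defaultdict(int)
    for e in history:
        if e.operation == "FileDownloaded":
            per_user_hour[(e.user, _hour(e.time))] += e.size_bytes
    baseline = defaultdict(int)
    for (user, _), total in per_user_hour.items():
        baseline[user] = max(baseline[user], total)
    recent_total = defaultdict(int)
    for e in recent:
        if e.operation == "FileDownloaded":
            recent_total[e.user] += e.size_bytes
    alerts = []
    for user, total in sorted(recent_total.items()):
        threshold = max(factor * baseline[user], floor_bytes)
        if total > threshold:
            alerts.append((user, total, baseline[user]))
    return alerts


# Constructed sample data (hypothetical users and addresses).
T0 = datetime(2024, 1, 15, 9, 0)          # start of the one-hour detection window
OFFICE_A, OFFICE_B = "10.0.0.5", "10.0.0.6"

# Two weeks of routine activity: alice pulls 2 MB files, bob 1 MB files, from office IPs.
HISTORY = [FileEvent(T0 - timedelta(days=d, hours=h), "alice", OFFICE_A, "FileDownloaded", 2_000_000)
           for d in range(1, 6) for h in (1, 3)]
HISTORY += [FileEvent(T0 - timedelta(days=d), "bob", OFFICE_B, "FileDownloaded", 1_000_000)
            for d in range(1, 4)]
HISTORY += [FileEvent(T0 - timedelta(days=2, hours=2), "alice", OFFICE_A, "FileUploaded", 500_000)]

# Detection window: alice downloads 90 MB from an address never seen before,
# bob is slightly busier than usual, carol touches a file from a new internal IP.
RECENT = [
    FileEvent(T0 + timedelta(minutes=5), "alice", "203.0.113.7", "FileDownloaded", 50_000_000),
    FileEvent(T0 + timedelta(minutes=10), "alice", "203.0.113.7", "FileDownloaded", 40_000_000),
    FileEvent(T0 + timedelta(minutes=20), "bob", OFFICE_B, "FileDownloaded", 1_500_000),
    FileEvent(T0 + timedelta(minutes=25), "carol", "10.0.0.9", "FileAccessed", 0),
]

if __name__ == "__main__":
    for user, ip, n in unseen_ip_alerts(HISTORY, RECENT):
        print(f"unseen IP: {user} from {ip} ({n} file operations)")
    for user, total, base in unusual_download_alerts(HISTORY, RECENT):
        print(f"unusual download: {user} {total} bytes vs busiest historical hour {base}")
```

Running the script reports alice's activity from 203.0.113.7 and carol's from 10.0.0.9 as unseen-IP hits, and only alice as an unusual-download hit; bob's 1.5 MB stays below both the factor and the floor. A real analytic would also key the IP baseline per user and compute the volume threshold from a distribution rather than a single busiest hour, but the shape of the logic is the same.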