DC0025 Cloud Storage Access

| Item | Value |
| --- | --- |
| ID | DC0025 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
| --- | --- |
| AWS:CloudTrail | GetObject, CopyObject |
| AWS:CloudTrail | PutObject: S3 writes with .sql/.csv extension by same identity or within 5 min of DB access |
| gcp:workspaceaudit | download, authorization_grant |
| m365:sharepoint | AnonymousLinkCreated, FileDownloaded |
| m365:unified | Accessed SharePoint files or pages |
| m365:unified | FileAccessed, FileDownloaded, ConsentGranted |
| m365:unified | App-only or delegated access patterns where client_id != known enterprise apps |
| saas:github | Artifact generated includes base64/encoded exfil payload or URL |

Detection Strategy

| ID | Name | Technique Detected |
| --- | --- | --- |
| DET0413 | Abuse of Information Repositories for Data Collection | T1213 |
| DET0590 | Behavioral Detection of External Website Defacement across Platforms | T1491.002 |
| DET0131 | Behavioral Detection Strategy for Exfiltration Over Alternative Protocol | T1048 |
| DET0238 | Defacement via File and Web Content Modification Across Platforms | T1491 |
| DET0014 | Detection of Data Staging Prior to Exfiltration | T1074 |
| DET0071 | Detection of Remote Data Staging Prior to Exfiltration | T1074.002 |
| DET0578 | Detection Strategy for Cloud Storage Object Discovery | T1619 |
| DET0533 | Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows | T1677 |
| DET0515 | Detection Strategy for T1528 - Steal Application Access Token | T1528 |
| DET0484 | Multi-Platform Cloud Storage Exfiltration Behavior Chain | T1530 |
| DET0242 | Suspicious Database Access and Dump Activity Across Environments (T1213.006) | T1213.006 |