Skip to content

DET0570 Detection Strategy for Exfiltration to Cloud Storage

Item Value
ID DET0570
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1567.002 (Exfiltration to Cloud Storage)

Analytics

Windows

AN1571

Unusual processes (e.g., powershell.exe, excel.exe) accessing large local files and subsequently initiating HTTPS POST requests to domains associated with cloud storage services (e.g., dropbox.com, drive.google.com, box.com). Defender perspective: correlation between file reads in sensitive directories and high outbound traffic volume to known storage APIs.

Log Sources
Data Component Name Channel
File Access (DC0055) WinEventLog:Security EventCode=4663, 4670, 4656
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
CloudStorageDomains List of monitored domains for cloud services (dropbox.com, drive.google.com, onedrive.live.com).
ExfilVolumeThreshold Data volume threshold (e.g., >10MB in single session) used to flag abnormal transfers.
UserContext User accounts permitted to use sanctioned cloud services versus unexpected accounts.

Linux

AN1572

Processes such as curl, wget, rclone, or custom scripts executing uploads to cloud storage endpoints. Defender perspective: detect chained events where tar/gzip is executed to compress files followed by HTTPS PUT/POST requests to known storage services.

Log Sources
Data Component Name Channel
Command Execution (DC0064) auditd:EXECVE curl -T, rclone copy
File Access (DC0055) auditd:SYSCALL read/open of sensitive file directories
Network Traffic Flow (DC0078) NSM:Flow large HTTPS outbound uploads
Mutable Elements
Field Description
AllowedTools Known tools used legitimately for backups (rclone, gsutil). Deviations raise suspicion.
WorkHours Baseline normal data transfer hours to reduce false positives.

macOS

AN1573

Applications or scripts invoking cloud storage APIs (Dropbox sync, iCloud, Google Drive client) in unexpected contexts. Defender perspective: detect sensitive file reads by non-standard applications followed by unusual encrypted uploads to external cloud storage domains.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog execution of curl, rclone, or Office apps invoking network sessions
File Access (DC0055) macos:unifiedlog file read of sensitive directories
Network Traffic Content (DC0085) macos:unifiedlog outbound HTTPS connections to cloud storage APIs
Mutable Elements
Field Description
WatchedApps Track processes that normally should not upload data (e.g., Preview, Calculator).
EntropyThreshold High-entropy file uploads may indicate encrypted payloads designed for exfiltration.

ESXi

AN1574

Unusual ESXi processes (vmx, hostd) reading datastore files and generating outbound HTTPS traffic toward external cloud storage endpoints. Defender perspective: anomalous datastore activity followed by network transfers to Dropbox, AWS S3, or other storage services.

Log Sources
Data Component Name Channel
File Access (DC0055) esxi:hostd datastore file access
Network Traffic Flow (DC0078) esxi:vmkernel network flows to external cloud services
Mutable Elements
Field Description
DatastoreTransferThreshold Threshold for outbound data exfiltration from ESXi datastore files.
ApprovedStorageServices Whitelist of sanctioned storage providers used by admins for backup operations.