Transfer Data to Cloud Account

Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.

A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.[1]

Adversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.[2]

Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.[3]

ID: T1537
Sub-techniques:  No sub-techniques
Tactic: Exfiltration
Platforms: Google Workspace, IaaS, Office 365, SaaS
Contributors: Darin Smith, Cisco; ExtraHop; Gabriel Currie; Praetorian
Version: 1.4
Created: 30 August 2019
Last Modified: 11 April 2024

Mitigations

ID Mitigation Description
M1057 Data Loss Prevention

Data loss prevention can prevent and block sensitive data from being shared with individuals outside an organization.[4] [5]

M1037 Filter Network Traffic

Implement network-based filtering restrictions to prohibit data transfers to untrusted VPCs.

M1054 Software Configuration

Configure appropriate data sharing restrictions in cloud services. For example, external sharing in Microsoft SharePoint and Google Drive can be turned off altogether, blocked for certain domains, or restricted to certain users.[6] [7]

M1018 User Account Management

Limit user account and IAM policies to the least privileges required.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor logs for SaaS applications to detect instances of data being shared inappropriately. For example, in Microsoft 365, file sharing events will appear in Audit logs under the event names SharingInvitationCreated, AnonymousLinkCreated, SecureLinkCreated, or AddedToSecureLink, with TargetUserOrGroupType being Guest.[8] In Google Workspace, externally shared files will have a Visibility property of Shared externally in the Drive audit logs.[9]

DS0010 Cloud Storage Cloud Storage Creation

Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts.

Cloud Storage Metadata

Periodically baseline cloud storage infrastructure to identify malicious modifications or additions.

Cloud Storage Modification

Monitor for anomalous file transfer activity between accounts and/or to untrusted/unexpected VPCs.

DS0029 Network Traffic Network Traffic Content

Monitor network traffic content for evidence of data exfiltration, such as gratuitous or anomalous internal traffic containing collected data. Consider correlation with process monitoring and command lines associated with collection and exfiltration.

DS0020 Snapshot Snapshot Creation

Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts.

Snapshot Metadata

Periodically baseline snapshots to identify malicious modifications or additions.

Snapshot Modification

Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs.

References