Exfiltration Over Web Service: Exfiltration to Cloud Storage

ID Name
T1567.001 Exfiltration to Code Repository
T1567.002 Exfiltration to Cloud Storage

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.

Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

ID: T1567.002
Sub-technique of:  T1567
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Data Sources: Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Requires Network:  Yes
Version: 1.0
Created: 09 March 2020
Last Modified: 28 March 2020

Procedure Examples

ID Name Description
G0114 Chimera

Chimera has exfiltrated stolen data to OneDrive accounts.[1]

S0538 Crutch

Crutch has exfiltrated stolen data to Dropbox.[2]

S0363 Empire

Empire can use Dropbox for data exfiltration.[3]


HAFNIUM has exfiltrated data to file sharing sites, including MEGA.[4]


HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later.[5]

G0065 Leviathan

Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[6][7]

G0010 Turla

Turla has used WebDAV to upload stolen USB files to a cloud drive.[8] Turla has also exfiltrated stolen files to OneDrive and 4shared.[9]


ZIRCONIUM has exfiltrated stolen data to Dropbox.[10]


ID Mitigation Description
M1021 Restrict Web-Based Content

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.


Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to known cloud storage services. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.