|T1567.001||Exfiltration to Code Repository|
|T1567.002||Exfiltration to Cloud Storage|
|T1567.003||Exfiltration to Text Storage Sites|
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.
Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.
BoomBox can upload data to dedicated per-victim folders in Dropbox.
BoxCaon has the capability to download folders' contents on the system and upload the results back to its Dropbox drive.
During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command
Chimera has exfiltrated stolen data to OneDrive accounts.
Clambling can send files from a victim's machine to Dropbox.
Confucius has exfiltrated victim data to cloud storage service accounts.
CreepyDrive can use cloud services including OneDrive for data exfiltration.
Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA.
FIN7 has exfiltrated stolen data to the MEGA file sharing site.
HAFNIUM has exfiltrated data to file sharing sites, including MEGA.
HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later.
HEXANE has used cloud services, including OneDrive, for data exfiltration.
Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.
Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.
LuminousMoth has exfiltrated data to Google Drive.
|C0022||Operation Dream Job||
During Operation Dream Job, Lazarus Group used a custom build of open-source command-line dbxcli to exfiltrate stolen data to Dropbox.
POLONIUM has exfiltrated stolen data to POLONIUM-owned OneDrive and Dropbox accounts.
RainyDay can use a file exfiltration tool to upload specific files to Dropbox.
Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.
ROKRAT can send collected data to cloud storage services such as PCloud.
Threat Group-3390 has exfiltrated stolen data to Dropbox.
Turla has used WebDAV to upload stolen USB files to a cloud drive. Turla has also exfiltrated stolen files to OneDrive and 4shared.
|M1021||Restrict Web-Based Content||
Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments that may exfiltrate data to a cloud storage service rather than over their primary command and control channel.
Monitor for files being accessed to exfiltrate data to a cloud storage service rather than over their primary command and control channel.
|DS0029||Network Traffic||Network Connection Creation||
Monitor for newly constructed network connections to cloud services associated with abnormal or non-browser processes.
|Network Traffic Content||
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
|Network Traffic Flow||
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.