Technique on mitre.org

T1537: Transfer Data to Cloud Account

Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.

A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.

Adversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.

Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Monitoring of AWS CloudTrail events PutBucketLogging, PutBucketWebsite, PutEncryptionConfiguration, PutLifecycleConfiguration, PutReplicationConfiguration, ReplicateObject, RestoreObject, and ModifySnapshotAttribute (event source is ec2.amazonaws.com), CreateInstanceExportTask (event source is ec2.amazonaws.com) where errorMessage/errorCode contains the * symbol and responseElements contains 'Failure'.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID	DS0010	Data source and component	Cloud Storage: Cloud Storage Modification	Description	Monitor for anomalous file transfer activity between accounts and/or to untrusted/unexpected VPCs.

ID	DS0020	Data source and component	Snapshot: Snapshot Creation	Description	Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts.

ID	DS0020	Data source and component	Snapshot: Snapshot Modification	Description	Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs.

ID	DS0015	Data source and component	Application Log: Application Log Content	Description	Monitor logs for SaaS applications to detect instances of data being shared inappropriately. For example, in Microsoft 365, file sharing events will appear in Audit logs under the event names `SharingInvitationCreated`, `AnonymousLinkCreated`, `SecureLinkCreated`, or `AddedToSecureLink`, with `TargetUserOrGroupType` being `Guest.` In Google Workspace, externally shared files will have a `Visibility` property of `Shared externally` in the Drive audit logs.

ID	DS0010	Data source and component	Cloud Storage: Cloud Storage Metadata	Description	Periodically baseline cloud storage infrastructure to identify malicious modifications or additions.

ID	DS0020	Data source and component	Snapshot: Snapshot Metadata	Description	Periodically baseline snapshots to identify malicious modifications or additions.

ID	DS0029	Data source and component	Network Traffic: Network Traffic Content	Description	Monitor network traffic content for evidence of data exfiltration, such as gratuitous or anomalous internal traffic containing collected data. Consider correlation with process monitoring and command lines associated with collection and exfiltration.

ID	DS0010	Data source and component	Cloud Storage: Cloud Storage Creation	Description	Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts.

ID	Data source and component	Description
DS0010	Cloud Storage: Cloud Storage Modification	Monitor for anomalous file transfer activity between accounts and/or to untrusted/unexpected VPCs.
DS0020	Snapshot: Snapshot Creation	Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts.
DS0020	Snapshot: Snapshot Modification	Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs.
DS0015	Application Log: Application Log Content	Monitor logs for SaaS applications to detect instances of data being shared inappropriately. For example, in Microsoft 365, file sharing events will appear in Audit logs under the event names `SharingInvitationCreated`, `AnonymousLinkCreated`, `SecureLinkCreated`, or `AddedToSecureLink`, with `TargetUserOrGroupType` being `Guest.` In Google Workspace, externally shared files will have a `Visibility` property of `Shared externally` in the Drive audit logs.
DS0010	Cloud Storage: Cloud Storage Metadata	Periodically baseline cloud storage infrastructure to identify malicious modifications or additions.
DS0020	Snapshot: Snapshot Metadata	Periodically baseline snapshots to identify malicious modifications or additions.
DS0029	Network Traffic: Network Traffic Content	Monitor network traffic content for evidence of data exfiltration, such as gratuitous or anomalous internal traffic containing collected data. Consider correlation with process monitoring and command lines associated with collection and exfiltration.
DS0010	Cloud Storage: Cloud Storage Creation	Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts.

Mitigation

ID	M1057	Name	Data Loss Prevention	Description	Data loss prevention can prevent and block sensitive data from being shared with individuals outside an organization.

ID	M1054	Name	Software Configuration	Description	Configure appropriate data sharing restrictions in cloud services. For example, external sharing in Microsoft SharePoint and Google Drive can be turned off altogether, blocked for certain domains, or restricted to certain users.

ID	M1037	Name	Filter Network Traffic	Description	Implement network-based filtering restrictions to prohibit data transfers to untrusted VPCs.

ID	M1018	Name	User Account Management	Description	Limit user account and IAM policies to the least privileges required.

ID	Name	Description
M1057	Data Loss Prevention	Data loss prevention can prevent and block sensitive data from being shared with individuals outside an organization.
M1054	Software Configuration	Configure appropriate data sharing restrictions in cloud services. For example, external sharing in Microsoft SharePoint and Google Drive can be turned off altogether, blocked for certain domains, or restricted to certain users.
M1037	Filter Network Traffic	Implement network-based filtering restrictions to prohibit data transfers to untrusted VPCs.
M1018	User Account Management	Limit user account and IAM policies to the least privileges required.