Technique on mitre.org

T1567.002: Exfiltration to Cloud Storage

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.

Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

microsoft_sharepoint: PT-CR-2111: Sharepoint_Critical_Data_Manipulation: An action with a critical file is performed

Detection

ID	DS0029	Data source and component	Network Traffic: Network Traffic Content	Description	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ID	DS0029	Data source and component	Network Traffic: Network Connection Creation	Description	Monitor for newly constructed network connections to cloud services associated with abnormal or non-browser processes.

ID	DS0029	Data source and component	Network Traffic: Network Traffic Flow	Description	Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Monitor for cloud storages for data exfiltration.

ID	DS0022	Data source and component	File: File Access	Description	Monitor for files being accessed to exfiltrate data to a cloud storage service rather than over their primary command and control channel.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may exfiltrate data to a cloud storage service rather than over their primary command and control channel.

ID	Data source and component	Description
DS0029	Network Traffic: Network Traffic Content	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
DS0029	Network Traffic: Network Connection Creation	Monitor for newly constructed network connections to cloud services associated with abnormal or non-browser processes.
DS0029	Network Traffic: Network Traffic Flow	Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Monitor for cloud storages for data exfiltration.
DS0022	File: File Access	Monitor for files being accessed to exfiltrate data to a cloud storage service rather than over their primary command and control channel.
DS0017	Command: Command Execution	Monitor executed commands and arguments that may exfiltrate data to a cloud storage service rather than over their primary command and control channel.

Mitigation

ID	M1021	Name	Restrict Web-Based Content	Description	Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

ID	Name	Description
M1021	Restrict Web-Based Content	Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.