Exfiltration to Cloud Storage - T1567.002
(ATT&CK® Technique)
Definition
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, editing, and retrieval of data from a remote cloud storage server over the Internet.
D3FEND Inferred Relationships
Exfiltration to Cloud Storage (T1567.002) produces these artifacts:
- Outbound Internet Encrypted Web Traffic
- Outbound Internet Web Traffic

Defensive techniques that analyze both artifacts and may detect T1567.002:
- Protocol Metadata Anomaly Detection
- Relay Pattern Analysis
- Remote Terminal Session Detection
- Client-server Payload Profiling
- Network Traffic Community Deviation
- Network Traffic Signature Analysis
- Per Host Download-Upload Ratio Analysis
- User Geolocation Logon Pattern Analysis

Defensive techniques that filter both artifacts and may isolate T1567.002:
- Network Traffic Filtering
- Outbound Traffic Filtering