T1537: Transfer Data to Cloud Account
| View on MITRE ATT&CK | T1537 |
|---|---|
| Tactic(s) | Exfiltration |
Data from MITRE ATT&CK®:
Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.
A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.
Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
AA24-109A StopRansomware: Akira Ransomware
This is a joint #StopRansomware advisory issued by CISA and partners covering Akira ransomware attacks. According to the report, the group has ...
REDCURL - The pentest you didn't know about
This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Password Policies
Set and enforce secure password policies for accounts.
User Account Management
Manage the creation, modification, use, and permissions associated with user accounts.
Filter Network Traffic
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
How to detect this technique
MITRE ATT&CK Data Components
Cloud Storage Metadata (Cloud Storage)
Contextual data about cloud storage infrastructure and activity around it such as name, size, or owner
Cloud Storage Modification (Cloud Storage)
Changes made to cloud storage infrastructure, including its settings and/or data (ex: AWS S3 PutObject or PutObjectAcl)
Network Traffic Content (Network Traffic)
Logged network traffic data showing both protocol header and body values (ex: PCAP)
Snapshot Modification (Snapshot)
Changes made to a snapshot, such as metadata and control data (ex: AWS modify-snapshot-attribute)
Cloud Storage Creation (Cloud Storage)
Initial construction of new cloud storage infrastructure (ex: AWS S3 CreateBucket)
Snapshot Metadata (Snapshot)
Contextual data about a snapshot, which may include information such as ID, type, and status
Snapshot Creation (Snapshot)
Initial construction of a new snapshot (ex: AWS create-snapshot)
Sigma Detections for this Technique
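As an added example (not code from the ATT&CK page, and not one of the Sigma rules referenced here), the following Python applies the Snapshot Modification and Cloud Storage Modification data components above to AWS CloudTrail records. It flags ModifySnapshotAttribute and ModifyDBSnapshotAttribute calls that share a snapshot with an account outside the organisation or make it public, PutBucketPolicy calls that grant a foreign principal, and S3 PutObject/CopyObject data events whose destination bucket is owned by another account. The trusted account set, the sample events and the exact CloudTrail field layout are assumptions constructed for this example; verify the field names against your own logs before deploying.

```python
"""Flag CloudTrail events that move data or access to another AWS account.

Added example for T1537 (not the ATT&CK page's own code). The trusted
account IDs, the sample events and the CloudTrail field names used below
are assumptions constructed for the example.
"""
import json

# Assumed organisation account IDs (constructed for this example).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}


def principal_accounts(principal):
    """Yield account IDs named by an S3 bucket-policy Principal element.

    Handles "*", {"AWS": "arn:aws:iam::ACCOUNT:root"}, bare account IDs and
    lists of either. Public access is reported as the pseudo-account "*".
    """
    values = principal.get("AWS", []) if isinstance(principal, dict) else principal
    for value in [values] if isinstance(values, str) else values:
        if value == "*":
            yield "*"
        elif value.startswith("arn:aws:iam::"):
            yield value.split(":")[4]          # ARN field 4 is the account ID
        elif value.isdigit():
            yield value


def find_cross_account_transfers(events, trusted=TRUSTED_ACCOUNTS):
    """Return one finding per event that grants or moves data to an untrusted account."""
    findings = []
    for event in events:
        name = event.get("eventName")
        params = event.get("requestParameters") or {}
        targets = set()
        if name == "ModifySnapshotAttribute":
            # EBS: createVolumePermission.add.items[] lists userIds, or group "all" for public.
            add = (params.get("createVolumePermission") or {}).get("add") or {}
            for item in add.get("items", []):
                targets.add("*" if item.get("group") == "all" else item.get("userId"))
        elif name == "ModifyDBSnapshotAttribute" and params.get("attributeName") == "restore":
            # RDS: valuesToAdd lists account IDs, or "all" for public restore (assumed layout).
            targets.update("*" if v == "all" else v for v in params.get("valuesToAdd", []))
        elif name == "PutBucketPolicy":
            for stmt in (params.get("bucketPolicy") or {}).get("Statement", []):
                if stmt.get("Effect") == "Allow":
                    targets.update(principal_accounts(stmt.get("Principal", {})))
        elif name in ("PutObject", "CopyObject"):
            # S3 data event: the bucket resource entry carries the owning account ID (assumed).
            for res in event.get("resources", []):
                if res.get("type") == "AWS::S3::Bucket" and res.get("accountId"):
                    targets.add(res["accountId"])
        targets.discard(None)
        bad = sorted(t for t in targets if t == "*" or t not in trusted)
        if bad:
            findings.append({
                "eventName": name,
                "sourceAccount": event.get("recipientAccountId"),
                "subject": params.get("snapshotId") or params.get("dBSnapshotIdentifier")
                or params.get("bucketName"),
                "targets": bad,
            })
    return findings


# Constructed sample events in a trimmed CloudTrail shape (not real log data).
SAMPLE_EVENTS = [
    {"eventName": "ModifySnapshotAttribute", "recipientAccountId": "111111111111",  # share outside org -> flag
     "requestParameters": {"snapshotId": "snap-0a1b2c3d4e5f67890", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "333333333333"}]}}}},
    {"eventName": "ModifySnapshotAttribute", "recipientAccountId": "111111111111",  # share with sibling -> benign
     "requestParameters": {"snapshotId": "snap-0fedcba9876543210", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    {"eventName": "ModifyDBSnapshotAttribute", "recipientAccountId": "111111111111",  # public restore -> flag
     "requestParameters": {"dBSnapshotIdentifier": "prod-db-final", "attributeName": "restore",
                           "valuesToAdd": ["all"]}},
    {"eventName": "PutBucketPolicy", "recipientAccountId": "111111111111",  # foreign principal -> flag
     "requestParameters": {"bucketName": "backups-prod", "bucketPolicy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "s3:GetObject", "Principal": {"AWS": "arn:aws:iam::555555555555:root"},
          "Resource": "arn:aws:s3:::backups-prod/*"}]}}},
    {"eventName": "PutObject", "recipientAccountId": "111111111111",  # write into foreign-owned bucket -> flag
     "requestParameters": {"bucketName": "drop-zone", "key": "db.tar.gz"},
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::drop-zone/db.tar.gz"},
                   {"type": "AWS::S3::Bucket", "accountId": "444444444444", "ARN": "arn:aws:s3:::drop-zone"}]},
    {"eventName": "PutObject", "recipientAccountId": "111111111111",  # write into our own bucket -> benign
     "requestParameters": {"bucketName": "backups-prod", "key": "db.tar.gz"},
     "resources": [{"type": "AWS::S3::Bucket", "accountId": "111111111111", "ARN": "arn:aws:s3:::backups-prod"}]},
]

if __name__ == "__main__":
    for finding in find_cross_account_transfers(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Two operational notes. The PutObject branch only fires if S3 data-event logging is enabled for the trail; management-event-only trails never record object writes, so the snapshot-sharing and bucket-policy branches are the ones a default trail can support. The trusted-account allow list is the main tuning point: sharing snapshots with sibling accounts is routine in most organisations, so keep the list in sync with the organisation's account inventory rather than hard-coding it as above.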
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.