Clankerusecase
MITRE ATT&CK detection coverage

T1567.002 Exfiltration to Cloud Storage

T1567.002 — Exfiltration to Cloud Storage is a MITRE ATT&CK technique in the Exfiltration tactic. Clankerusecase tracks 29 detection use cases covering it and 21 threat-intel articles citing it.

Tactic: Exfiltration

29 use cases · 21 articles · 0 sub-techniques · 1 tactic

Use cases covering this technique (29)

Gsuite Drive Share In External Email (ESCU · actions · hunting)
Cisco NVM - Rclone Execution With Network Activity (ESCU · actions · hunting)
Windows Azure Storage Utility Execution Via CLI (ESCU · actions · hunting)
Windows OneDrive Share Mounted via Net (ESCU · actions · hunting)
Cisco Secure Firewall - Connection to File Sharing Domain (ESCU · actions · hunting)
Cisco Secure Firewall - Potential Data Exfiltration (ESCU · actions · hunting)
[LLM] AUR build process egress to temp.sh or github.com/fardewoak/nodejs-argo (Bespoke · c2 · alerting)
[LLM] Atomic Arch: outbound HTTP upload to temp.sh from developer/build host (Bespoke · actions · alerting)
[LLM] Atomic Arch — DNS resolution and HTTP POST to temp.sh from non-browser developer workstation process (Bespoke · c2 · alerting)
[LLM] Multi-GB outbound transfer from single user to Tchap/Matrix endpoint (exfil volume) (Bespoke · actions · hunting)
[LLM] Rclone exfiltration from Check Point VPN gateway or post-bypass internal host (Bespoke · actions · hunting)
[LLM] Shai-Hulud worm GitHub Action workflow file dropped under .github/workflows (Bespoke · install · alerting)
[LLM] Shai-Hulud exfiltration: node.exe POSTs to api.github.com creating public repo (Bespoke · actions · hunting)
[LLM] Megalodon harvester: curl POST to C2 /collect endpoint on Linux runner (Bespoke · actions · alerting)
[LLM] Nx Console / Shai-Hulud C2 connection (t.m-kosche.com, check.git-service.com, filev2.getsession.org, api.masscan.cloud, 83.142.209.194) (Bespoke · c2 · alerting)
[LLM] GitHub audit log bulk private-repo clone burst (post Nx Console compromise pattern) (Bespoke · actions · alerting)
[LLM] GraphWorm OneDrive /createUploadSession C2 from non-Office process (Bespoke · c2 · hunting)
[LLM] WormFrp / Webworm Amazon S3 staging bucket access (wamanharipethe / whpjewellers) (Bespoke · actions · alerting)
[LLM] Mini Shai-Hulud dead-drop git commit authored as claude@users.noreply.github.com (Bespoke · actions · alerting)
[LLM] BirdCall RokRAT cloud-storage C2 beacon (Dropbox/pCloud) from non-browser process (Bespoke · c2 · hunting)
[LLM] Outbound upload to file.io from non-browser process (CompactGopher exfil) (Bespoke · actions · alerting)
[LLM] TeamPCP Trivy/KICS C2 callback to scan.aquasecurtiy.org / 45.148.10.212 (Bespoke · c2 · hunting)
[LLM] TeamPCP supply-chain C2 — outbound to checkmarx[.]zone / 83.142.209.11 (Bespoke · c2 · hunting)
[LLM] TeamPCP exfiltration archive — tpcp.tar.gz file creation on host (Bespoke · actions · alerting)
[LLM] Exfiltration to kubernetes-el attacker webhook.site UUIDs (Pwn Request payload) (Bespoke · c2 · alerting)
[LLM] APT28 MacroMaze: Office or Edge HTTP traffic to webhook.site (INCLUDEPICTURE tracker + exfil) (Bespoke · c2 · hunting)
[LLM] G_Wagon C2 beacon: node.exe or python.exe egress to Appwrite storage buckets (Bespoke · c2 · alerting)
[LLM] Nx s1ngularity-repository creation via GitHub API from developer or CI endpoint (Bespoke · actions · alerting)
[LLM] Moq SponsorLink email exfil egress to cdn.devlooped.com / SponsorLink blob (Bespoke · c2 · hunting)

Articles citing this technique (21)