AN1571: Analytic 1571
Unusual processes (e.g., powershell.exe, excel.exe) accessing large local files and subsequently initiating HTTPS POST requests to domains associated with cloud storage services (e.g., dropbox.com, drive.google.com, box.com). Defender perspective: correlation between file reads in sensitive directories and high outbound traffic volume to known storage APIs.
Analyst context for executives and security teams
This analytic matters because it looks for a common business-risk pattern: an unusual Windows process reads large local files and then sends substantial HTTPS POST traffic to cloud storage domains such as Dropbox, Google Drive, or Box. For leaders, the value is not just “detecting uploads”; it is validating whether the organization can distinguish normal cloud-storage use from suspicious data movement involving sensitive local directories.
Executive priority
Prioritize this as a data-loss and incident-readiness control validation. Executives should ask whether endpoint and network teams can correlate file access in sensitive locations with outbound cloud-storage traffic, whether approved cloud services are known, and whether investigation teams can quickly determine if the activity is authorized business use, policy violation, or a security incident. This also supports compliance evidence where monitoring of sensitive data handling and egress is required.
Technical view
For Windows environments, validate whether telemetry can correlate process identity, file-read activity against large or sensitive local files, destination domain, HTTPS POST behavior, and outbound traffic volume. The analytic specifically highlights unusual processes such as powershell.exe or excel.exe accessing large local files before posting to cloud storage service domains. SOC teams should tune around known backup, sync, collaboration, and automation workflows while preserving visibility into unexpected process-to-cloud-storage combinations.
Likely telemetry
- Windows endpoint process execution telemetry
- File access or file-read telemetry for local and sensitive directories
- Network connection metadata from endpoints or network sensors
- HTTP/HTTPS metadata where available, including method such as POST
- Destination domain or SNI/DNS telemetry for cloud storage services
Detection direction
- Validate correlation across endpoint file access and outbound network activity; either signal alone may be too noisy.
- Baseline approved cloud-storage clients and business workflows to reduce false positives from legitimate sync, backup, or collaboration activity.
- Pay special attention to unusual parent/child process context and non-standard processes initiating high-volume HTTPS POST traffic to cloud storage domains.
- Confirm visibility is not lost when traffic is encrypted; domain, SNI, DNS, proxy, EDR, or firewall metadata may be needed.
- Define what counts as a large local file and which directories are sensitive based on the organization’s data-handling model.
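The correlation the technical view and the bullets above describe, worked through as an added example (not MITRE's or Glexia's detection logic). It joins constructed endpoint file-read events with constructed HTTPS POST metadata by host and process id, applies an allowlist for baselined sync clients, and only alerts when a large or sensitive-directory read is followed within a window by high-volume POST traffic to a cloud-storage domain. The thresholds, sensitive directories, domain list, approved client names and the event schema are all assumptions chosen for the example; the sample events are constructed.

```python
"""Correlate large/sensitive local file reads with follow-on HTTPS POST traffic
to cloud storage domains (the AN1571 pattern). Added example; every threshold,
directory, domain, client name and event field below is an assumption."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

MiB = 1024 * 1024

# Assumed tuning values; an organization's own data-handling model replaces these.
SENSITIVE_DIRS = ("c:\\finance\\", "c:\\hr\\")
LARGE_FILE_BYTES = 50 * MiB                 # a read of this size or more is "large"
HIGH_EGRESS_BYTES = 20 * MiB                # cumulative POST volume that is "high"
CORRELATION_WINDOW = timedelta(minutes=10)  # read must precede first POST by <= this
CLOUD_STORAGE_DOMAINS = ("dropbox.com", "drive.google.com", "box.com")
APPROVED_UPLOADERS = {"dropbox.exe", "onedrive.exe"}  # baselined sync/backup clients


@dataclass(frozen=True)
class FileRead:
    ts: datetime
    host: str
    user: str
    pid: int
    image: str      # process image name
    parent: str     # parent image, kept for triage context
    path: str
    size: int       # bytes read


@dataclass(frozen=True)
class HttpPost:
    ts: datetime
    host: str
    pid: int
    image: str
    dest: str       # destination host from HTTP metadata, SNI or DNS
    method: str
    bytes_out: int


def in_sensitive_dir(path: str) -> bool:
    return path.lower().startswith(SENSITIVE_DIRS)


def is_cloud_storage(dest: str) -> bool:
    """Label-boundary suffix match: api.dropbox.com matches, notdropbox.com does not."""
    d = dest.lower().rstrip(".")
    return any(d == dom or d.endswith("." + dom) for dom in CLOUD_STORAGE_DOMAINS)


def correlate(reads, posts):
    """One alert per (host, pid, destination) where an unapproved process read a
    large or sensitive-directory file and, within the window, POSTed a high
    volume to a cloud storage domain. Either signal on its own raises nothing."""
    interesting_reads = defaultdict(list)
    for r in reads:
        if r.size >= LARGE_FILE_BYTES or in_sensitive_dir(r.path):
            interesting_reads[(r.host, r.pid)].append(r)

    egress = defaultdict(list)
    for p in posts:
        if (p.method.upper() == "POST" and is_cloud_storage(p.dest)
                and p.image.lower() not in APPROVED_UPLOADERS):
            egress[(p.host, p.pid, p.dest)].append(p)

    alerts = []
    for (host, pid, dest), plist in egress.items():
        total = sum(p.bytes_out for p in plist)
        if total < HIGH_EGRESS_BYTES:
            continue
        first_post = min(p.ts for p in plist)
        preceding = [r for r in interesting_reads.get((host, pid), ())
                     if timedelta(0) <= first_post - r.ts <= CORRELATION_WINDOW]
        if not preceding:
            continue
        r0 = preceding[0]
        # Fields an investigator needs: process, user, host, file path, destination, volume.
        alerts.append({"ts": first_post, "host": host, "user": r0.user, "pid": pid,
                       "image": r0.image, "parent": r0.parent,
                       "files": [r.path for r in preceding], "dest": dest,
                       "bytes_out": total})
    alerts.sort(key=lambda a: a["ts"])
    return alerts


# Constructed sample telemetry covering a hit, a baselined client, a small file in a
# sensitive directory, a read outside the window, and a POST with no preceding read.
T = datetime(2024, 5, 6, 9, 0, 0)
SAMPLE_READS = [
    FileRead(T, "WS-017", "alice", 4120, "powershell.exe", "winword.exe",
             r"C:\Finance\q3_ledger.xlsx", 80 * MiB),
    FileRead(T, "WS-017", "alice", 2200, "Dropbox.exe", "explorer.exe",
             r"C:\Users\alice\Dropbox\photo.jpg", 60 * MiB),
    FileRead(T + timedelta(minutes=30), "WS-022", "bob", 5100, "excel.exe",
             "explorer.exe", r"C:\HR\salaries.xlsx", 2 * MiB),
    FileRead(T, "WS-031", "carol", 6100, "powershell.exe", "cmd.exe",
             r"C:\Temp\iso_export.bin", 120 * MiB),
]
SAMPLE_POSTS = [
    HttpPost(T + timedelta(minutes=2), "WS-017", 4120, "powershell.exe", "api.dropbox.com", "POST", 15 * MiB),
    HttpPost(T + timedelta(minutes=3), "WS-017", 4120, "powershell.exe", "api.dropbox.com", "POST", 10 * MiB),
    HttpPost(T + timedelta(minutes=1), "WS-017", 2200, "Dropbox.exe", "api.dropbox.com", "POST", 60 * MiB),
    HttpPost(T + timedelta(minutes=31), "WS-022", 5100, "excel.exe", "upload.box.com", "POST", 30 * MiB),
    HttpPost(T + timedelta(minutes=25), "WS-031", 6100, "powershell.exe", "drive.google.com", "POST", 120 * MiB),
    HttpPost(T + timedelta(minutes=4), "WS-040", 7700, "chrome.exe", "drive.google.com", "POST", 40 * MiB),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_READS, SAMPLE_POSTS):
        print(a)
```

Running it yields two alerts: the powershell.exe process spawned by winword.exe on WS-017 (80 MiB read from the finance directory, 25 MiB POSTed to api.dropbox.com within three minutes) and excel.exe on WS-022 (a small file, but from a sensitive directory, followed by 30 MiB to upload.box.com). The Dropbox.exe upload is suppressed by the baseline, the WS-031 read falls outside the window, and the chrome.exe POST has no correlated read, which is the point of requiring both signals. In production the same join would run over EDR file-event and proxy/firewall/SNI records keyed on host and process id.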
Mitigation priorities
- Inventory and govern approved cloud storage services and expected client applications.
- Apply least-privilege access and data-handling controls for sensitive local directories.
- Use endpoint, proxy, firewall, or cloud access controls to restrict or monitor unsanctioned cloud-storage destinations where appropriate.
- Ensure incident response playbooks cover triage of suspicious file access followed by cloud upload behavior.
- Retain sufficient endpoint and network logs to support investigation of process, user, host, file path, destination, and volume.
Analyst notes and limits
ATT&CK provides this as a detection analytic, not as a technique with tactics or procedure examples. The most useful implementation will depend on local definitions of sensitive directories, approved cloud services, normal upload volumes, and available endpoint/network telemetry.
No official detection logic, tactics, relationships, adversary context, or implementation details were supplied. This take is therefore limited to the described Windows analytic pattern and should not be read as evidence of active exploitation, attribution, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 51b6cb433259… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1571
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.