DET0484: Multi-Platform Cloud Storage Exfiltration Behavior Chain
Analyst context for executives and security teams
DET0484 is a MITRE detection strategy for behavior associated with access to data in cloud storage, mapped to ATT&CK T1530. Its business significance is that important corporate data often lives outside traditional endpoints and file servers, in IaaS object storage and SaaS document repositories. Leaders should treat this as a coverage question: can the organization prove who accessed cloud-stored data, from where, at what volume, and through which service?
Executive priority
Prioritize this where cloud storage holds regulated, customer, financial, operational, or intellectual property data. The decision value is less about a single alert and more about readiness: identity controls, cloud/SaaS logging, SOC visibility, incident response evidence, and auditability must align across IaaS, Office Suite, and SaaS environments related to T1530. Executives should ask whether cloud storage access can be investigated quickly enough to support containment, disclosure analysis, and business continuity decisions.
Technical view
Because the official ATT&CK object provides no detection text and no direct platforms or tactics, teams should anchor validation on the related technique T1530, Data from Cloud Storage, whose context includes collection from IaaS object storage and SaaS/Office Suite storage. SOC and IR teams should verify that logs can reconstruct cloud storage access patterns across user identity, service account/API activity, file or object access, downloads, sharing, and administrative changes. Detection engineering should focus on behavior chains rather than isolated events, such as unusual authentication followed by broad enumeration, access to sensitive repositories, high-volume download activity, or access across multiple cloud storage platforms, while tuning for legitimate backup, migration, eDiscovery, and administrative workflows.
Likely telemetry
- Cloud provider object storage access logs for read, list, download, and object retrieval activity
- SaaS and Office Suite audit logs for file access, download, sharing, sync, and repository activity
- Identity and access management logs covering user, service account, API token, and application access
- Authentication context such as source IP, device, session, geolocation, and conditional access outcomes where available
- Cloud control-plane logs for permission changes, bucket/container policy changes, app consent, or storage configuration changes
Detection direction
- Validate that coverage exists for the related T1530 environments in use: IaaS object storage, Office Suite storage, and SaaS storage platforms.
- Correlate identity events with storage access events; cloud storage activity without reliable identity context is a major investigative blind spot.
- Tune detections around behavior sequences and deviations from baseline rather than single downloads, since legitimate collaboration and administrative activity can create false positives.
- Include service accounts, API-based access, sync clients, and third-party applications in scope; focusing only on interactive user logins can miss material access paths.
- Test whether SOC analysts can answer basic IR questions: what data was accessed, by whom, from where, over what time period, and whether the activity crossed platforms.
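The chain logic described in the technical view and the tuning points above, as an added Python sketch that is not part of the MITRE object or Glexia's analysis: it scores constructed, identity-joined events from two storage platforms and flags a principal only when several signals line up (unseen login source, enumeration, bulk download, cross-platform access), while skipping approved backup identities. Field names, thresholds and the allowlist are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): identity context already joined to
# storage access records from an IaaS object store and an Office Suite repository.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "principal": "alice", "platform": "iaas", "action": "auth", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T09:01:00", "principal": "alice", "platform": "iaas", "action": "list", "bytes": 0},
    {"ts": "2024-05-01T09:02:00", "principal": "alice", "platform": "iaas", "action": "download", "bytes": 900_000_000},
    {"ts": "2024-05-01T09:10:00", "principal": "alice", "platform": "office_suite", "action": "download", "bytes": 400_000_000},
    {"ts": "2024-05-01T10:00:00", "principal": "backup-svc", "platform": "iaas", "action": "auth", "src_ip": "10.0.0.5"},
    {"ts": "2024-05-01T10:01:00", "principal": "backup-svc", "platform": "iaas", "action": "list", "bytes": 0},
    {"ts": "2024-05-01T10:02:00", "principal": "backup-svc", "platform": "iaas", "action": "download", "bytes": 5_000_000_000},
    {"ts": "2024-05-01T11:00:00", "principal": "bob", "platform": "office_suite", "action": "download", "bytes": 2_000_000},
]

# Assumed baselines: source IPs previously seen per identity, and identities whose
# bulk reads are expected (backup/migration), which the page says must be tuned out.
BASELINE_IPS = {"alice": {"198.51.100.10"}, "backup-svc": {"10.0.0.5"}, "bob": {"198.51.100.20"}}
APPROVED_BULK_PRINCIPALS = {"backup-svc"}
WINDOW_HOURS = 2
VOLUME_THRESHOLD = 500_000_000  # bytes downloaded within the window
MIN_SIGNALS = 3                 # require a chain, not a single event

def score_chain(events, baseline_ips, approved_bulk, window_hours=WINDOW_HOURS,
                volume_threshold=VOLUME_THRESHOLD, min_signals=MIN_SIGNALS):
    """Return {principal: [signals]} for identities whose activity forms a chain.
    The window is anchored at each principal's first event; production logic would slide it."""
    by_principal = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_principal[e["principal"]].append(e)
    findings = {}
    for principal, evs in by_principal.items():
        if principal in approved_bulk:
            continue  # tuned-out backup/migration identity
        start = datetime.fromisoformat(evs[0]["ts"])
        window = [e for e in evs
                  if (datetime.fromisoformat(e["ts"]) - start).total_seconds() <= window_hours * 3600]
        signals = []
        if any(e["action"] == "auth" and e.get("src_ip") not in baseline_ips.get(principal, set()) for e in window):
            signals.append("auth_from_unseen_ip")
        if any(e["action"] == "list" for e in window):
            signals.append("enumeration")
        if sum(e.get("bytes", 0) for e in window if e["action"] == "download") >= volume_threshold:
            signals.append("high_volume_download")
        if len({e["platform"] for e in window if e["action"] == "download"}) >= 2:
            signals.append("cross_platform")
        if len(signals) >= min_signals:
            findings[principal] = signals
    return findings
```

Running it over the sample flags only alice; backup-svc is allowlisted and bob shows a single small download with no supporting signals.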
Mitigation priorities
- Inventory cloud storage locations and identify which repositories contain sensitive or business-critical data.
- Ensure audit logging is enabled, retained, and accessible for relevant IaaS, Office Suite, and SaaS storage services.
- Harden identity and access paths with least privilege, strong authentication, reviewed service-account permissions, and controlled third-party application access.
- Define investigation playbooks for suspected cloud storage data access, including evidence preservation, identity containment, access revocation, and data exposure assessment.
- Use data governance controls such as classification, ownership, access reviews, and retention policies to reduce the amount of high-value data broadly accessible in cloud storage.
Analyst notes and limits
The supplied object is a detection strategy named Multi-Platform Cloud Storage Exfiltration Behavior Chain, but its official description and detection fields are not provided. The strongest ATT&CK-supported context is its relationship to T1530, Data from Cloud Storage, which is categorized under collection and lists IaaS, Office Suite, and SaaS as related platforms. This analysis therefore frames practical validation around cloud storage access visibility and response readiness rather than claiming a specific analytic implementation.
No official detection logic, platforms, tactics, data sources, severity, or procedure examples were supplied for DET0484. Recommendations are conservative and derived from the object name plus the stated relationship to T1530. Local architecture, logging configuration, data sensitivity, and normal business workflows are required to determine actual coverage, priority, and tuning.
Multi-Platform Cloud Storage Exfiltration Behavior Chain
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1530 | Data from Cloud Storage | This object detects Data from Cloud Storage. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 85707e40885a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0484 (open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.