DET0570: Detection Strategy for Exfiltration to Cloud Storage
Analyst context for executives and security teams
This detection strategy matters because exfiltration to cloud storage can blend into normal business traffic when organizations legitimately use services such as Dropbox or Google Docs. For leaders, the practical question is whether the organization can distinguish approved cloud-storage use from unusual movement of sensitive data to external services, especially during an incident where rapid scoping is needed.
Executive priority
Prioritize this as a data-loss and business-continuity concern tied to the ATT&CK technique Exfiltration to Cloud Storage (T1567.002). Executives should ask whether cloud-storage usage is governed, logged, and reviewable across Windows, macOS, Linux, and ESXi environments where relevant. The decision value is not only prevention; it is whether SOC and incident response teams can produce credible evidence of what data may have left, through which service, from which host or account, and whether the activity was approved.
Technical view
The supplied detection-strategy object has no official detection text or platform list, but it detects T1567.002, which is an exfiltration technique involving data transfer to cloud storage services over the Internet. SOC and detection teams should validate visibility into outbound connections and data-transfer patterns to cloud-storage providers, especially where those services are already common in the environment. IR teams should be able to correlate endpoint, network, proxy, DNS, identity, and cloud/SaaS access evidence to determine whether observed uploads are expected business activity or potential exfiltration.
Likely telemetry
- Network egress logs showing outbound connections to cloud-storage services
- Proxy or secure web gateway logs with URLs, domains, users, hosts, and transferred byte counts
- DNS queries for cloud-storage provider domains
- Endpoint telemetry showing processes initiating uploads or large file transfers
- Identity or access logs tying cloud-storage activity to specific users or service accounts
Detection direction
- Validate that logging captures both destination context and transfer volume; domain-only visibility may miss whether meaningful data was uploaded.
- Tune detections around deviations from normal user, host, and business-unit cloud-storage behavior rather than treating all access to common providers as suspicious.
- Correlate cloud-storage activity with endpoint process context and identity context to reduce false positives from legitimate collaboration workflows.
- Review blind spots where unmanaged devices, direct Internet egress, encrypted web traffic, or unsanctioned cloud services reduce visibility.
- During investigations, prioritize evidence that can answer: what was transferred, by whom, from where, to which service, and whether the service was sanctioned.
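As an added example, not detection logic from the DET0570 object (which provides none) and not Glexia's code, the Python below turns the points above into a runnable check: it keys on request method and bytes sent rather than domain alone, compares sanctioned-service uploads against a per-user baseline instead of alerting on every hit, treats any non-trivial upload to an unsanctioned service as a finding, and carries host, process and identity context into each finding so an investigator can answer who, from where, to which service, and how much. The proxy-log schema, the domain-to-service map, the sanctioned list, the baseline values and the log lines are all constructed assumptions for illustration.

```python
"""Added example (not part of the ATT&CK object or this page): flag cloud-storage
uploads that deviate from a per-user baseline or go to unsanctioned services,
using constructed proxy-log lines with byte counts, process and identity context."""
from collections import defaultdict

# Assumed destination-to-service map; illustrative, not an authoritative provider list.
CLOUD_STORAGE_SERVICES = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "mega.nz": "MEGA",
}
# Assumed local policy: only Google Drive is an approved storage service here.
SANCTIONED_SERVICES = {"Google Drive"}
# Assumed per-user baseline of typical daily upload bytes to sanctioned storage
# (in practice derived from proxy history). Constructed values.
BASELINE_UPLOAD_BYTES = {"alice": 5_000_000, "bob": 2_000_000, "svc-backup": 50_000_000}
BASELINE_MULTIPLIER = 10            # sanctioned uploads above 10x baseline are flagged
UNSANCTIONED_MIN_BYTES = 1_000_000  # ignore trivial traffic to unsanctioned services
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed proxy records (assumed schema):
# ts user src_host method dest_host bytes_sent bytes_recv process
SAMPLE_PROXY_LOG = """\
2026-03-02T09:01:10Z alice WS-0412 POST content.dropboxapi.com 40000000 512 curl.exe
2026-03-02T09:05:44Z alice WS-0412 GET www.dropbox.com 300 18000 chrome.exe
2026-03-02T09:12:03Z bob WS-0377 PUT docs.google.com 1500000 900 chrome.exe
2026-03-02T09:15:51Z bob WS-0377 POST mega.nz 200000 400 chrome.exe
2026-03-02T09:20:00Z svc-backup SRV-DB01 PUT drive.google.com 120000000 1200 rclone
2026-03-02T09:31:27Z carol WS-0499 POST drive.google.com 3000000 700 powershell.exe
2026-03-02T09:40:12Z dave WS-0510 POST updates.example.com 90000000 300 updater.exe
""".splitlines()


def service_for(dest_host):
    """Map a destination host to a cloud-storage service by domain-suffix match."""
    host = dest_host.lower().rstrip(".")
    for suffix, name in CLOUD_STORAGE_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def parse_line(line):
    """Parse one whitespace-separated proxy record (assumed schema above)."""
    ts, user, src, method, dest, sent, recv, proc = line.split()
    return {"ts": ts, "user": user, "src": src, "method": method.upper(),
            "dest": dest, "sent": int(sent), "recv": int(recv), "proc": proc}


def detect_cloud_uploads(lines):
    """Aggregate upload bytes per (user, service) and return findings carrying the
    evidence an investigator needs: who, from where, to which service, how much,
    with which process, and whether the service was sanctioned."""
    agg = defaultdict(lambda: {"bytes": 0, "hosts": set(), "procs": set()})
    for rec in map(parse_line, lines):
        service = service_for(rec["dest"])
        # Domain-only visibility is not enough: a GET to dropbox.com is browsing,
        # not an upload, so key on request method and bytes sent.
        if service is None or rec["method"] not in UPLOAD_METHODS or rec["sent"] == 0:
            continue
        entry = agg[(rec["user"], service)]
        entry["bytes"] += rec["sent"]
        entry["hosts"].add(rec["src"])
        entry["procs"].add(rec["proc"])

    findings = []
    for (user, service), entry in sorted(agg.items()):
        sanctioned = service in SANCTIONED_SERVICES
        if sanctioned:
            baseline = BASELINE_UPLOAD_BYTES.get(user)
            if baseline is None:
                reason = "sanctioned service, but user has no upload baseline"
            elif entry["bytes"] > BASELINE_MULTIPLIER * baseline:
                reason = f"sanctioned service, {entry['bytes'] / baseline:.0f}x user baseline"
            else:
                continue  # normal collaboration volume for this user
        else:
            if entry["bytes"] < UNSANCTIONED_MIN_BYTES:
                continue  # too little to matter; avoid alerting on stray requests
            reason = "unsanctioned cloud-storage service"
        findings.append({
            "user": user, "service": service, "sanctioned": sanctioned,
            "bytes_sent": entry["bytes"], "hosts": sorted(entry["hosts"]),
            "processes": sorted(entry["procs"]), "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_cloud_uploads(SAMPLE_PROXY_LOG):
        print(finding)
```

On the constructed input this yields two findings: alice's 40 MB POST from curl.exe to Dropbox (unsanctioned), and carol's upload to Google Drive from powershell.exe, flagged only because she has no baseline; bob's small Google Docs traffic, bob's 200 KB to MEGA and the backup service account's 120 MB to Google Drive stay below their respective thresholds. The baseline values and multiplier are the tuning knobs this page says must come from local usage patterns, and in production the per-user baseline would also be cut by host and business unit.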
Mitigation priorities
- Define and maintain an approved cloud-storage service policy so detection teams know which destinations are expected versus unsanctioned.
- Ensure egress, proxy, DNS, endpoint, identity, and SaaS audit logs are retained long enough to support incident response and compliance evidence needs.
- Apply access governance and least-privilege controls around sanctioned cloud-storage platforms, including review of users and service accounts with upload or sharing capability.
- Use network and web controls to manage or restrict access to unapproved cloud-storage services where business requirements allow.
- Establish incident response procedures for suspected data exfiltration, including preservation of logs and coordination with data owners to assess sensitivity of affected files.
Analyst notes and limits
This take is based on the DET0570 detection-strategy object and its relationship to ATT&CK technique T1567.002, Exfiltration to Cloud Storage. The relationship provides the main operational context: adversaries may use cloud storage instead of a primary command-and-control channel, and normal business use of these services can provide cover.
The official detection-strategy object does not provide a description, detection logic, tactics, or platforms. Platform and tactic context comes only from the related T1567.002 technique. Local service allowlists, cloud-storage usage patterns, logging architecture, and data-classification practices are required to turn this into environment-specific detections or control decisions.
Detection Strategy for Exfiltration to Cloud Storage
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1567.002 | Exfiltration to Cloud Storage (sub-technique) | This object detects Exfiltration to Cloud Storage. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 748386ae9d78… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0570 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.