T1537Techniqueexfiltrationagent-callable

T1537Transfer Data to Cloud Account

Platforms: IaaS

ATT&CK version: 14.1

What it is

Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection. A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces. Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)

ATT&CK tactics· 1

Exfiltration

References

  1. https://attack.mitre.org/techniques/T1537
  2. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
  3. https://docs.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature
  4. https://docs.microsoft.com/en-us/azure/storage/blobs/snapshots-overview
  5. https://www.justice.gov/file/1080281/download
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.
T1537: Transfer Data to Cloud Account | SQUR Knowledge Base