Home/ATT&CK Technique/Data from Cloud Storage
ATT&CK Technique

Data from Cloud Storage

T1530 · collection

Adversaries may access data from cloud storage. Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform.

In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the Cloud API. In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., Data from Information Repositories). Adversaries may collect sensitive data from these cloud storage solutions.

Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem. There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions. This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.

Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.

IaaSOffice SuiteSaaS

Actors Using This

14
russia_speaking_cybercrimeAkira
russia_speaking_cybercrimeALPHV / BlackCat
russia_speaking_cybercrimeBlack Basta
israel_private_sector_mobile_forensics_cyber_mercenaryCellebrite
north_koreaCitrine Sleet
russia_speaking_cybercrimeCl0p
russia_speaking_cybercrimeCuba
russia_speaking_organized_cybercrimeDarkSide / BlackMatter
russia_speaking_cybercrimeHive
russia_aligned_cybercrimeIndrik Spider
predominantly_english_speaking_youth_organized_crimeLAPSUS$
russia_speaking_cybercrimeLockBit Operators
russia_speaking_cybercrimeMaze
russia_speaking_cybercrimeMedusa

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
initial-access earlier
T1566.004 · Spearphishing Voice ×5.88
execution earlier
T1059.008 · Network Device CLI ×6.61
persistence earlier
T1556.006 · Multi-Factor Authentication ×6.61T1078.001 · Default Accounts ×6.52
credential-access earlier
T1003.006 · DCSync ×7.05T1552.005 · Cloud Instance Metadata API ×7.05T1621 · Multi-Factor Authentication Request Generation ×6.61T1606 · Forge Web Credentials ×5.51T1606.002 · SAML Tokens ×5.29T1552.004 · Private Keys ×4.53
discovery earlier
T1526 · Cloud Service Discovery ×8.81T1087.004 · Cloud Account ×7.05
lateral-movement earlier
T1550.001 · Application Access Token ×4.41
collection same
T1074.002 · Remote Data Staging ×5.51
other same
T1562.009 · Safe Mode Boot ×6.93

Atomic Tests

2
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
shiaas:awsAWS - Scan for Anonymous Access to S3
Upon successful execution, this test will test for anonymous access to AWS S3 buckets and dumps all the files to a local folder. 
aws --no-sign-request s3 cp --recursive s3://#{s3_bucket_name} /tmp/#{s3_bucket_name}
powershelliaas:azureAzure - Dump Azure Storage Account Objects via Azure CLI
This test dumps the content of the storage account objects present in the file defined in file_shares_csv_file_path. Note that this file is created in the atomic test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". When created manually, it must contain the columns "ResourceGroup","StorageAccountName", "FileShareName", "ContainerName", "BlobName". Requirements: - The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required. - The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.
$storage_account_objects = Import-Csv -Path "#{storage_account_objects_csv_file_path}"

# Login to Azure
az login

if (-not (Test-Path -Path "#{output_folder}")) {
    New-Item -ItemType Directory -Path "#{output_folder}"
}

foreach ($row in $storage_account_objects) {
    
    if ($row.FileShareName -ne ""){
        $allowSharedKeyAccess = az storage account show --name $row.StorageAccountName --resource-group $row.ResourceGroup --query "allowSharedKeyAccess"

        if ($allowSharedKeyAccess -eq "false") {    # $allowSharedKeyAccess could be true or null
            Write-Output "Shared key access is disabled for this storage account."
        } else {
            Write-Output "Fetching content from file share: $($row.FileShareName) in storage account $($row.StorageAccountName) ..."
            $connectionString = az storage account show-connection-string --name $row.StorageAccountName --resource-group $row.ResourceGroup --query connectionString --output tsv
            
            # Create folder for storage account objects
            $storageAccountOutputPath = Join-Path #{output_folder} "$($row.ResourceGroup)_$($row.StorageAccountName)"
            if (-not (Test-Path -Path $storageAccountOutputPath)) {
                New-Item -ItemType Directory -Path $storageAccountOutputPath
            }

            # create folder for file share content
            $fileSharePath = Join-Path -Path $storageAccountOutputPath $row.FileShareName
            if (-not (Test-Path -Path $fileSharePath)) {
                New-Item -ItemType Directory -Path $fileSharePath
            }
            az storage file download-batch --connection-string $connectionString --source $row.FileShareName --destination $fileSharePath
        }
    } elseif ($row.ContainerName -ne "" -and $row.BlobName -eq "") {
        $allowSharedKeyAccess = az storage account show --name $row.StorageAccountName --resource-group $row.ResourceGroup --query "allowSharedKeyAccess"

        if ($allowSharedKeyAccess -eq "false") {    # $allowSharedKeyAccess could be true or null
            Write-Output "Shared key access is disabled for this storage account."
        } else {
            Write-Output "Fetching all blobs from container $($row.ContainerName) in storage account $($row.StorageAccountName) ..."
            $connectionString = az storage account show-connection-string --name $row.StorageAccountName --resource-group $row.ResourceGroup --query connectionString --output tsv
            
            # Create folder for storage account objects
            $storageAccountOutputPath = Join-Path #{output_folder} "$($row.ResourceGroup)_$($row.StorageAccountName)"
            if (-not (Test-Path -Path $storageAccountOutputPath)) {
                New-Item -ItemType Directory -Path $storageAccountOutputPath
            }

            # create folder for blob content
            $containerFolderPath = Join-Path $storageAccountOutputPath $row.ContainerName
            if (-not (Test-Path -Path $containerFolderPath)) {
                New-Item -ItemType Directory -Path $containerFolderPath
            }
            az storage blob download-batch --destination $containerFolderPath --source $row.ContainerName --connection-string $connectionString
        }
    }
}

Mitigations

6
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1018User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies.

Enforcing the Principle of Least Privilege
  • Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted.
  • Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions. Implementing Strong Password Policies.
  • Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse.
  • Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks. Managing Dormant and Orphaned Accounts.
  • Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits.
  • Use Case: Eliminates dormant accounts that could be exploited by attackers. Account Lockout Policies.
  • Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes.
  • Use Case: Mitigates automated attack techniques that rely on repeated login attempts. Multi-Factor Authentication (MFA) for High-Risk Accounts.
  • Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics.
  • Use Case: Prevents unauthorized access, even if credentials are stolen. Restricting Interactive Logins.
  • Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions.
  • Use Case: Protects sensitive accounts from misuse or exploitation.
Tools for Implementation Built-in Tools
  • Microsoft Active Directory (AD): Centralized account management and RBAC enforcement.
  • Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.
Identity and Access Management (IAM) Tools
  • Okta: Centralized user provisioning, MFA, and SSO integration.
  • Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.
Privileged Account Management (PAM)
  • CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.
M1022Restrict File and Directory Permissions

Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.

Enforce Least Privilege Permissions
  • Remove unnecessary write permissions on sensitive files and directories.
  • Use file ownership and groups to control access for specific roles. Example (Windows): Right-click the shared folder.
  • Properties.
  • Security tab.
  • Adjust permissions for NTFS ACLs.
Harden File Shares
  • Disable anonymous access to shared folders.
  • Enforce NTFS permissions for shared folders on Windows. Example: Set permissions to restrict write access to critical files, such as system executables (e.g., /bin or /sbin on Linux). Use tools like chown and chmod to assign file ownership and limit access. On Linux, apply: chmod 750 /etc/sensitive.conf `chown root:admin /etc/sensitive.
conf` File Integrity Monitoring (FIM)
  • Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions.
Audit File System Access
  • Enable auditing to track permission changes or unauthorized access attempts.
  • Use auditd (Linux) or Event Viewer (Windows) to log activities.
Restrict Startup Directories
  • Configure permissions to prevent unauthorized writes to directories like C:\ProgramData\Microsoft\Windows\Start Menu. Example: Restrict write access to critical directories like /etc/, /usr/local/, and Windows directories such as C:\Windows\System32.
  • On Windows, use icacls to modify permissions: icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F.
  • On Linux, monitor permissions using tools like lsattr or auditd.
M1032Multi-factor Authentication

Multi-Factor Authentication (MFA) enhances security by requiring users to provide at least two forms of verification to prove their identity before granting access. These factors typically include: - Something you know: Passwords, PINs. - Something you have: Physical tokens, smartphone authenticator apps. - Something you are: Biometric data such as fingerprints, facial recognition, or retinal scans. Implementing MFA across all critical systems and services ensures robust protection against account takeover and unauthorized access.

Identity and Access Management (IAM)
  • Use IAM solutions like Azure Active Directory, Okta, or AWS IAM to enforce MFA policies for all user logins, especially for privileged roles.
  • Enable conditional access policies to enforce MFA for risky sign-ins (e.g., unfamiliar devices, geolocations).
  • Enable Conditional Access policies to only allow logins from trusted devices, such as those enrolled in Intune or joined via Hybrid/Entra.
Authentication Tools and Methods
  • Use authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy for time-based one-time passwords (TOTP).
  • Deploy hardware-based tokens like YubiKey, RSA SecurID, or smart cards for additional security.
  • Enforce biometric authentication for compatible devices and applications.
Secure Legacy Systems
  • Integrate MFA solutions with older systems using third-party tools like Duo Security or Thales SafeNet.
  • Enable RADIUS/NPS servers to facilitate MFA for VPNs, RDP, and other network logins.
Monitoring and Alerting
  • Use SIEM tools to monitor failed MFA attempts, login anomalies, or brute-force attempts against MFA systems.
  • Implement alerts for suspicious MFA activities, such as repeated failed codes or new device registrations.
Training and Policy Enforcement
  • Educate employees on the importance of MFA and secure authenticator usage.
  • Enforce policies that require MFA on all critical systems, especially for remote access, privileged accounts, and cloud applications.
M1037Filter Network Traffic

Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration.

Ingress Traffic Filtering
  • Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers.
  • Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.
Egress Traffic Filtering
  • Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications.
  • Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.
Protocol-Based Filtering
  • Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs.
  • Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.
Network Segmentation
  • Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized.
  • Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.
Application Layer Filtering
  • Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic.
  • Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.
M1041Encrypt Sensitive Information

Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering.

Encrypt Data at Rest
  • Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices.
  • Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.
Encrypt Data in Transit
  • Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks.
  • Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.
Encrypt Backups
  • Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access.
  • Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.
Encrypt Application Secrets
  • Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults.
  • Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.
Database Encryption
  • Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems.
  • Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.
M1047Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements.

The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures. Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.

System Audit
  • Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
  • Implementation: Use tools to scan for deviations from established benchmarks.
Permission Audits
  • Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
  • Implementation: Run access reviews to identify users or groups with excessive permissions.
Software Audits
  • Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
  • Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.
Configuration Audits
  • Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
  • Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.
Network Audits
  • Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
  • Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53AC-02, AC-03, AC-04, AC-05, AC-06, AC-07, AC-16, AC-17, AC-18, AC-19, AC-20, CA-07, CM-02, CM-05, CM-06, CM-07, CM-08, IA-02, IA-03, IA-04, IA-05, IA-06, IA-08, RA-05, SC-04, SC-07, SC-28, SI-04, SI-07, SI-10, SI-12, SI-15
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin