T1567.002: T1567.002

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1567.002
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Exfiltration to Cloud Storage

Platforms

windows macos linux ESXi

Description

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet. Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

Kill chain phases

Kill chain	Phase
mitre-attack	exfiltration

Marking (TLP)

External references

mitre-attack (T1567.002)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (59)

Silent Lynx uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
akira uses GOLD SAHARAPUNK SPIDER

The MITRE Corporation Confidence 100

The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6692 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Lusca uses TAG-22Charcoal Typhoon

The MITRE Corporation Confidence 100

[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
HEXANE uses LyceumSiamesekitten

The MITRE Corporation Confidence 100

[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Osiris uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Estries uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GopherWhisper uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-1567 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TAOTH uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 59

ODAgent uses
COBEACON uses

Family
Atomic macOS Stealer uses

Family
StageComp uses

Family
XMRig uses

Family
SectopRAT uses

Family
Sliver uses

Family
SSLORDoor uses

Family
Crutch uses
MioLab uses

Family
Filemanager uses

Family
Phoenix uses

Family

← Previous

Page / 10

1–12 of 116

Customer CRM Data Accessed in Supply Chain Incident related

AlienVault Confidence 100 20 MITREs 3 IOCs 3 Observables
Threat Actors Weaponizing RAR Archives to Target Thailand's … related

AlienVault Confidence 100 21 MITREs 1 Malware 7 IOCs
Operation Endgame vs. SocGholish Fake Updates related

AlienVault Confidence 100 18 MITREs 17 Malwares 12 IOCs 12 Observables 1 APT
Klue Integration Abused in Salesforce Data Theft | … related

AlienVault Confidence 100 15 MITREs 2 IOCs 2 Observables
Akira, LimeWire, and the Sour Taste of Data … related

AlienVault Confidence 100 1 CVE 18 MITREs 1 Malware 1 IOC 1 Observable 1 APT
Matryoshka #3/3: Gamaredon's Gammasteel Infostealer related

18 MITREs 5 Malwares 2 Observables 1 APT
Espionage Campaign Targeted Stock Exchange Executive for Five … related

20 MITREs 4 Malwares 20 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Mini Shai Hulud: Compromised @antv npm packages enable … related

AlienVault Confidence 100 20 MITREs 5 IOCs 5 Observables
macOS Stealer Spoofs Apple, Google, and Microsoft in … related

AlienVault Confidence 100 19 MITREs 4 Malwares 8 IOCs 8 Observables
Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight … related

AlienVault Confidence 100 20 MITREs 5 Malwares 12 IOCs 12 Observables
Iran-Linked Hackers Breached Korean Electronics Maker in Global … related

AlienVault Confidence 100 24 MITREs 1 Malware 13 IOCs 13 Observables 1 APT

← Previous

Page / 5

1–12 of 49

Vulnerabilities (CVE) (27)

CVE-2021-34473 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 29/05/2026

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2026-41940 KEV targets

9.3 Critical

WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated …

Attack vector: NETWORK
Complexity: LOW
Published: 29/04/2026
Modified: 11/05/2026

CWE-306 Received

CVE-2025-30406 targets

Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, which enables threat …

Published: 03/04/2025
Modified: 03/04/2025

Received

CVE-2023-6895 targets

6.3 Medium

A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of …

Attack vector: ADJACENT_NETWORK
Published: 17/12/2023
Modified: 06/03/2026

CVE-2023-46604 KEV targets

10.0 Critical

Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …

Attack vector: Network
Published: 02/11/2023
Modified: 21/12/2025

CVE-2025-31151 targets

CVE-2017-0199 KEV targets

7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector: LOCAL
Complexity: LOW
Published: 12/04/2017
Modified: 22/04/2026

CVE-2024-4577 KEV targets

9.8 Critical

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …

Attack vector: Network
Published: 12/06/2024
Modified: 21/12/2025

Received

CVE-2024-21893 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …

Attack vector: Network
Published: 31/01/2024
Modified: 27/05/2026

CVE-2021-4034 KEV targets

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2023-22524 targets

← Previous

Page / 3

1–12 of 27

T1567 subtechnique-of

Exfiltration Over Web Service MITRE

Campaign (3)

C0015 uses
APT41 DUST uses
Operation Dream Job uses

Tool (2)

Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
Rclone uses

The MITRE Corporation Confidence 100

[Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a…

Contact About Legal notice Privacy policy Terms of use