T1567.002: T1567.002

Search IOCs, vulnerabilities, APT…

216.73.216.36

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 09/03/2020 16:04 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1567.002
Confidence: 100/100
Revoked: No
Published: 09/03/2020 16:04
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Exfiltration to Cloud Storage

Platforms

windows macos linux ESXi

Description

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet. Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

Kill chain phases

Kill chain	Phase
mitre-attack	exfiltration

Marking (TLP)

External references

mitre-attack (T1567.002)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (55)

Threat Group-3390 uses Earth SmilodonTG-3390

The MITRE Corporation Confidence 100

[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010…

First seen 01/01/1970 · Last seen 16/11/5138 ·
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Magic Hound uses COBALT ILLUSIONITG18

The MITRE Corporation Confidence 100

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chimera uses

The MITRE Corporation Confidence 100

[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ransomhouse uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
WageMole uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA2715 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Water Bakunawa uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Confucius uses Confucius APT

The MITRE Corporation Confidence 100

[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-0501 uses

The MITRE Corporation Confidence 100

[Storm-0501](https://attack.mitre.org/groups/G1053) is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. [Storm-0501](https://attack.mitre.org/groups/G1053) has been active since 2021 and has previously been…

First seen 01/01/1970 · Last seen 16/11/5138 ·
NoisyBear uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS

The MITRE Corporation Confidence 100

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 55

ODAgent uses

Family The MITRE Corporation Confidence 100

[ODAgent](https://attack.mitre.org/software/S1170) is a C#/.NET downloader that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2022 including against target organizations in Israel to download and execute payloads and to…

First seen 01/01/1970 · Last seen 16/11/5138 ·
COBEACON uses

Family
Atomic macOS Stealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
StageComp uses

Family
XMRig uses

Family
SectopRAT uses

Family
Sliver uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SSLORDoor uses

Family
Crutch uses
MioLab uses

Family
Filemanager uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Phoenix uses

Family

← Previous

Page / 6

1–12 of 69

KimJongRAT Continues to Evolve by Leveraging LOTS related

AlienVault Confidence 100 20 MITREs 2 Malwares 11 IOCs 7 Observables 1 APT
"Ghost" Code Phishing Analysis related

AlienVault Confidence 100 20 MITREs 1 Malware
Customer CRM Data Accessed in Supply Chain Incident related

AlienVault Confidence 100 20 MITREs 3 IOCs 3 Observables
Threat Actors Weaponizing RAR Archives to Target Thailand's … related

AlienVault Confidence 100 21 MITREs 1 Malware 7 IOCs
Operation Endgame vs. SocGholish Fake Updates related

AlienVault Confidence 100 18 MITREs 17 Malwares 12 IOCs 12 Observables 1 APT
Klue Integration Abused in Salesforce Data Theft | … related

AlienVault Confidence 100 15 MITREs 2 IOCs 2 Observables
Akira, LimeWire, and the Sour Taste of Data … related

AlienVault Confidence 100 1 CVE 18 MITREs 1 Malware 1 IOC 1 Observable 1 APT
Matryoshka #3/3: Gamaredon's Gammasteel Infostealer related

18 MITREs 5 Malwares 2 Observables 1 APT
Espionage Campaign Targeted Stock Exchange Executive for Five … related

20 MITREs 4 Malwares 20 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Mini Shai Hulud: Compromised @antv npm packages enable … related

AlienVault Confidence 100 20 MITREs 5 IOCs 5 Observables
macOS Stealer Spoofs Apple, Google, and Microsoft in … related

AlienVault Confidence 100 19 MITREs 4 Malwares 8 IOCs 8 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (27)

CVE-2023-22518 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …

Attack vector: Network
Published: 07/11/2023
Modified: 21/12/2025

CVE-2026-31431 KEV targets

7.8 High

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …

Attack vector: LOCAL
Complexity: LOW
EPSS: 0.0001 (P0.6%)
Published: 22/04/2026
Modified: 23/05/2026

CWE-669 Awaiting Analysis

CVE-2021-26855 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2023-22515 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …

Attack vector: Network
Published: 05/10/2023
Modified: 21/12/2025

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2017-7921 KEV targets

9.8 Critical

Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain …

Attack vector: NETWORK
Complexity: LOW
EPSS: 0.9410 (P99.9%)
Published: 06/05/2017
Modified: 22/04/2026

CWE-287

CVE-2025-26399 KEV targets

9.8 Critical

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would …

Attack vector: Network
Published: 23/09/2025
Modified: 12/03/2026

Awaiting Analysis

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2023-22527 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.

Attack vector: Network
Published: 24/01/2024
Modified: 21/12/2025

CVE-2024-3577 targets

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2023-4966 KEV targets

9.4 Critical

Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway …

Attack vector: Network
Published: 18/10/2023
Modified: 21/12/2025

← Previous

Page / 3

13–24 of 27

T1567 subtechnique-of

Exfiltration Over Web Service MITRE

Campaign (2)

C0015 uses
APT41 DUST uses

Tool (1)

Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…

Contact About Legal notice Privacy policy Terms of use