305. BRONZE BUTLER Abuses Cloud Storage Services for Exfiltration
Hello everyone!

Today we'll look at another example of Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002). According to the report, BRONZE BUTLER accessed multiple cloud storage services via the web browser during remote desktop sessions in order to exfiltrate collected information.

If such services are not commonly used in your environment, they make a good target for hunting:

    event_type: "dnsreqwin" AND dns_rname: ("file.io" OR "ppng.io" OR "limewire.com")

See you tomorrow!
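
The hunting query above can also be run offline over exported DNS request events. The sketch below is an added example, not part of the original post: it goes beyond the exact-match query by also catching subdomains, mixed case and trailing dots, and it groups hits by host. The `host` field, the `processcreate` event type and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Domains taken from the hunting query above.
WATCHED_DOMAINS = ("file.io", "ppng.io", "limewire.com")


def watched_domain(rname):
    """Return the watched domain that rname equals or is a subdomain of, else None."""
    # Normalize: DNS names are case-insensitive and may carry a trailing root dot.
    name = rname.strip().rstrip(".").lower()
    for domain in WATCHED_DOMAINS:
        # Require a label boundary so "profile.io" does not match "file.io".
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def hunt(events):
    """Group matching DNS request events by host: {host: {domain: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("event_type") != "dnsreqwin":
            continue  # same event-type filter as the query
        domain = watched_domain(ev.get("dns_rname", ""))
        if domain:
            # "host" is an assumed field name for the endpoint that made the request.
            hits[ev.get("host", "unknown")][domain] += 1
    return {host: dict(counts) for host, counts in hits.items()}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "dnsreqwin", "host": "WS-014", "dns_rname": "file.io"},
    {"event_type": "dnsreqwin", "host": "WS-014", "dns_rname": "WWW.File.io."},
    {"event_type": "dnsreqwin", "host": "WS-014", "dns_rname": "ppng.io"},
    {"event_type": "dnsreqwin", "host": "WS-022", "dns_rname": "profile.io"},
    {"event_type": "dnsreqwin", "host": "WS-022", "dns_rname": "limewire.com.example.net"},
    {"event_type": "processcreate", "host": "WS-030", "dns_rname": "limewire.com"},
]

if __name__ == "__main__":
    for host, counts in hunt(SAMPLE_EVENTS).items():
        print(host, counts)
```

A host that resolves more than one of these services in a short window, as WS-014 does in the sample, is a stronger lead than a single lookup.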