This note documents detection patterns related to Cloud Sync Abuse within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects sync client execution and abuse tooling. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for sync abuse chains. |
| Sysmon | 11 | File create | Critical | Sensitive files copied into sync folders. |
| Sysmon | 3 | Network connection | Critical | Sync client outbound transfer. |
| Sysmon | 22 | DNS query | High | Cloud provider resolution. |
| Security | 4663 | File access | High | Sensitive file read before sync. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Sensitive files copied into OneDrive/Dropbox | Credential stores / archives | Critical | Core exfil clue. |
| Sync client launched by shell/script | Non-user pattern | Critical | Strong anomaly. |
| Burst file creation in sync path | Mass staging | Critical | Exfil pattern. |
| Sync immediately after archive creation | Archive → cloud chain | Critical | High-confidence exfil sequence. |
| Unusual provider on enterprise host | Rare sync software | High | Valuable anomaly. |
| DNS + outbound spike | Cloud transfer timing | High | Confirms movement. |
Common Tools
| Tool | Usage |
|---|---|
| OneDrive | Native cloud sync |
| Dropbox | External sync |
| Google Drive | File exfil |
| rclone | Scripted cloud exfil |
Relevant Artifacts
- Security Event IDs 4688, 4663
- Sysmon Event IDs 1, 11, 3, 22
- Sync folders:
  - OneDrive
  - Dropbox
  - Google Drive
- Archive files
- DNS logs
- Prefetch for sync client
MITRE ATT&CK References
- T1567 Exfiltration to Cloud Storage
Decision Tree
- Which sync platform?
  - OneDrive
  - Dropbox
  - Drive
  - rclone
- Which files staged?
  - Documents
  - Archives
  - Credentials
- User-driven or scripted?
  - explorer
  - cmd
  - powershell
- Outbound transfer observed?
  - DNS
  - Network burst
- Expand:
  - Archive source
  - Credential theft
  - User scope
- Scope:
  - Single file
  - Bulk exfil
  - Campaign pattern
Example Detection Templates
KQL
```kql
Sysmon
| where EventID == 11
| where TargetFilename has_any ("OneDrive","Dropbox","Google Drive")
| project TimeGenerated, Computer, TargetFilename
```
```kql
Sysmon
| where EventID == 3
| where Image has_any ("OneDrive.exe","Dropbox.exe","rclone.exe")
| project TimeGenerated, Computer, Image, DestinationIp
```
EQL
```eql
file where file.path like "*OneDrive*" or file.path like "*Dropbox*"
```
```eql
sequence by host.name with maxspan=10m
  [ file where file.path like "*OneDrive*" ]
  [ network where process.name in ("OneDrive.exe","Dropbox.exe","rclone.exe") ]
```
Sigma
```yaml
title: Cloud Sync Abuse Detection
id: 9a4c2f11-cloud-sync-abuse
status: experimental
description: Detects suspicious file staging into cloud sync folders
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 11
  keywords:
    TargetFilename|contains:
      - 'OneDrive'
      - 'Dropbox'
      - 'Google Drive'
  condition: selection and keywords
fields:
  - TargetFilename
falsepositives:
  - Legitimate sync activity
level: high
tags:
  - attack.exfiltration
```
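The archive-to-cloud sequence the EQL and Sigma templates above look for (EID 11 file create in a sync folder, then EID 3 by a sync client within the window), implemented as an added Python example over constructed Sysmon-style events; this is not code from the original note. The event dictionary shape, the 10-minute default window and the TEST-NET-3 destination addresses are assumptions.

```python
# Correlate Sysmon EID 11 (file created in a sync folder) with a later
# EID 3 (sync client network connection) on the same host.
from datetime import datetime, timedelta

SYNC_PATHS = ("OneDrive", "Dropbox", "Google Drive")
SYNC_CLIENTS = ("onedrive.exe", "dropbox.exe", "rclone.exe")
ARCHIVE_EXT = (".zip", ".7z", ".rar")
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe")  # non-user launch pattern

# Constructed sample events (not real telemetry); dst uses TEST-NET-3.
SAMPLE_EVENTS = [
    {"ts": "2026-03-07T09:00:00", "host": "WS01", "eid": 11,
     "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\bob\OneDrive\stage\hr.zip"},
    {"ts": "2026-03-07T09:03:00", "host": "WS01", "eid": 3,
     "image": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "dst": "203.0.113.10"},
    {"ts": "2026-03-07T11:00:00", "host": "WS03", "eid": 11,
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\cat\Dropbox\report.docx"},
    {"ts": "2026-03-07T11:30:00", "host": "WS03", "eid": 3,
     "image": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
     "dst": "203.0.113.20"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_exfil_chains(events, maxspan_min=10):
    """One finding per staged file followed by a sync-client connection."""
    findings, by_host = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        stages = [e for e in evs if e["eid"] == 11
                  and any(p in e["target"] for p in SYNC_PATHS)]
        nets = [e for e in evs if e["eid"] == 3
                and basename(e["image"]) in SYNC_CLIENTS]
        for s in stages:
            t0 = datetime.fromisoformat(s["ts"])
            for n in nets:
                gap = datetime.fromisoformat(n["ts"]) - t0
                if timedelta(0) <= gap <= timedelta(minutes=maxspan_min):
                    findings.append({"host": host, "file": s["target"],
                        "archive": s["target"].lower().endswith(ARCHIVE_EXT),
                        "scripted": basename(s["image"]) in SCRIPT_HOSTS,
                        "client": basename(n["image"]), "dst": n["dst"]})
                    break
    return findings
```

With the default window only WS01 is reported (scripted launch, archive staged); widening the window to 60 minutes also surfaces the slower WS03 chain, which shows why the maxspan is a tuning knob rather than a constant.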
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Watch sync folders | Detect sensitive staging | Critical | Strong signal |
| Correlate archive + sync | High-confidence exfil | Critical | Powerful triage |
| Monitor sync clients | Rare scripted launches | High | Valuable anomaly |
| DNS visibility | Cloud provider timing | High | Strong enrichment |
| Restrict unsanctioned sync tools | Reduce abuse | High | Prevent exfil |