CreepyDrive request URL sequence

Back


Id	eda260eb-f4a1-4379-ad98-452604da9b3e
Rulename	CreepyDrive request URL sequence
Description	CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths. This detecton will alert when over 20 sequences are observed in a single day.
Severity	High
Tactics	Exfiltration CommandAndControl
Techniques	T1567.002 T1102.002
Required data connectors	CheckPoint Fortinet PaloAltoNetworks Zscaler
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml
Version	1.0.1
Arm template	eda260eb-f4a1-4379-ad98-452604da9b3e.json

KQL

let eventsThreshold = 20;
CommonSecurityLog
| where isnotempty(RequestURL)
| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName
| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has "login.microsoftonline.com/consumers/oauth2/v2.0/token"), graph=(RequestURL has "graph.microsoft.com/v1.0/me/drive/"), SourceIP, SourceHostName)
| summarize Events=count() by SourceIP, SourceHostName
| where Events >= eventsThreshold

YAML

severity: High
relevantTechniques:
- T1567.002
- T1102.002
queryFrequency: 1d
kind: Scheduled
version: 1.0.1
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
  author:
    name: Thomas McElroy
  source:
    kind: Community
name: CreepyDrive request URL sequence
triggerOperator: gt
description: |
  'CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.
  This detecton will alert when over 20 sequences are observed in a single day.'  
queryPeriod: 1d
query: |
  let eventsThreshold = 20;
  CommonSecurityLog
  | where isnotempty(RequestURL)
  | project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName
  | evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has "login.microsoftonline.com/consumers/oauth2/v2.0/token"), graph=(RequestURL has "graph.microsoft.com/v1.0/me/drive/"), SourceIP, SourceHostName)
  | summarize Events=count() by SourceIP, SourceHostName
  | where Events >= eventsThreshold  
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
tactics:
- Exfiltration
- CommandAndControl
tags:
- POLONIUM
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml
id: eda260eb-f4a1-4379-ad98-452604da9b3e
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - CommonSecurityLog
  connectorId: Fortinet
- dataTypes:
  - CommonSecurityLog
  connectorId: CheckPoint
- dataTypes:
  - CommonSecurityLog
  connectorId: PaloAltoNetworks

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eda260eb-f4a1-4379-ad98-452604da9b3e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eda260eb-f4a1-4379-ad98-452604da9b3e')]",
      "properties": {
        "alertRuleTemplateName": "eda260eb-f4a1-4379-ad98-452604da9b3e",
        "customDetails": null,
        "description": "'CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\nThis detecton will alert when over 20 sequences are observed in a single day.'\n",
        "displayName": "CreepyDrive request URL sequence",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml",
        "query": "let eventsThreshold = 20;\nCommonSecurityLog\n| where isnotempty(RequestURL)\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \"login.microsoftonline.com/consumers/oauth2/v2.0/token\"), graph=(RequestURL has \"graph.microsoft.com/v1.0/me/drive/\"), SourceIP, SourceHostName)\n| summarize Events=count() by SourceIP, SourceHostName\n| where Events >= eventsThreshold\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "tags": [
          "POLONIUM"
        ],
        "techniques": [
          "T1102",
          "T1567"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}