CreepyDrive URLs
| Id | b6d03b88-4d27-49a2-9c1c-29f1ad2842dc |
| Rulename | CreepyDrive URLs |
| Description | CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive. |
| Severity | High |
| Tactics | Exfiltration CommandAndControl |
| Techniques | T1567.002 T1102.002 |
| Required data connectors | CheckPoint Fortinet PaloAltoNetworks Zscaler |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveURLs.yaml |
| Version | 1.0.1 |
| Arm template | b6d03b88-4d27-49a2-9c1c-29f1ad2842dc.json |
let oneDriveCalls = dynamic(['graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content','graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content']);
let oneDriveCallsRegex = dynamic([@'graph\.microsoft\.com\/v1\.0\/me\/drive\/root\:\/Uploaded\/.*\:\/content',@'graph\.microsoft\.com\/v1\.0\/me\/drive\/root\:\/Downloaded\/.*\:\/content']);
CommonSecurityLog
| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
severity: High
triggerThreshold: 0
metadata:
source:
kind: Community
support:
tier: Community
categories:
domains:
- Security - Others
author:
name: Thomas McElroy
queryFrequency: 1d
requiredDataConnectors:
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: Fortinet
dataTypes:
- CommonSecurityLog
- connectorId: CheckPoint
dataTypes:
- CommonSecurityLog
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
id: b6d03b88-4d27-49a2-9c1c-29f1ad2842dc
version: 1.0.1
name: CreepyDrive URLs
kind: Scheduled
query: |
let oneDriveCalls = dynamic(['graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content','graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content']);
let oneDriveCallsRegex = dynamic([@'graph\.microsoft\.com\/v1\.0\/me\/drive\/root\:\/Uploaded\/.*\:\/content',@'graph\.microsoft\.com\/v1\.0\/me\/drive\/root\:\/Downloaded\/.*\:\/content']);
CommonSecurityLog
| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveURLs.yaml
queryPeriod: 1d
relevantTechniques:
- T1567.002
- T1102.002
triggerOperator: gt
tactics:
- Exfiltration
- CommandAndControl
tags:
- POLONIUM
description: |
'CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.'
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIP
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: SourceHostName
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "CreepyDrive URLs",
"description": "'CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.'\n",
"severity": "High",
"enabled": true,
"query": "let oneDriveCalls = dynamic(['graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content','graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content']);\nlet oneDriveCallsRegex = dynamic([@'graph\\.microsoft\\.com\\/v1\\.0\\/me\\/drive\\/root\\:\\/Uploaded\\/.*\\:\\/content',@'graph\\.microsoft\\.com\\/v1\\.0\\/me\\/drive\\/root\\:\\/Downloaded\\/.*\\:\\/content']);\nCommonSecurityLog\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Exfiltration",
"CommandAndControl"
],
"techniques": [
"T1567.002",
"T1102.002"
],
"alertRuleTemplateName": "b6d03b88-4d27-49a2-9c1c-29f1ad2842dc",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"columnName": "SourceHostName",
"identifier": "HostName"
}
],
"entityType": "Host"
}
],
"tags": [
"POLONIUM"
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveURLs.yaml",
"templateVersion": "1.0.1"
}
}
]
}