CreepyDrive request URL sequence

Back


Id	eda260eb-f4a1-4379-ad98-452604da9b3e
Rulename	CreepyDrive request URL sequence
Description	CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths. This detecton will alert when over 20 sequences are observed in a single day.
Severity	High
Tactics	Exfiltration CommandAndControl
Techniques	T1567.002 T1102.002
Required data connectors	CheckPoint Fortinet PaloAltoNetworks Zscaler
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml
Version	1.0.1
Arm template	eda260eb-f4a1-4379-ad98-452604da9b3e.json

KQL

let eventsThreshold = 20;
CommonSecurityLog
| where isnotempty(RequestURL)
| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName
| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has "login.microsoftonline.com/consumers/oauth2/v2.0/token"), graph=(RequestURL has "graph.microsoft.com/v1.0/me/drive/"), SourceIP, SourceHostName)
| summarize Events=count() by SourceIP, SourceHostName
| where Events >= eventsThreshold

YAML

description: |
  'CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.
  This detecton will alert when over 20 sequences are observed in a single day.'  
queryPeriod: 1d
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml
id: eda260eb-f4a1-4379-ad98-452604da9b3e
kind: Scheduled
requiredDataConnectors:
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: Fortinet
  dataTypes:
  - CommonSecurityLog
- connectorId: CheckPoint
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
metadata:
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
  author:
    name: Thomas McElroy
tactics:
- Exfiltration
- CommandAndControl
severity: High
triggerOperator: gt
tags:
- POLONIUM
version: 1.0.1
query: |
  let eventsThreshold = 20;
  CommonSecurityLog
  | where isnotempty(RequestURL)
  | project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName
  | evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has "login.microsoftonline.com/consumers/oauth2/v2.0/token"), graph=(RequestURL has "graph.microsoft.com/v1.0/me/drive/"), SourceIP, SourceHostName)
  | summarize Events=count() by SourceIP, SourceHostName
  | where Events >= eventsThreshold  
name: CreepyDrive request URL sequence
queryFrequency: 1d
relevantTechniques:
- T1567.002
- T1102.002
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  entityType: Host

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eda260eb-f4a1-4379-ad98-452604da9b3e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eda260eb-f4a1-4379-ad98-452604da9b3e')]",
      "properties": {
        "alertRuleTemplateName": "eda260eb-f4a1-4379-ad98-452604da9b3e",
        "customDetails": null,
        "description": "'CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\nThis detecton will alert when over 20 sequences are observed in a single day.'\n",
        "displayName": "CreepyDrive request URL sequence",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml",
        "query": "let eventsThreshold = 20;\nCommonSecurityLog\n| where isnotempty(RequestURL)\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \"login.microsoftonline.com/consumers/oauth2/v2.0/token\"), graph=(RequestURL has \"graph.microsoft.com/v1.0/me/drive/\"), SourceIP, SourceHostName)\n| summarize Events=count() by SourceIP, SourceHostName\n| where Events >= eventsThreshold\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [
          "T1567.002",
          "T1102.002"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "tags": [
          "POLONIUM"
        ],
        "techniques": [
          "T1102",
          "T1567"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}