CreepyDrive request URL sequence
| Id | eda260eb-f4a1-4379-ad98-452604da9b3e |
| Rulename | CreepyDrive request URL sequence |
| Description | CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths. This detecton will alert when over 20 sequences are observed in a single day. |
| Severity | High |
| Tactics | Exfiltration CommandAndControl |
| Techniques | T1567.002 T1102.002 |
| Required data connectors | CheckPoint Fortinet PaloAltoNetworks Zscaler |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml |
| Version | 1.0.1 |
| Arm template | eda260eb-f4a1-4379-ad98-452604da9b3e.json |
let eventsThreshold = 20;
CommonSecurityLog
| where isnotempty(RequestURL)
| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName
| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has "login.microsoftonline.com/consumers/oauth2/v2.0/token"), graph=(RequestURL has "graph.microsoft.com/v1.0/me/drive/"), SourceIP, SourceHostName)
| summarize Events=count() by SourceIP, SourceHostName
| where Events >= eventsThreshold
queryPeriod: 1d
name: CreepyDrive request URL sequence
description: |
'CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.
This detecton will alert when over 20 sequences are observed in a single day.'
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: Zscaler
- dataTypes:
- CommonSecurityLog
connectorId: Fortinet
- dataTypes:
- CommonSecurityLog
connectorId: CheckPoint
- dataTypes:
- CommonSecurityLog
connectorId: PaloAltoNetworks
kind: Scheduled
id: eda260eb-f4a1-4379-ad98-452604da9b3e
version: 1.0.1
triggerOperator: gt
triggerThreshold: 0
query: |
let eventsThreshold = 20;
CommonSecurityLog
| where isnotempty(RequestURL)
| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName
| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has "login.microsoftonline.com/consumers/oauth2/v2.0/token"), graph=(RequestURL has "graph.microsoft.com/v1.0/me/drive/"), SourceIP, SourceHostName)
| summarize Events=count() by SourceIP, SourceHostName
| where Events >= eventsThreshold
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml
entityMappings:
- fieldMappings:
- identifier: Address
columnName: SourceIP
entityType: IP
- fieldMappings:
- identifier: HostName
columnName: SourceHostName
entityType: Host
metadata:
author:
name: Thomas McElroy
support:
tier: Community
categories:
domains:
- Security - Others
source:
kind: Community
tactics:
- Exfiltration
- CommandAndControl
relevantTechniques:
- T1567.002
- T1102.002
queryFrequency: 1d
severity: High
tags:
- POLONIUM
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eda260eb-f4a1-4379-ad98-452604da9b3e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eda260eb-f4a1-4379-ad98-452604da9b3e')]",
"properties": {
"alertRuleTemplateName": "eda260eb-f4a1-4379-ad98-452604da9b3e",
"customDetails": null,
"description": "'CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\nThis detecton will alert when over 20 sequences are observed in a single day.'\n",
"displayName": "CreepyDrive request URL sequence",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SourceHostName",
"identifier": "HostName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml",
"query": "let eventsThreshold = 20;\nCommonSecurityLog\n| where isnotempty(RequestURL)\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \"login.microsoftonline.com/consumers/oauth2/v2.0/token\"), graph=(RequestURL has \"graph.microsoft.com/v1.0/me/drive/\"), SourceIP, SourceHostName)\n| summarize Events=count() by SourceIP, SourceHostName\n| where Events >= eventsThreshold\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"subTechniques": [
"T1567.002",
"T1102.002"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"Exfiltration"
],
"tags": [
"POLONIUM"
],
"techniques": [
"T1102",
"T1567"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}