Adversaries using CreepyDrive leverage predictable OneDrive URLs for C2 communication, often in sequences that indicate coordinated command execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and disrupt ongoing malicious activity leveraging cloud storage for command and control.
KQL Query

```kql
let eventsThreshold = 20;
CommonSecurityLog
| where isnotempty(RequestURL)
| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName
| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has "login.microsoftonline.com/consumers/oauth2/v2.0/token"), graph=(RequestURL has "graph.microsoft.com/v1.0/me/drive/"), SourceIP, SourceHostName)
| summarize Events=count() by SourceIP, SourceHostName
| where Events >= eventsThreshold
```
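As an added illustration (not code from the rule, from Sentinel, or from the rule's author), the Python below emulates the query's logic over constructed log rows: per (SourceIP, SourceHostName) it pairs a token request with the drive call that follows it within the 5-second step window, then counts sequences per source against eventsThreshold. The pairing rule for sequence_detect (greedy, each graph row consumed once) is an assumption, and substring matching stands in for KQL's term-based `has`.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
LOGIN_PATH = "login.microsoftonline.com/consumers/oauth2/v2.0/token"
GRAPH_PATH = "graph.microsoft.com/v1.0/me/drive/"

def make_sample_rows():
    """Constructed rows shaped like the projected columns: (TimeGenerated, RequestURL, SourceIP, SourceHostName)."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    rows = []
    for i in range(25):  # host-a: a token request then a drive call 3s later, once a minute
        t = base + timedelta(minutes=i)
        rows.append((t, "https://" + LOGIN_PATH, "10.0.0.5", "host-a"))
        rows.append((t + timedelta(seconds=3), "https://" + GRAPH_PATH + "root/children", "10.0.0.5", "host-a"))
    # host-b: token request and drive call 30s apart, outside the 5s step window, so no sequence
    rows.append((base, "https://" + LOGIN_PATH, "10.0.0.9", "host-b"))
    rows.append((base + timedelta(seconds=30), "https://" + GRAPH_PATH + "root", "10.0.0.9", "host-b"))
    return rows

def detect_sequences(rows, step_window=5.0, max_span=8.0):
    """Approximates sequence_detect(TimeGenerated, 5s, 8s, login=..., graph=..., SourceIP, SourceHostName).
    Assumption: a login row and the next unconsumed graph row within the window form one sequence;
    with only two steps, the overall span bound only matters if it is smaller than the step window."""
    window = min(step_window, max_span)
    groups = defaultdict(list)
    for t, url, ip, host in rows:
        if LOGIN_PATH in url or GRAPH_PATH in url:
            groups[(ip, host)].append((t, "login" if LOGIN_PATH in url else "graph"))
    sequences = []
    for (ip, host), events in groups.items():
        events.sort()
        used = set()
        for i, (t_login, kind) in enumerate(events):
            if kind != "login":
                continue
            for j in range(i + 1, len(events)):
                t_graph, kind_j = events[j]
                if (t_graph - t_login).total_seconds() > window:
                    break  # events are time-ordered, so nothing later can qualify
                if kind_j == "graph" and j not in used:
                    used.add(j)
                    sequences.append((t_login, t_graph, ip, host))
                    break
    return sequences

def sources_over_threshold(rows, events_threshold=20):
    """summarize Events=count() by SourceIP, SourceHostName | where Events >= eventsThreshold"""
    counts = Counter((ip, host) for _, _, ip, host in detect_sequences(rows))
    return {src: n for src, n in counts.items() if n >= events_threshold}
```

Note that the query's `>=` fires at exactly 20 sequences, while the rule description says "over 20"; keep the threshold and the description in step when tuning.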
```yaml
id: eda260eb-f4a1-4379-ad98-452604da9b3e
name: CreepyDrive request URL sequence
description: |
  'CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predictable paths.
  This detection will alert when over 20 sequences are observed in a single day.'
severity: High
requiredDataConnectors:
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog
  - connectorId: Fortinet
    dataTypes:
      - CommonSecurityLog
  - connectorId: CheckPoint
    dataTypes:
      - CommonSecurityLog
  - connectorId: PaloAltoNetworks
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
  - CommandAndControl
relevantTechniques:
  - T1567.002
  - T1102.002
tags:
  - POLONIUM
query: |
  let eventsThreshold = 20;
  CommonSecurityLog
  | where isnotempty(RequestURL)
  | project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName
  | evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has "login.microsoftonline.com/consumers/oauth2/v2.0/token"), graph=(RequestURL has "graph.microsoft.com/v1.0/me/drive/"), SourceIP, SourceHostName)
  | summarize Events=count() by SourceIP, SourceHostName
  | where Events >= eventsThreshold
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SourceHostName
version: 1.0.1
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Thomas McElroy
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
Scenario: Regular OneDrive Sync Job Execution
Description: A legitimate scheduled job (e.g., Microsoft OneDrive Sync) is running daily, generating predictable request sequences to OneDrive endpoints.
Filter/Exclusion: process.name: "OneDrive.exe" OR file.name: "onedrive.exe"

Scenario: Admin Task - OneDrive Backup via PowerShell
Description: An administrator is using PowerShell to perform a OneDrive backup task, which results in multiple sequential requests to predictable OneDrive paths.
Filter/Exclusion: process.name: "powershell.exe" AND (process.args: "backup" OR process.args: "sync")

Scenario: User-Initiated File Sync via OneDrive
Description: A user is manually syncing files between their local machine and OneDrive, leading to a sequence of predictable API calls.
Filter/Exclusion: user.name: "user123" AND (file.name: "*.docx" OR file.name: "*.xlsx")

Scenario: Integration with Microsoft 365 Services
Description: A legitimate integration (e.g., Microsoft Power Automate or Microsoft Teams) is making repeated requests to OneDrive endpoints as part of workflow automation.
Filter/Exclusion: process.name: "PowerShell.exe" OR process.name: "Teams.exe" OR process.name: "PowerAutomate.exe"

Scenario: Development Environment Testing
Description: A developer is testing an application that interacts with OneDrive APIs, resulting in a sequence of predictable requests during testing.
Filter/Exclusion: user.name: "dev_user" OR (process.name: "VisualStudio.exe" OR process.name: "Postman.exe")