Adversaries using CreepyDrive rely on OneDrive URLs (Microsoft Graph API calls) for command and control, so these URLs in proxy and firewall logs are a potential C2 indicator. SOC teams should proactively hunt for them in Azure Sentinel to identify and mitigate advanced persistent threats that use cloud storage for C2.
KQL Query

```kql
let oneDriveCalls = dynamic(['graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content','graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content']);
let oneDriveCallsRegex = dynamic([@'graph\.microsoft\.com\/v1\.0\/me\/drive\/root\:\/Uploaded\/.*\:\/content',@'graph\.microsoft\.com\/v1\.0\/me\/drive\/root\:\/Downloaded\/.*\:\/content']);
CommonSecurityLog
| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
```
Analytic rule definition

```yaml
id: b6d03b88-4d27-49a2-9c1c-29f1ad2842dc
name: CreepyDrive URLs
description: |
  'CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.'
severity: High
requiredDataConnectors:
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog
  - connectorId: Fortinet
    dataTypes:
      - CommonSecurityLog
  - connectorId: CheckPoint
    dataTypes:
      - CommonSecurityLog
  - connectorId: PaloAltoNetworks
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
  - CommandAndControl
relevantTechniques:
  - T1567.002
  - T1102.002
tags:
  - POLONIUM
query: |
  let oneDriveCalls = dynamic(['graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content','graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content']);
  let oneDriveCallsRegex = dynamic([@'graph\.microsoft\.com\/v1\.0\/me\/drive\/root\:\/Uploaded\/.*\:\/content',@'graph\.microsoft\.com\/v1\.0\/me\/drive\/root\:\/Downloaded\/.*\:\/content']);
  CommonSecurityLog
  | where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])
  | project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SourceHostName
version: 1.0.1
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Thomas McElroy
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
Known false-positive scenarios and suggested tuning

- **Scenario:** Legitimate OneDrive file sync via admin task
  - Description: An administrator uses OneDrive to sync files across the organization as part of a standard file-sharing policy.
  - Filter/Exclusion: Exclude URLs containing `/personal/` or `/shared/` in the path, or filter by user accounts with admin privileges.
- **Scenario:** Scheduled job using OneDrive for backup
  - Description: A scheduled backup job is configured to use OneDrive to store backups of critical systems.
  - Filter/Exclusion: Exclude URLs that include `/backup/` or `/restore/` in the path, or filter by jobs with known backup-related names.
- **Scenario:** User accessing OneDrive for personal file storage
  - Description: A user accesses OneDrive to store personal documents or files, which is allowed under company policy.
  - Filter/Exclusion: Exclude URLs that include `/personal/` or user-specific identifiers such as the user's email address.
- **Scenario:** Integration with Microsoft Teams using OneDrive
  - Description: A Teams integration is configured to store meeting recordings or shared files in OneDrive.
  - Filter/Exclusion: Exclude URLs that include `/teams/` or `/meetings/` in the path, or filter by known Teams integration services.
- **Scenario:** OneDrive used for an internal knowledge base
  - Description: The company uses OneDrive to host an internal knowledge base or shared documentation accessible to all employees.
  - Filter/Exclusion: Exclude URLs that include `/sites/` or `/documents/` in the path, or filter by known internal knowledge base directories.
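To check how the rule's `where` clause and the tuning exclusions above behave before deploying them, the following Python script mirrors the KQL logic over a handful of constructed log rows. It is an added example, not part of the original rule or the Sentinel content: the literal fragments and regexes are the rule's own, but the sample rows, the `matches_creepydrive` and `hunt` functions, and the `EXCLUDED_PATH_FRAGMENTS` allowlist are assumptions made for illustration. `has_any` is approximated with a case-insensitive substring check, and `matches regex` with a case-sensitive `re.search`.

```python
import re

# Literal URL fragments from the rule (the KQL oneDriveCalls list).
ONEDRIVE_CALLS = [
    "graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content",
    "graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content",
]

# Regex patterns from the rule (the KQL oneDriveCallsRegex list), unchanged.
ONEDRIVE_CALLS_REGEX = [
    re.compile(r"graph\.microsoft\.com\/v1\.0\/me\/drive\/root\:\/Uploaded\/.*\:\/content"),
    re.compile(r"graph\.microsoft\.com\/v1\.0\/me\/drive\/root\:\/Downloaded\/.*\:\/content"),
]


def matches_creepydrive(request_url: str) -> bool:
    """Approximate the rule's `where` clause for a single RequestURL value.

    KQL `has_any` is case-insensitive, so both sides are lower-cased before the
    substring check. KQL `matches regex` is case-sensitive, so the regex branch
    runs against the original string.
    """
    url_lc = request_url.lower()
    if any(call.lower() in url_lc for call in ONEDRIVE_CALLS):
        return True
    return any(rx.search(request_url) for rx in ONEDRIVE_CALLS_REGEX)


# Constructed sample rows shaped like the projected CommonSecurityLog columns
# (these are illustrative values, not real telemetry).
SAMPLE_ROWS = [
    {"SourceIP": "10.0.0.5", "SourceHostName": "ws-01",
     "RequestURL": "https://graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content"},
    {"SourceIP": "10.0.0.6", "SourceHostName": "ws-02",
     "RequestURL": "https://graph.microsoft.com/v1.0/me/drive/root:/Uploaded/abc123.dat:/content"},
    {"SourceIP": "10.0.0.7", "SourceHostName": "ws-03",
     "RequestURL": "https://graph.microsoft.com/v1.0/me/drive/root:/Documents/report.docx:/content"},
    {"SourceIP": "10.0.0.8", "SourceHostName": "bkp-01",
     "RequestURL": "https://graph.microsoft.com/v1.0/me/drive/root:/Downloaded/backup/nightly.zip:/content"},
]

# Path fragments drawn from the false-positive scenarios (assumed allowlist).
# "/documents/" is deliberately left out: see the note below the block.
EXCLUDED_PATH_FRAGMENTS = ["/backup/", "/restore/", "/personal/", "/teams/", "/sites/"]


def hunt(rows, excluded_fragments=EXCLUDED_PATH_FRAGMENTS):
    """Return the rows that would trigger after path-based exclusions are applied."""
    hits = []
    for row in rows:
        url = row["RequestURL"]
        if not matches_creepydrive(url):
            continue
        # Tuning step: drop matches whose path carries a known-benign fragment.
        if any(frag in url.lower() for frag in excluded_fragments):
            continue
        hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_ROWS):
        print(hit["SourceHostName"], hit["SourceIP"], hit["RequestURL"])
```

Running it lists `ws-01` (literal IOC hit) and `ws-02` (regex hit on the `Uploaded` path); `ws-03` never matches, and `bkp-01` matches the `Downloaded` regex but is suppressed by the `/backup/` exclusion. One caveat on the last scenario's suggestion: both literal CreepyDrive URLs in the rule contain `/Documents/`, so excluding `/documents/` wholesale would blind the detection to those indicators. Prefer scoping that exclusion to the known knowledge-base directories rather than the bare fragment.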