Create upload-file-to-onedrive.yml

mandiant · Jul 18, 2024 · 43ca7fd · 43ca7fd
1 parent e63c454
commit 43ca7fd
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/nursery/upload-file-to-onedrive.yml b/nursery/upload-file-to-onedrive.yml
@@ -0,0 +1,29 @@
+rule:
+  meta:
+    name: upload file to OneDrive
+    namespace: communication/c2/file-transfer
+    authors:
+      - jaredswilson@google.com
+      - ervinocampo@google.com
+    scopes:
+      static: file
+      dynamic: file
+    att&ck:
+      - Exfiltration::Exfiltration Over Web Service::Exfiltration to Cloud Storage [T1567.002]
+    references:
+      - https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust
+      - https://learn.microsoft.com/en-us/onedrive/developer/rest-api/concepts/upload?view=odsp-graph-online
+    examples:
+      - c40db0438a906eb0bec55093f1a0f2cc4cdc38104af0b4b4b3f18200a635c443
+  features:
+    - and:
+      - substring: "graph.microsoft.com"
+      - or:
+        - substring: "/createUploadSession"
+        - substring: "/content"
+        - or:
+          - substring: "/:children"
+          - substring: "/children"
+      - or:
+        - substring: "/drive/items/"
+        - substring: "/drive/root"