Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their own drive. It is also uncommon for the copied object to execute a container-bound script unless the user was aware of it and intended it, which suggests the object uses container-bound scripts to accomplish a legitimate task.

Techniques

Sample rules

Google Workspace Object Copied from External Drive and Access Granted to Custom Application

Description

Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where “copy” is included in the URI, thus copying the object to the victim’s drive. If a container-bound script exists within the object, executing it requires permissions granted via OAuth, which the user has to accept.

Detection logic

sequence by source.user.email with maxspan=3m
[file where event.dataset == "google_workspace.drive" and event.action == "copy" and

    /* Should only match if the object lives in a Drive that is external to the user's GWS organization */
    google_workspace.drive.owner_is_team_drive == "false" and google_workspace.drive.copy_type == "external" and

    /* Google Script, Forms, Sheets and Document can have container-bound scripts */
    google_workspace.drive.file.type: ("script", "form", "spreadsheet", "document")]

[any where event.dataset == "google_workspace.token" and event.action == "authorize" and

    /* Ensures application ID references custom app in Google Workspace and not GCP */
    google_workspace.token.client.id : "*apps.googleusercontent.com"]
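
The sequence above can be replayed offline against exported events to see which copy and authorize pairs it would flag. The following Python is an added example, not part of the original rule: it is a simplified model of the EQL sequence (one pending copy per user, the newest replacing an older one), and the sample events, e-mail addresses, client IDs and the "internal" copy_type value are constructed.

```python
from datetime import datetime, timedelta

GW = "google_workspace."
MAXSPAN = timedelta(minutes=3)  # maxspan=3m in the rule
SCRIPTABLE = {"script", "form", "spreadsheet", "document"}

def copy_event(ts, user, copy_type, file_type):  # builds a constructed Drive event
    return {"@timestamp": ts, "source.user.email": user, "event.dataset": GW + "drive",
            "event.action": "copy", GW + "drive.owner_is_team_drive": "false",
            GW + "drive.copy_type": copy_type, GW + "drive.file.type": file_type}

def token_event(ts, user, client_id):  # builds a constructed token event
    return {"@timestamp": ts, "source.user.email": user, "event.dataset": GW + "token",
            "event.action": "authorize", GW + "token.client.id": client_id}

def is_external_copy(e):  # first stage of the sequence
    return (e.get("event.dataset") == GW + "drive" and e.get("event.action") == "copy"
            and e.get(GW + "drive.owner_is_team_drive") == "false"
            and e.get(GW + "drive.copy_type") == "external"
            and e.get(GW + "drive.file.type", "").lower() in SCRIPTABLE)

def is_custom_app_grant(e):  # second stage of the sequence
    client_id = e.get(GW + "token.client.id", "").lower()
    return (e.get("event.dataset") == GW + "token" and e.get("event.action") == "authorize"
            and client_id.endswith("apps.googleusercontent.com"))

def find_sequences(events):  # returns (user, copy_time, grant_time) per completed sequence
    pending, hits = {}, []
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        user, ts = e["source.user.email"], datetime.fromisoformat(e["@timestamp"])
        if is_external_copy(e):
            pending[user] = ts  # newest copy replaces an older pending one
        elif is_custom_app_grant(e) and user in pending:
            if ts - pending[user] <= MAXSPAN:
                hits.append((user, pending[user].isoformat(), e["@timestamp"]))
            del pending[user]
    return hits

CLIENT = "000000000000-placeholder.apps.googleusercontent.com"  # placeholder client ID
SAMPLE = [  # constructed events: alice matches, bob is too slow, carol's copy is not external
    copy_event("2024-05-01T10:00:00", "alice@example.com", "external", "spreadsheet"),
    token_event("2024-05-01T10:01:30", "alice@example.com", CLIENT),
    copy_event("2024-05-01T10:05:00", "bob@example.com", "external", "document"),
    token_event("2024-05-01T10:09:00", "bob@example.com", CLIENT),
    copy_event("2024-05-01T10:10:00", "carol@example.com", "internal", "spreadsheet"),
    token_event("2024-05-01T10:10:30", "carol@example.com", CLIENT),
]
print(find_sequences(SAMPLE))
```

A hit on its own does not separate the phishing case from the legitimate one described at the top of the page; triage still has to establish who owns the copied object and what scopes the application was granted.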