Techniques
Sample rules
M365 SharePoint/OneDrive File Access via PowerShell
- source: elastic
- techniques:
  - T1213
  - T1530
Description
Identifies file downloads or access from OneDrive or SharePoint using PowerShell-based user agents. Adversaries may use native PowerShell cmdlets like Invoke-WebRequest or Invoke-RestMethod with Microsoft Graph API to exfiltrate data after compromising OAuth tokens via device code phishing or other credential theft techniques. This rule detects both direct PowerShell access and PnP PowerShell module usage for file operations. FileAccessed events are included to detect adversaries reading file content via API and saving locally, bypassing traditional download methods. Normal users access SharePoint/OneDrive via browsers or sync clients, making PowerShell-based file access inherently suspicious.
Detection logic
event.dataset: "o365.audit" and
event.provider: ("SharePoint" or "OneDrive") and
event.action: ("FileDownloaded" or "FileAccessed") and
event.outcome: "success" and
user_agent.original: (*PowerShell* or *PnPPS* or *PnPCoreSDK* or *SharePointPnP*)
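As an added example (not Elastic's rule code), the query above re-implemented as a Python matcher and run over constructed o365.audit events; the user names and user-agent strings are made up, and wildcard matching is assumed to be case-sensitive as it would be on a keyword-mapped field:

```python
import fnmatch

# Rule clauses transcribed from the KQL above.
DATASET = "o365.audit"
PROVIDERS = {"SharePoint", "OneDrive"}
ACTIONS = {"FileDownloaded", "FileAccessed"}
OUTCOME = "success"
# KQL wildcard terms; fnmatchcase gives the same glob semantics,
# case-sensitive (assumed keyword-mapped field).
UA_PATTERNS = ("*PowerShell*", "*PnPPS*", "*PnPCoreSDK*", "*SharePointPnP*")


def matches_rule(event: dict) -> bool:
    """True when a flattened (dotted-key) event satisfies every clause."""
    return (
        event.get("event.dataset") == DATASET
        and event.get("event.provider") in PROVIDERS
        and event.get("event.action") in ACTIONS
        and event.get("event.outcome") == OUTCOME
        and any(fnmatch.fnmatchcase(event.get("user_agent.original", ""), p)
                for p in UA_PATTERNS)
    )


def find_alerts(events: list[dict]) -> list[dict]:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (names and UA strings are made up, not real telemetry).
SAMPLE_EVENTS = [
    {"event.dataset": "o365.audit", "event.provider": "SharePoint",
     "event.action": "FileDownloaded", "event.outcome": "success", "user.name": "alice",
     "user_agent.original": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"},  # browser: benign
    {"event.dataset": "o365.audit", "event.provider": "OneDrive",
     "event.action": "FileDownloaded", "event.outcome": "success", "user.name": "bob",
     "user_agent.original": "Mozilla/5.0 (Windows NT; en-US) WindowsPowerShell/5.1"},  # Invoke-WebRequest style
    {"event.dataset": "o365.audit", "event.provider": "SharePoint",
     "event.action": "FileAccessed", "event.outcome": "success", "user.name": "bob",
     "user_agent.original": "NONISV|SharePointPnP|PnPPS/2.4"},  # PnP PowerShell module
    {"event.dataset": "o365.audit", "event.provider": "SharePoint",
     "event.action": "FileDownloaded", "event.outcome": "failure", "user.name": "carol",
     "user_agent.original": "WindowsPowerShell/5.1"},  # failed: rule requires success
    {"event.dataset": "o365.audit", "event.provider": "Exchange",
     "event.action": "FileAccessed", "event.outcome": "success", "user.name": "dave",
     "user_agent.original": "WindowsPowerShell/5.1"},  # wrong provider: not in scope
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {hit['user.name']} {hit['event.action']} via {hit['user_agent.original']}")
```

Only the two events from "bob" fire; the browser download, the failed PowerShell attempt and the Exchange event are filtered out by the provider, action, outcome and user-agent clauses.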