Google Workspace Object Copied from External Drive and Access Granted to Custom Application

Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where "copy" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2023/03/07"
  3integration = ["google_workspace"]
  4maturity = "production"
  5updated_date = "2024/05/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has
 11been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An
 12adversary may send a phishing email to the victim with a Drive object link where "copy" is included in the URI, thus
 13copying the object to the victim's drive. If a container-bound script exists within the object, execution will require
 14permission access via OAuth in which the user has to accept.
 15"""
 16false_positives = [
 17    """
 18    Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate
 19    when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually
 20    copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful
 21    spreadsheet in a public drive, for example, and replicate it to their Drive. It is uncommon for the copied object to
 22    execute a container-bound script either unless the user was intentionally aware, suggesting the object uses
 23    container-bound scripts to accomplish a legitimate task.
 24    """,
 25]
 26from = "now-130m"
 27index = ["filebeat-*", "logs-google_workspace*"]
 28interval = "10m"
 29language = "eql"
 30license = "Elastic License v2"
 31name = "Google Workspace Object Copied from External Drive and Access Granted to Custom Application"
 32note = """## Triage and analysis
 33
 34### Investigating Google Workspace Resource Copied from External Drive and Access Granted to Custom Application
 35
 36Google Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.
 37
 38This rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.
 39
 40#### Possible investigation steps
 41- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.
 42- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.
 43- Identify the file type by reviewing `google_workspace.drive.file.type`.
 44- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.
 45- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.
 46    - Review the application ID as well from `google_workspace.token.client.id`.
 47    - This metadata can be used to report the malicious application to Google for permanent blacklisting.
 48- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.
 49    - This information will help pivot and triage into what services may have been affected.
 50- If a container-bound script was attached to the copied object, it will also exist in the user's drive.
 51    - This object should be removed from all users affected and investigated for a better understanding of the malicious code.
 52
 53### False positive analysis
 54- Communicate with the affected user to identify if these actions were intentional
 55- If a container-bound script exists, review code to identify if it is benign or malicious
 56
 57### Response and remediation
 58- Initiate the incident response process based on the outcome of the triage.
 59- Disable or limit the account during the investigation and response.
 60- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
 61    - Identify the account role in the cloud environment.
 62    - Assess the criticality of affected services and servers.
 63    - Work with your IT team to identify and minimize the impact on users.
 64    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
 65    - Identify any regulatory or legal ramifications related to this activity.
 66- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
 67    - Resetting passwords will revoke OAuth tokens which could have been stolen.
 68- Reactivate multi-factor authentication for the user.
 69- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
 70- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).
 71- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 72- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 73
 74## Setup
 75The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 76### Important Information Regarding Google Workspace Event Lag Times
 77- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
 78- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
 79- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
 80- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 81- See the following references for further information:
 82  - https://support.google.com/a/answer/7061566
 83  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 84references = [
 85    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
 86    "https://developers.google.com/apps-script/guides/bound",
 87    "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links",
 88]
 89risk_score = 47
 90rule_id = "f33e68a4-bd19-11ed-b02f-f661ea17fbcc"
 91severity = "medium"
 92tags = [
 93    "Domain: Cloud",
 94    "Data Source: Google Workspace",
 95    "Tactic: Initial Access",
 96    "Resources: Investigation Guide",
 97]
 98type = "eql"
 99
100query = '''
101sequence by source.user.email with maxspan=3m
102[file where event.dataset == "google_workspace.drive" and event.action == "copy" and
103
104    /* Should only match if the object lives in a Drive that is external to the user's GWS organization */
105    google_workspace.drive.owner_is_team_drive == "false" and google_workspace.drive.copy_type == "external" and
106
107    /* Google Script, Forms, Sheets and Document can have container-bound scripts */
108    google_workspace.drive.file.type: ("script", "form", "spreadsheet", "document")]
109
110[any where event.dataset == "google_workspace.token" and event.action == "authorize" and
111
112    /* Ensures application ID references custom app in Google Workspace and not GCP */
113    google_workspace.token.client.id : "*apps.googleusercontent.com"]
114'''
115
116
117[[rule.threat]]
118framework = "MITRE ATT&CK"
119[[rule.threat.technique]]
120id = "T1566"
121name = "Phishing"
122reference = "https://attack.mitre.org/techniques/T1566/"
123[[rule.threat.technique.subtechnique]]
124id = "T1566.002"
125name = "Spearphishing Link"
126reference = "https://attack.mitre.org/techniques/T1566/002/"
127
128
129
130[rule.threat.tactic]
131id = "TA0001"
132name = "Initial Access"
133reference = "https://attack.mitre.org/tactics/TA0001/"

Triage and analysis

Investigating Google Workspace Resource Copied from External Drive and Access Granted to Custom Application

Google Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like view or edit to indicate the recipient's permissions. The copy parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.

This rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.

Possible investigation steps

  • Identify user account(s) associated by reviewing user.name or source.user.email in the alert.
  • Identify the name of the file copied by reviewing file.name as well as the file.id for triaging.
  • Identify the file type by reviewing google_workspace.drive.file.type.
  • With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.
  • Within the OAuth token event, identify the application name by reviewing google_workspace.token.app_name.
    • Review the application ID as well from google_workspace.token.client.id.
    • This metadata can be used to report the malicious application to Google for permanent blacklisting.
  • Identify the permissions granted to the application by the user by reviewing google_workspace.token.scope.data.scope_name.
    • This information will help pivot and triage into what services may have been affected.
  • If a container-bound script was attached to the copied object, it will also exist in the user's drive.
    • This object should be removed from all users affected and investigated for a better understanding of the malicious code.

False positive analysis

  • Communicate with the affected user to identify if these actions were intentional
  • If a container-bound script exists, review code to identify if it is benign or malicious

Response and remediation

  • Initiate the incident response process based on the outcome of the triage.
  • Disable or limit the account during the investigation and response.
  • Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
    • Identify the account role in the cloud environment.
    • Assess the criticality of affected services and servers.
    • Work with your IT team to identify and minimize the impact on users.
    • Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
    • Identify any regulatory or legal ramifications related to this activity.
  • Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
    • Resetting passwords will revoke OAuth tokens which could have been stolen.
  • Reactivate multi-factor authentication for the user.
  • Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
  • Implement security defaults provided by Google.
  • Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
  • Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).

Setup

The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Important Information Regarding Google Workspace Event Lag Times

  • As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
  • This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
  • To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
  • By default, var.interval is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
  • See the following references for further information:

References

Related rules

to-top