M365 SharePoint/OneDrive File Access via PowerShell
Identifies file downloads or access from OneDrive or SharePoint using PowerShell-based user agents. Adversaries may use native PowerShell cmdlets like Invoke-WebRequest or Invoke-RestMethod with Microsoft Graph API to exfiltrate data after compromising OAuth tokens via device code phishing or other credential theft techniques. This rule detects both direct PowerShell access and PnP PowerShell module usage for file operations. FileAccessed events are included to detect adversaries reading file content via API and saving locally, bypassing traditional download methods. Normal users access SharePoint/OneDrive via browsers or sync clients, making PowerShell-based file access inherently suspicious.
Elastic rule
[metadata]
creation_date = "2026/02/24"
integration = ["o365"]
maturity = "production"
updated_date = "2026/02/24"

[rule]
author = ["Elastic"]
description = """
Identifies file downloads or access from OneDrive or SharePoint using PowerShell-based user agents. Adversaries may use
native PowerShell cmdlets like Invoke-WebRequest or Invoke-RestMethod with Microsoft Graph API to exfiltrate data after
compromising OAuth tokens via device code phishing or other credential theft techniques. This rule detects both direct
PowerShell access and PnP PowerShell module usage for file operations. FileAccessed events are included to detect
adversaries reading file content via API and saving locally, bypassing traditional download methods. Normal users access
SharePoint/OneDrive via browsers or sync clients, making PowerShell-based file access inherently suspicious.
"""
false_positives = [
    "Legitimate automation scripts using PowerShell to interact with SharePoint or OneDrive for business purposes.",
    "IT administrators using PnP PowerShell for site management, migration, or backup operations.",
]
from = "now-9m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 SharePoint/OneDrive File Access via PowerShell"
note = """## Triage and Analysis

### Investigating M365 SharePoint/OneDrive File Access via PowerShell

This rule detects file downloads and access from OneDrive or SharePoint using PowerShell-based user agents. Threat actors commonly use device code phishing to obtain OAuth tokens, then use native PowerShell or PnP PowerShell modules to enumerate and exfiltrate files from SharePoint and OneDrive. FileAccessed events are included because adversaries may read file content via the Graph API `/content` endpoint and save locally, bypassing traditional download events.

#### Possible Investigation Steps

- Identify the user whose token was used and determine if they typically use PowerShell for file operations.
- Review the OAuth application/client ID used to authenticate. Look for public client IDs that may indicate device code phishing.
- Check the source IP address and compare with the user's typical access locations.
- Identify which SharePoint site or OneDrive was accessed.
- Correlate with Azure AD sign-in logs to determine if device code authentication was used.
- Look for rapid sequential file downloads from the same session, which may indicate bulk data exfiltration.
- Check for search activity from the same user/session that may indicate reconnaissance before download.

### False Positive Analysis

- IT administrators legitimately using PnP PowerShell for site management, migration, or backup operations.
- Automated scripts using PowerShell for legitimate data processing or synchronization tasks.
- Consider creating exceptions for known automation service accounts.

### Response and Remediation

- If unauthorized activity is confirmed, immediately revoke the OAuth token and terminate active sessions for the affected user.
- Reset the user's credentials and require reauthentication with MFA.
- Review all files accessed during the session to assess data exposure.
- Implement conditional access policies to restrict device code authentication flow.
- Consider blocking public client IDs that are not needed for business operations.
- Review and audit OAuth application permissions in your tenant.
"""
references = [
    "https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/",
    "https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft",
    "https://pnp.github.io/powershell/",
]
risk_score = 47
rule_id = "491651da-125b-11f1-af7d-f661ea17fbce"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Threat Detection",
    "Tactic: Collection",
    "Tactic: Exfiltration",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "o365.audit" and
  event.provider: ("SharePoint" or "OneDrive") and
  event.action: ("FileDownloaded" or "FileAccessed") and
  event.outcome: "success" and
  user_agent.original: (*PowerShell* or *PnPPS* or *PnPCoreSDK* or *SharePointPnP*)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"
[[rule.threat.technique.subtechnique]]
id = "T1213.002"
name = "Sharepoint"
reference = "https://attack.mitre.org/techniques/T1213/002/"


[[rule.threat]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
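The query above and the triage step about rapid sequential downloads can be exercised offline. The following Python is an added example written for this page, not Elastic's code or part of the rule: it applies the rule's five KQL clauses to flattened ECS-style event dicts, then groups hits by user and source IP as a stand-in for a session and flags bursts, with an allowlist for the automation service accounts the false-positive section says to except. The sample events, the PnP and PowerShell user-agent strings, the `user.name`/`source.ip` fields used as the session key, and case-sensitive wildcard matching are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constraints copied from the rule's KQL query.
DATASET = "o365.audit"
PROVIDERS = {"SharePoint", "OneDrive"}
ACTIONS = {"FileDownloaded", "FileAccessed"}
UA_PATTERNS = ("*PowerShell*", "*PnPPS*", "*PnPCoreSDK*", "*SharePointPnP*")


def matches_rule(event):
    """Apply the rule's five KQL clauses to one flattened ECS event dict.

    Wildcards are matched case-sensitively with fnmatchcase; how Kibana treats
    case for this keyword field is an assumption here, not taken from the rule.
    """
    if event.get("event.dataset") != DATASET:
        return False
    if event.get("event.provider") not in PROVIDERS:
        return False
    if event.get("event.action") not in ACTIONS:
        return False
    if event.get("event.outcome") != "success":
        return False
    ua = event.get("user_agent.original", "")
    return any(fnmatchcase(ua, pattern) for pattern in UA_PATTERNS)


def burst_alerts(events, window=timedelta(minutes=5), threshold=5, allowlist=frozenset()):
    """Triage step: flag (user, source IP) pairs with >= threshold rule hits inside `window`.

    `allowlist` holds known automation service accounts (the exception the
    false-positive section suggests); their hits are dropped before counting.
    The (user.name, source.ip) pair stands in for a session id (assumption).
    """
    per_session = defaultdict(list)
    for event in events:
        if not matches_rule(event) or event.get("user.name") in allowlist:
            continue
        key = (event.get("user.name"), event.get("source.ip"))
        per_session[key].append(datetime.fromisoformat(event["@timestamp"]))

    alerts = []
    for (user, ip), stamps in per_session.items():
        stamps.sort()
        start = 0
        for end, stamp in enumerate(stamps):
            # Slide the window start forward until stamps[start..end] all fit in `window`.
            while stamp - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "source_ip": ip, "hits": len(stamps)})
                break
    return alerts


def _event(ts, provider, action, outcome, user, ip, ua):
    """Build one constructed o365.audit event in flattened ECS form (sample data, not a real tenant)."""
    return {"@timestamp": ts, "event.dataset": DATASET, "event.provider": provider,
            "event.action": action, "event.outcome": outcome, "user.name": user,
            "source.ip": ip, "user_agent.original": ua}


# Constructed user-agent strings for the example; real values vary by version.
PS_UA = "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/7.4.1"
PNP_UA = "NONISV|SharePointPnP|PnPPS/2.4.0"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"

SAMPLE_EVENTS = [
    # Browser download by a normal user: user agent does not match.
    _event("2026-02-24T10:00:00+00:00", "SharePoint", "FileDownloaded", "success",
           "bob@example.com", "198.51.100.7", BROWSER_UA),
    # Failed PowerShell download: excluded by event.outcome.
    _event("2026-02-24T10:00:30+00:00", "OneDrive", "FileDownloaded", "failure",
           "alice@example.com", "203.0.113.10", PS_UA),
    # PowerShell against Exchange: excluded by event.provider.
    _event("2026-02-24T10:00:45+00:00", "Exchange", "FileAccessed", "success",
           "alice@example.com", "203.0.113.10", PS_UA),
    # Five PowerShell downloads from one user/IP over four minutes: rule hits and a burst.
    *[_event(f"2026-02-24T10:{1 + i:02d}:00+00:00", "OneDrive", "FileDownloaded", "success",
             "alice@example.com", "203.0.113.10", PS_UA) for i in range(5)],
    # Six PnP PowerShell reads by a backup service account in 25 seconds: hits, but a known automation.
    *[_event(f"2026-02-24T10:10:{i * 5:02d}+00:00", "SharePoint", "FileAccessed", "success",
             "svc-backup@example.com", "203.0.113.55", PNP_UA) for i in range(6)],
]


if __name__ == "__main__":
    print("rule hits:", sum(matches_rule(e) for e in SAMPLE_EVENTS))
    print("bursts, no exceptions:", burst_alerts(SAMPLE_EVENTS))
    print("bursts, service account excepted:",
          burst_alerts(SAMPLE_EVENTS, allowlist=frozenset({"svc-backup@example.com"})))
```

On the constructed input, eleven events satisfy the query (the browser, failed and Exchange events do not), both the user and the service account exceed the burst threshold, and adding the service account to the allowlist leaves only the user's burst, which is the shape of exception the false-positive section recommends.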
Related rules
- M365 OneDrive/SharePoint Excessive File Downloads
- M365 SharePoint Search for Sensitive Content
- M365 Exchange MFA Notification Email Deleted or Moved
- Deprecated - M365 Security Compliance Potential Ransomware Activity
- M365 Exchange Inbox Phishing Evasion Rule Created