A malicious actor can obfuscate the origin of communication by creating a generic Gsuite account to send emails or share documents. This is why many times significant numbers of file shares, especially containing phishing related terms, may indicate malicious intent. This search investigates when someone shares a Google Drive, who shared it, and what was shared in the Google Drive within the company’s domain.
This type of attack vector requires a logging infrastructure in place configured to ingest Gsuite logs, specifically configured to look at different elements including visibility, owner, and target user parameters. You can view the range of parameters used in these searches here.
This search might have to be adjusted per specific environments and specific findings behind a detection, hunt policy which can be customized per timeframe, subdomains, or organizational units.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="gsuite:drive:json" "parameters.target_user"="[username]" name=change_user_access parameters.target_user | spath "parameters_owner" | search "parameters_owner"="*" | stats count dc(parameters.target_user) as distinct_target BY src_ip parameters.owner parameters.target_user parameters.doc_type parameters.doc_title | where distinct_target > 50
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|sourcetype="gsuite:drive:json" parameters.target_user=[username] name=change_user_access||Using the gsuite drive sourcetype, filter for the username you are investigating. Filter further for the events that have change_user_access set to the name field in the event.|
|| spath "parameters_owner"||Extract the parameters_owner filed from the JSON data.|
|| search "parameters_owner"="*"||Search for instances of parameters_owner that are set to anything.|
| stats count dc(parameters.target_user) as distinct_target BY src_ip parameters.owner parameters.target_user parameters.doc_type parameters.doc_title | where distinct_target > 50
Returns the count of events and distinct count of target users grouped by src_ip and the listed fields on the parameters multi value field, when the distinct targeted number of users is 50.
The behavior of malicious actors is to share files in significant numbers. The distinct number of targeted users, set here to 50, will need to be adjusted to adapt to what is anomalous for your organization, greater than what is normal for your legitimate users.
This search may help investigate compromise of accounts by looking at, for example, source ip addresses, document titles and abnormal number of shares and shared target users.
Explore your results by looking at parameters.target_user (users that were shared the document), the type of document (parameters.doc_type), or the title of the document (parameters.doc_title).
If your search returns potentially suspicious results, continue to troubleshoot other methods for detecting Gsuite phishing attacks.