{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/onedrive/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OneDrive","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["data-exfiltration","onedrive","net.exe"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers may abuse the legitimate \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e utilities to mount OneDrive shares as network drives on compromised Windows systems. This technique allows them to leverage cloud-hosted WebDAV paths for staging, accessing, or exfiltrating sensitive data. By using OneDrive, attackers can potentially bypass traditional file share monitoring and data loss prevention (DLP) controls, blending malicious traffic with legitimate cloud service usage. This activity has been observed in environments where data exfiltration is a primary objective, as it provides a covert channel for moving data outside the organization. This is an anomaly that warrants investigation, since legitimate users may also perform this task.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows endpoint via phishing, exploitation of a vulnerability, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e with specific parameters to mount a OneDrive share as a network drive. The command includes the \u003ccode\u003euse\u003c/code\u003e parameter and a URL pointing to \u003ccode\u003ehttps://d.docs.live.net\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the OneDrive share, potentially using stolen credentials or tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker copies sensitive data to the mounted OneDrive share.\u003c/li\u003e\n\u003cli\u003eThe data is synchronized to the attacker\u0026rsquo;s OneDrive account, effectively exfiltrating it from the victim\u0026rsquo;s network.\u003c/li\u003e\n\u003cli\u003eThe attacker may unmount the drive using \u003ccode\u003enet use\u003c/code\u003e with the \u003ccode\u003e/delete\u003c/code\u003e option to remove traces of the activity.\u003c/li\u003e\n\u003cli\u003eThe attacker covers their tracks by deleting relevant event logs or modifying timestamps.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to exfiltrate sensitive data from the victim\u0026rsquo;s environment via a trusted cloud service, potentially leading to financial loss, reputational damage, and legal liabilities. The use of OneDrive can make detection more challenging, as the network traffic is often whitelisted and may not trigger traditional DLP alerts. The number of potential victims is broad, affecting any organization that uses OneDrive and has vulnerable or compromised Windows endpoints.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OneDrive Share Mounting via Net Utility\u003c/code\u003e to your SIEM to identify potential malicious use of \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e (log source: process_creation).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) with command line arguments to capture the full \u003ccode\u003enet.exe\u003c/code\u003e commands used for mounting shares.\u003c/li\u003e\n\u003cli\u003eMonitor the Windows Security event log (Event ID 4688) for process creation events involving \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e with parameters indicative of mounting a OneDrive share.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual traffic patterns to \u003ccode\u003ehttps://d.docs.live.net\u003c/code\u003e that may indicate data exfiltration to OneDrive.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rule \u003ccode\u003eDetect OneDrive Share Mounting via Net Utility\u003c/code\u003e based on observed false positives in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-onedrive-share-mount/","summary":"Adversaries may mount OneDrive shares as network drives using net.exe or net1.exe to stage, access, or exfiltrate data through cloud-hosted WebDAV paths, potentially bypassing traditional file share monitoring.","title":"OneDrive Share Mounted via Net Utility for Potential Data Exfiltration","url":"https://feed.craftedsignal.io/briefs/2024-01-03-onedrive-share-mount/"}],"language":"en","title":"CraftedSignal Threat Feed — Onedrive","version":"https://jsonfeed.org/version/1.1"}