Skip to content

S1023 CreepyDrive

CreepyDrive is a custom implant has been used by POLONIUM since at least early 2022 for C2 with and exfiltration to actor-controlled OneDrive accounts.1

POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.1

Item Value
ID S1023
Associated Names
Version 1.0
Created 07 July 2022
Last Modified 10 August 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols CreepyDrive can use HTTPS for C2 using the Microsoft Graph API.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell CreepyDrive can use Powershell for execution, including the cmdlets Invoke-WebRequest and Invoke-Expression.1
enterprise T1005 Data from Local System CreepyDrive can upload files to C2 from victim machines.1
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage CreepyDrive can use cloud services including OneDrive for data exfiltration.1
enterprise T1083 File and Directory Discovery CreepyDrive can specify the local file path to upload files from.1
enterprise T1105 Ingress Tool Transfer CreepyDrive can download files to the compromised host.1
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.001 Application Access Token CreepyDrive can use legitimate OAuth refresh tokens to authenticate with OneDrive.1
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication CreepyDrive can use OneDrive for C2.1

Groups That Use This Software

ID Name References