Google Workspace administrator initiated a data transfer request
Goal
Detect when a Google Workspace administrator initiates a data transfer request.
Strategy
Monitor Google Workspace logs to detect when a Google Workspace administrator initiates a request to transfer the ownership of a user’s data to a destination user within the same organization. This request is typically made when a user has left an organization and their data is transferred to another user. However, the service could be leveraged by an attacker to transfer data to an attacker-controlled account for exfiltration.
Triage and response
- Determine if there is a legitimate reason for the data transfer request.
- If there is not a legitimate reason, investigate activity from around the Google Workspace administrator ({{@usr.email}}) and IP address that initiated the request ({{@network.client.ip}}).
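The strategy and triage steps above, sketched as an added example that is not part of the original rule: it scans constructed records in the Admin SDK Reports API activity shape and returns the fields a responder needs. The event name `CREATE_DATA_TRANSFER_REQUEST`, the parameter names `USER_EMAIL` and `DESTINATION_USER_EMAIL`, and the `expected_admins` allowlist are assumptions not stated on this page.

```python
import json

# Assumption: event and parameter names follow the Google Workspace Admin
# audit log; they are not stated on this page.
TRANSFER_EVENT = "CREATE_DATA_TRANSFER_REQUEST"

# Constructed sample records in the Admin SDK Reports API "activity" shape.
SAMPLE_ACTIVITIES = json.loads("""
[
 {"id": {"time": "2024-01-10T09:15:00Z"}, "actor": {"email": "admin@example.com"},
  "ipAddress": "203.0.113.7",
  "events": [{"name": "CREATE_DATA_TRANSFER_REQUEST", "parameters": [
     {"name": "USER_EMAIL", "value": "leaver@example.com"},
     {"name": "DESTINATION_USER_EMAIL", "value": "manager@example.com"}]}]},
 {"id": {"time": "2024-01-10T09:20:00Z"}, "actor": {"email": "admin@example.com"},
  "ipAddress": "203.0.113.7",
  "events": [{"name": "CHANGE_PASSWORD", "parameters": [
     {"name": "USER_EMAIL", "value": "someone@example.com"}]}]},
 {"id": {"time": "2024-01-11T02:03:00Z"}, "actor": {"email": "helpdesk@example.com"},
  "ipAddress": "198.51.100.23",
  "events": [{"name": "CREATE_DATA_TRANSFER_REQUEST", "parameters": [
     {"name": "USER_EMAIL", "value": "cfo@example.com"},
     {"name": "DESTINATION_USER_EMAIL", "value": "temp-contractor@example.com"}]}]}
]
""")

def find_transfer_requests(activities, expected_admins=frozenset()):
    """Return one triage record per data transfer request event."""
    findings = []
    for activity in activities:
        for event in activity.get("events", []):
            if event.get("name") != TRANSFER_EVENT:
                continue
            params = {p.get("name"): p.get("value") for p in event.get("parameters", [])}
            admin = activity.get("actor", {}).get("email")
            findings.append({
                "time": activity.get("id", {}).get("time"),
                "admin": admin,                         # initiating administrator
                "client_ip": activity.get("ipAddress"),  # IP that made the request
                "source_user": params.get("USER_EMAIL"),
                "destination_user": params.get("DESTINATION_USER_EMAIL"),
                # Hypothetical triage hint: admins who normally handle offboarding.
                "admin_expected": admin in expected_admins,
            })
    return findings

if __name__ == "__main__":
    for finding in find_transfer_requests(SAMPLE_ACTIVITIES, {"admin@example.com"}):
        print(finding)
```

Records with `admin_expected` set to false are the ones to review first against the first triage step.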