Engage Goals: EGO0001 Expose
Engage Approach: EAP0002 Detect
Engage Actions: EAC0015 Information Manipulation, EAC0018 Security Controls
Name of Element: Fake Google Workspace Shared Drive with “Confidential” Documents
Description of Element:
Create a decoy Google Workspace Shared Drive containing fabricated documents with names suggesting sensitive information (e.g., “Financial Projections,” “Customer Database”). Monitor access and download activity to identify attackers attempting to exfiltrate data.
Technical Context:
Placement: Within the organization’s Google Workspace, alongside legitimate shared drives.
Requires familiarity with Google Workspace Shared Drives and access control settings.
Create a Shared Drive using the Google Drive API or the web interface. Populate the drive with decoy documents containing fabricated data. Configure sharing settings to make the drive discoverable or share it with specific target groups. Utilize Drive audit logs to monitor file access, download, and sharing activities.
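The monitoring step above can be implemented as a filter over exported Drive audit activities. The following is an added example, not part of the original element. It assumes records shaped like the Admin SDK Reports API "drive" activity format (fields `actor.email`, `ipAddress`, `events[].name`, and the `shared_drive_id` and `doc_title` parameters); the drive ID, maintainer account and sample events are constructed placeholders.

```python
# Added example: triage Drive audit activities for touches on a decoy Shared Drive.
# Field and event names are assumed to follow the Reports API "drive" activity format.
DECOY_DRIVE_ID = "0AEXAMPLE-DECOY-DRIVE"       # placeholder, not a real drive ID
MAINTAINERS = {"deception-admin@example.com"}  # accounts that seed and update the decoys
HIGH_SEVERITY = {"download", "copy", "print", "change_user_access"}

def _params(event):
    """Flatten an event's parameters list into a name -> value dict."""
    return {p.get("name"): p.get("value") for p in event.get("parameters", [])}

def decoy_alerts(activities, decoy_drive_id=DECOY_DRIVE_ID, maintainers=MAINTAINERS):
    """Return one alert per event that touches the decoy drive."""
    alerts = []
    for act in activities:
        actor = act.get("actor", {}).get("email", "unknown")
        if actor.lower() in maintainers:
            continue  # expected upkeep of the decoy content
        for ev in act.get("events", []):
            p = _params(ev)
            if p.get("shared_drive_id") != decoy_drive_id:
                continue  # legitimate drive, or event without drive context
            alerts.append({
                "time": act.get("id", {}).get("time"),
                "actor": actor,
                "ip": act.get("ipAddress"),
                "action": ev.get("name"),
                "doc": p.get("doc_title"),
                # Copying, downloading or re-sharing decoys suggests exfiltration.
                "severity": "high" if ev.get("name") in HIGH_SEVERITY else "medium",
            })
    return alerts

def _act(time, email, ip, name, drive, title):
    """Build one constructed sample activity record."""
    return {"id": {"time": time}, "actor": {"email": email}, "ipAddress": ip,
            "events": [{"name": name, "parameters": [
                {"name": "shared_drive_id", "value": drive},
                {"name": "doc_title", "value": title}]}]}

SAMPLE = [  # constructed sample data, not real logs
    _act("2024-01-10T09:00:00Z", "deception-admin@example.com", "198.51.100.5", "edit", DECOY_DRIVE_ID, "Financial Projections"),
    _act("2024-01-12T02:14:07Z", "j.doe@example.com", "203.0.113.77", "view", DECOY_DRIVE_ID, "Financial Projections"),
    _act("2024-01-12T02:15:31Z", "j.doe@example.com", "203.0.113.77", "download", DECOY_DRIVE_ID, "Customer Database"),
    _act("2024-01-12T10:00:00Z", "a.lee@example.com", "198.51.100.9", "download", "0AEXAMPLE-REAL-DRIVE", "Q1 Plan"),
]

if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE):
        print(alert)
```

Because no legitimate user has a reason to open the decoy drive, every alert is worth reviewing; the severity field only orders the queue.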
Other:
ATT&CK/Engage Mapping: T1083 File and Directory Discovery, E1504 Decoy Content