Closed
Description
Link to rule
Description
This rule has some performance and false-positive considerations that should be addressed. The maxspan is small, however the use of wildcards and OR
logic may be too broad and cause performance issues when the first sequence query is collecting events.
### Tasks
- [ ] https://github.com/elastic/detection-rules/pull/3411
- [ ] Create a new rule, primarily identifying HTTP requests (so we can have logic on the URI parameters) to that URL
- [ ] Start some digging into new terms for process executable and dns domain combinations to web services and chat platforms (telegram, discord, etc.)
Metadata
Metadata
Assignees
Type
Projects
Milestone
Relationships
Development
No branches or pull requests
Activity
terrancedejesus commentedon Jan 16, 2024
Related requests to tune this rule:
terrancedejesus commentedon Jan 23, 2024
Update 01-23-2024
After some initial triage, it appears that direct download links to Google Drive with parameter
confirm=no_antivirus
may no longer be viable. Although this is submitted, response code 303 is given and redirection to a manual download page is given. Before, it would download the malware directly without the redirection.While this is the case, the threat of leveraging Google Drive for malware distribution is still prevalent, however, further research and emulation will need to be conducted to properly tune this rule.
Regarding performance, the rule can also be adjusted - specifically with the initial sequence and wildcard usage. Since we have no visibility into the URL requested during the TLS connection, we are unable to write logic on URL parameters. As a result, we must rely on a collection of events with DNS traffic, process and file based events.
Go code to download directly from Google Drive and execute batch script- used for testing:
rheimsothdecoit commentedon Jan 25, 2024
Be aware that this OR after the first block makes nearly always the following parts useless, e.g. in our environment
event.action
is always "load".Please check if instead of the "or" "and" would be correct.
Also the benign process list does not contain firefox and chrome binaries on linux machines, only the windows parts.
terrancedejesus commentedon Feb 1, 2024
Update 02-01-2024
After some research and discussion, we have expanded the scope of this rule tuning issue. We will be decoupling some of the activity attempted to be identified with the original rule, as well as creating new rules to detect similar activity.
Details can be found in the tuning pull request: #3411 (comment)
A tasklist has been added at the top of this tuning to add additional scope.
[-][Rule Tuning] Malicious File Downloaded from Google Drive[/-][+][Rule Tuning] Google Drive Direct Download Detection[/+]botelastic commentedon Apr 1, 2024
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
3 remaining items