[Tuning] Suspicious File Downloaded from Google Drive #3411

Merged
merged 3 commits into from
Jan 31, 2024
@@ -1,86 +1,47 @@
[metadata]
creation_date = "2023/06/19"
integration = ["endpoint"]
integration = ["endpoint", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/16"
updated_date = "2024/01/30"

[rule]
author = ["Elastic"]
description = """
Identifies potential malicious file download and execution from Google Drive. The rule checks for download activity from
Google Drive URL, followed by the creation of files commonly leveraged by or for malware. This could indicate an attempt
to run malicious scripts, executables or payloads.
Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt
to deliver phishing payloads via a trusted webservice.
"""
false_positives = [
"Approved third-party applications that use Google Drive download URLs.",
"Legitimate publicly shared files from Google Drive.",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint*"]
index = ["auditbeat-*", "logs-endpoint*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Malicious File Downloaded from Google Drive"
name = "Suspicious File Downloaded from Google Drive"
references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"]
risk_score = 73
risk_score = 47
rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
severity = "high"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by host.id, process.entity_id with maxspan=30s
[any where
process where

/* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */
(event.action in ("exec", "fork", "start", "load")) or
/* common browser processes */
event.action in ("exec", "fork", "start") and

/* Look for Google Drive download URL with AV flag skipping */
(process.args : "*drive.google.com*" and process.args : "*export=download*" and process.args : "*confirm=no_antivirus*")

/* ignore trusted processes */
and not (
process.code_signature.trusted == true and
process.code_signature.subject_name:
("Mozilla Corporation",
"Google LLC",
"Google Inc",
"Bitdefender SRL",
"Microsoft Corporation",
"Netskope, Inc.",
"Avast Software s.r.o.",
"Microsoft Windows",
"AVG Technologies USA, LLC",
"Symantec Corporation",
"Trend Micro, Inc.",
"Palo Alto Networks (Netherlands) B.V.",
"Docker Inc"))

/* ignore common benign processes */
and not process.executable:
("/bin/terraform",
"*/bin/dockerd",
"/usr/local/bin/docker-init",
"*/bin/go",
"?:\\Program Files*\\Mozilla Firefox\firefox.exe",
"?:\\Program Files*\\Google\\Chrome\\Application\\chrome.exe")

/* ignore shellscripts + go install from legitimate repository*/
and not (process.executable == "/bin/sh" and process.args : "go install google.golang.org*")]
process.name : ("Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable",
"google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe",
"whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox",
"powershell.exe", "curl", "curl.exe", "wget", "wget.exe") and

[network where
/* Look for DNS requests for Google Drive */
(dns.question.name : "drive.google.com" and dns.question.type : "A") or

/* Look for connection attempts to address that resolves to Google */
(destination.as.organization.name : "GOOGLE" and event.action == "connection_attempted")]

/* Identify the creation of files following Google Drive connection with extensions commonly used for executables or libraries */
[file where event.action == "creation" and
file.extension :
("exe", "dll", "scr", "jar", "pif", "app", "dmg",
"pkg", "elf", "so", "bin", "deb", "rpm","sh","hta","lnk")]
/* Look for Google Drive download URL with AV flag skipping */
(process.command_line : "*drive.google.com*" and process.command_line : "*export=download*" and process.command_line : "*confirm=no_antivirus*")
'''
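Review bot: The `event.action in ("exec", "fork", "start")` filter is kept on the rewritten process query while `logs-system.security*` is added to `index` and `"system"` to `integration`, yet Windows Security process-creation events from that integration do not carry those action values (as far as I recall they are normalized to `event.action : "created-process"` for event 4688), so the new index would contribute no matches; confirm against a sample document and, if so, widen the list, e.g. `event.action in ("exec", "fork", "start", "created-process")`. Matching on `process.command_line` from Security logs also depends on the host's audit policy including the command line in process-creation events, which is worth stating in a `setup` section, since `min_stack_comments` already refers to one. The `sequence by host.id, process.entity_id with maxspan=30s` line at the top of the query is shown only once, so the rendering does not say which side it is on; if it survives on the new side it is a syntax error, because the rewritten query is a single unbracketed `process where` and no longer a sequence.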

