Suspicious File Downloaded from Google Drive

Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted web service.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/06/19"
 3integration = ["endpoint", "system"]
 4maturity = "production"
 5updated_date = "2024/08/09"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing
11payloads via a trusted webservice.
12"""
13false_positives = [
14    "Approved third-party applications that use Google Drive download URLs.",
15    "Legitimate publicly shared files from Google Drive.",
16]
17from = "now-9m"
18index = ["auditbeat-*", "logs-endpoint*", "logs-system.security*", "winlogbeat-*"]
19language = "eql"
20license = "Elastic License v2"
21name = "Suspicious File Downloaded from Google Drive"
22references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"]
23risk_score = 47
24rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
25severity = "medium"
26tags = [
27    "Domain: Endpoint",
28    "OS: Linux",
29    "OS: Windows",
30    "OS: macOS",
31    "Use Case: Threat Detection",
32    "Tactic: Command and Control",
33    "Data Source: System",
34]
35timestamp_override = "event.ingested"
36type = "eql"
37
38query = '''
39process where
40
41    /* common browser processes  */
42    event.action in ("exec", "fork", "start") and 
43
44    process.name : ("Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable", 
45                    "google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe", 
46                    "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox", 
47                    "powershell.exe", "curl", "curl.exe", "wget", "wget.exe") and 
48
49    /* Look for Google Drive download URL with AV flag skipping */
50    (process.command_line : "*drive.google.com*" and process.command_line : "*export=download*" and process.command_line : "*confirm=no_antivirus*")
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1105"
58name = "Ingress Tool Transfer"
59reference = "https://attack.mitre.org/techniques/T1105/"
60
61
62[rule.threat.tactic]
63id = "TA0011"
64name = "Command and Control"
65reference = "https://attack.mitre.org/tactics/TA0011/"
