Suspicious File Downloaded from Google Drive
Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted web service.
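# Rule bookkeeping read by the Elastic detection-rules tooling: the integrations
# the rule depends on and its creation / last-update dates.
[metadata]
creation_date = "2023/06/19"
integration = ["endpoint", "system"]
maturity = "production"
updated_date = "2024/08/09"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing
payloads via a trusted webservice.
"""
# Known benign sources of the same command-line pattern; check these first during triage.
false_positives = [
    "Approved third-party applications that use Google Drive download URLs.",
    "Legitimate publicly shared files from Google Drive.",
]
# Look-back window for each execution of the rule.
# NOTE(review): the schedule interval is not part of this file; confirm that 9m overlaps it as intended.
from = "now-9m"
# Data streams the query runs against (endpoint, system security and beats process logs).
index = ["auditbeat-*", "logs-endpoint*", "logs-system.security*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious File Downloaded from Google Drive"
references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"]
# risk_score and severity are kept in step; 47 is the value this rule pairs with "medium".
risk_score = 47
rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
severity = "medium"
# NOTE(review): [metadata].integration lists "endpoint", but the only Data Source tag below is
# "System" — confirm whether a Data Source tag for the endpoint integration is expected here.
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Data Source: System",
]
# Query on ingest time (event.ingested) instead of the event's own timestamp.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic: a process exec/fork/start of a browser or command-line download
# tool (curl, wget, powershell.exe) whose command line contains a Google Drive
# export URL together with the confirm=no_antivirus parameter. All three
# command-line substrings must be present, so a plain Drive download without the
# AV-skip parameter does not fire. Coverage is limited to the process names
# listed; download tools outside that list are not matched by this rule.
query = '''
process where

 /* common browser processes */
 event.action in ("exec", "fork", "start") and

 process.name : ("Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable",
 "google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe",
 "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox",
 "powershell.exe", "curl", "curl.exe", "wget", "wget.exe") and

 /* Look for Google Drive download URL with AV flag skipping */
 (process.command_line : "*drive.google.com*" and process.command_line : "*export=download*" and process.command_line : "*confirm=no_antivirus*")
'''

# MITRE ATT&CK mapping: technique and tactic that an alert from this rule is attributed to.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"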