Suspicious File Downloaded from Google Drive

Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted web service.


 1[metadata]
 2creation_date = "2023/06/19"
 3integration = ["endpoint", "system"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/01/30"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt 
13to deliver phishing payloads via a trusted webservice.
14"""
15false_positives = [
16    "Approved third-party applications that use Google Drive download URLs.",
17    "Legitimate publicly shared files from Google Drive.",
18]
19from = "now-9m"
20index = ["auditbeat-*", "logs-endpoint*", "logs-system.security*"]
21language = "eql"
22license = "Elastic License v2"
23name = "Suspicious File Downloaded from Google Drive"
24references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"]
25risk_score = 47
26rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
27severity = "medium"
28tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33process where
34
35    /* common browser processes  */
36    event.action in ("exec", "fork", "start") and 
37
38    process.name : ("Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable", 
39                    "google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe", 
40                    "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox", 
41                    "powershell.exe", "curl", "curl.exe", "wget", "wget.exe") and 
42
43    /* Look for Google Drive download URL with AV flag skipping */
44    (process.command_line : "*drive.google.com*" and process.command_line : "*export=download*" and process.command_line : "*confirm=no_antivirus*")
45'''
46
47
[[rule.threat]]
# MITRE ATT&CK mapping: one technique under the Command and Control tactic.
framework = "MITRE ATT&CK"
# T1105 Ingress Tool Transfer — the payload download the query observes.
technique = [
    { id = "T1105", name = "Ingress Tool Transfer", reference = "https://attack.mitre.org/techniques/T1105/" },
]
tactic = { id = "TA0011", name = "Command and Control", reference = "https://attack.mitre.org/tactics/TA0011/" }
