Suspicious File Downloaded from Google Drive
Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted webservice.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/06/19"
integration = ["endpoint", "system"]
maturity = "production"
updated_date = "2025/02/21"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing
payloads via a trusted webservice.
"""
false_positives = [
    "Approved third-party applications that use Google Drive download URLs.",
    "Legitimate publicly shared files from Google Drive.",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint*", "logs-system.security*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious File Downloaded from Google Drive"
references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"]
risk_score = 47
rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Data Source: Windows Security Event Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where

  /* common browser processes */
  event.action in ("exec", "fork", "start") and

  process.name : ("Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable",
                  "google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe",
                  "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox",
                  "powershell.exe", "curl", "curl.exe", "wget", "wget.exe") and

  /* Look for Google Drive download URL with AV flag skipping */
  (process.command_line : "*drive.google.com*" and process.command_line : "*export=download*" and process.command_line : "*confirm=no_antivirus*")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious File Downloaded from Google Drive

Google Drive is a widely-used cloud storage service that allows users to store and share files. Adversaries may exploit its trusted nature to distribute malicious files, bypassing security measures by using download links with antivirus checks disabled. The detection rule identifies such activities by monitoring browser processes for specific Google Drive download patterns, flagging potential threats for further investigation.

### Possible investigation steps

- Review the process command line details to confirm the presence of the Google Drive download URL with the "export=download" and "confirm=no_antivirus" parameters, which indicate an attempt to bypass antivirus checks.
- Identify the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears suspicious.
- Check the file downloaded from the Google Drive URL for any known malicious signatures or behaviors using a reputable antivirus or malware analysis tool.
- Investigate the source of the download link to determine if it was shared via email, messaging, or another communication channel, and assess the legitimacy of the source.
- Analyze network logs to identify any additional suspicious activity or connections related to the IP address or domain associated with the download.
- Review historical data for any previous similar alerts or activities involving the same user or device to identify potential patterns or repeated attempts.

### False positive analysis

- Legitimate file sharing activities from Google Drive may trigger alerts if users frequently download files for business purposes. To manage this, create exceptions for specific users or departments known to use Google Drive extensively for legitimate work.
- Automated scripts or tools that download files from Google Drive for regular data processing tasks might be flagged. Identify these scripts and whitelist their associated processes or command lines to prevent unnecessary alerts.
- Educational institutions or research organizations often share large datasets via Google Drive, which could be mistakenly flagged. Implement exceptions for known educational or research-related Google Drive URLs to reduce false positives.
- Internal IT or security teams may use Google Drive to distribute software updates or patches. Recognize these activities and exclude them by specifying trusted internal Google Drive links or user accounts.
- Collaboration with external partners who use Google Drive for file sharing can lead to false positives. Establish a list of trusted partners and their associated Google Drive URLs to minimize unnecessary alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further spread of potential malware or unauthorized access.
- Quarantine the downloaded file and perform a detailed malware analysis using a sandbox environment to determine its behavior and potential impact.
- If malware is confirmed, initiate a full system scan using updated antivirus and anti-malware tools to identify and remove any additional threats.
- Review and analyze the process command line logs to identify any other suspicious activities or downloads that may have occurred concurrently.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
- Implement network-level blocking of the specific Google Drive URL or domain if it is confirmed to be malicious, to prevent future access.
- Update endpoint detection and response (EDR) systems with indicators of compromise (IOCs) identified during the analysis to enhance detection of similar threats in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
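As an added example (not part of the Elastic rule or its repository), the query's matching logic re-implemented in Python and run over constructed process events, so the boundary of what the rule does and does not catch can be checked offline before tuning exceptions. Field names mirror ECS; the sample events, the PLACEHOLDER_FILE_ID values and the python3 case are assumptions.

```python
from fnmatch import fnmatchcase

# Process names and event actions copied from the rule's query.
WATCHED_PROCESSES = {
    "Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable",
    "google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe",
    "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox",
    "powershell.exe", "curl", "curl.exe", "wget", "wget.exe",
}
START_ACTIONS = {"exec", "fork", "start"}
# All three wildcard patterns must match the command line; EQL ':' is case-insensitive.
COMMAND_LINE_PATTERNS = ("*drive.google.com*", "*export=download*", "*confirm=no_antivirus*")
_WATCHED_LOWER = {name.lower() for name in WATCHED_PROCESSES}


def matches_rule(event: dict) -> bool:
    """Return True when an ECS-style event satisfies every clause of the query."""
    if event.get("event.action") not in START_ACTIONS:
        return False
    if event.get("process.name", "").lower() not in _WATCHED_LOWER:
        return False
    cmd = event.get("process.command_line", "").lower()
    return all(fnmatchcase(cmd, pattern) for pattern in COMMAND_LINE_PATTERNS)


def alerting_event_ids(events) -> list:
    """IDs of the events the rule would alert on, in input order."""
    return [event["id"] for event in events if matches_rule(event)]


# Constructed sample events; PLACEHOLDER_FILE_ID stands in for a real Drive file id.
SAMPLE_EVENTS = [
    {"id": "evt-1", "event.action": "start", "process.name": "chrome.exe",
     "process.command_line": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
                             "https://drive.google.com/uc?export=download&confirm=no_antivirus&id=PLACEHOLDER_FILE_ID"},
    # Ordinary Drive download without the AV-skip parameter: the rule stays quiet.
    {"id": "evt-2", "event.action": "exec", "process.name": "curl",
     "process.command_line": "curl -L https://drive.google.com/uc?export=download&id=PLACEHOLDER_FILE_ID -o data.csv"},
    # Same URL from a process the rule does not watch: a coverage gap to keep in mind during triage.
    {"id": "evt-3", "event.action": "exec", "process.name": "python3",
     "process.command_line": "python3 fetch.py https://DRIVE.GOOGLE.COM/uc?export=download&confirm=no_antivirus&id=PLACEHOLDER_FILE_ID"},
    # Process exit rather than start: excluded by the event.action filter.
    {"id": "evt-4", "event.action": "end", "process.name": "msedge.exe",
     "process.command_line": "msedge.exe https://drive.google.com/uc?export=download&confirm=no_antivirus&id=PLACEHOLDER_FILE_ID"},
    # Mixed-case name and URL still match, as they do under EQL ':'.
    {"id": "evt-5", "event.action": "exec", "process.name": "Firefox",
     "process.command_line": "firefox https://Drive.Google.com/uc?Export=Download&Confirm=No_Antivirus&id=PLACEHOLDER_FILE_ID"},
]
```

Running `alerting_event_ids(SAMPLE_EVENTS)` returns only evt-1 and evt-5; the unwatched-process case is the one to weigh when deciding whether the process list needs extending in your environment.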