Suspicious File Downloaded from Google Drive
Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted webservice.
# Rule maintenance metadata. `integration` names the Elastic integrations
# ("endpoint", "system") whose data streams the index patterns under [rule]
# read; auditbeat-* is listed there as well, presumably for the classic
# Auditbeat process dataset — confirm against the deployed data sources.
[metadata]
creation_date = "2023/06/19"
integration = ["endpoint", "system"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing
payloads via a trusted webservice.
"""
# Tuning guidance: both entries describe benign use of the same URL shape the
# query keys on, so exclusions are best scoped to the specific tool or share
# rather than applied to the rule as a whole.
false_positives = [
    "Approved third-party applications that use Google Drive download URLs.",
    "Legitimate publicly shared files from Google Drive.",
]
# Lookback window per rule execution. With timestamp_override set to
# event.ingested (below) the window is meant to be evaluated against ingest
# time rather than the endpoint's own clock.
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious File Downloaded from Google Drive"
references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"]
# 47 is the lower bound of the "medium" band in Elastic's risk-score ranges,
# so it stays consistent with `severity` below.
risk_score = 47
rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
]
timestamp_override = "event.ingested"
type = "eql"

# Matches process-launch events whose command line carries a Google Drive
# direct-download URL (export=download) together with confirm=no_antivirus,
# the parameter a client sends to skip Drive's "can't scan for viruses"
# interstitial on large files. All three command-line wildcards are AND-ed,
# so an ordinary Drive share link or a plain export=download fetch does not
# fire on its own.
# `:` is EQL's case-insensitive match, so the process.name list also covers
# differently-cased executable names. Command-line tools (curl, wget,
# powershell.exe) sit alongside the browsers because the same URL is
# reachable without a browser.
# NOTE(review): only the drive.google.com host is matched; Drive direct
# downloads are also served from other Google hosts, so coverage of those
# URL forms is worth confirming against current Drive behaviour.
query = '''
process where

 /* common browser processes */
 event.action in ("exec", "fork", "start") and

 process.name : ("Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable",
 "google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe",
 "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox",
 "powershell.exe", "curl", "curl.exe", "wget", "wget.exe") and

 /* Look for Google Drive download URL with AV flag skipping */
 (process.command_line : "*drive.google.com*" and process.command_line : "*export=download*" and process.command_line : "*confirm=no_antivirus*")
'''


# MITRE ATT&CK mapping: Ingress Tool Transfer (T1105) under the Command and
# Control tactic (TA0011) — the download itself is the transfer being detected.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"