Potential Malicious File Downloaded from Google Drive

Identifies potential malicious file download and execution from Google Drive. The rule looks for a process that reaches a Google Drive direct-download URL (or resolves/connects to Google Drive), followed within a short window by the same process creating a file with an extension commonly leveraged by or for malware (executables, libraries, scripts). This could indicate an attempt to run malicious scripts, executables or payloads fetched from a file-sharing service that is rarely blocked.


[metadata]
# Date the rule was first published (YYYY/MM/DD).
creation_date = "2023/06/19"
# Integration whose data streams feed this rule; matches the logs-endpoint* index pattern in [rule].
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Oldest stack release the rule's schema fields are expected to exist in.
min_stack_version = "8.3.0"
updated_date = "2023/10/16"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies potential malicious file download and execution from Google Drive. The rule checks for download activity from
13Google Drive URL, followed by the creation of files commonly leveraged by or for malware. This could indicate an attempt
14to run malicious scripts, executables or payloads.
15"""
16false_positives = [
17    "Approved third-party applications that use Google Drive download URLs.",
18    "Legitimate publicly shared files from Google Drive.",
19]
20from = "now-9m"
21index = ["auditbeat-*", "logs-endpoint*"]
22language = "eql"
23license = "Elastic License v2"
24name = "Potential Malicious File Downloaded from Google Drive"
25references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"]
26risk_score = 73
27rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
28severity = "high"
29tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"]
30type = "eql"
31
32query = '''
33sequence by host.id, process.entity_id with maxspan=30s
34[any where
35
36    /* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */
37    (event.action in ("exec", "fork", "start", "load")) or
38
39    /* Look for Google Drive download URL with AV flag skipping */
40    (process.args : "*drive.google.com*" and process.args : "*export=download*" and process.args : "*confirm=no_antivirus*")
41
42    /* ignore trusted processes */
43    and not (
44        process.code_signature.trusted == true and
45        process.code_signature.subject_name:
46            ("Mozilla Corporation",
47            "Google LLC",
48            "Google Inc",
49            "Bitdefender SRL",
50            "Microsoft Corporation",
51            "Netskope, Inc.",
52            "Avast Software s.r.o.",
53            "Microsoft Windows",
54            "AVG Technologies USA, LLC",
55            "Symantec Corporation",
56            "Trend Micro, Inc.",
57            "Palo Alto Networks (Netherlands) B.V.",
58            "Docker Inc"))
59
60    /* ignore common benign processes */
61    and not process.executable:
62        ("/bin/terraform",
63        "*/bin/dockerd",
64        "/usr/local/bin/docker-init",
65        "*/bin/go",
66        "?:\\Program Files*\\Mozilla Firefox\firefox.exe",
67        "?:\\Program Files*\\Google\\Chrome\\Application\\chrome.exe")
68
69    /* ignore shellscripts + go install from legitimate repository*/
70    and not (process.executable == "/bin/sh" and process.args : "go install google.golang.org*")]
71
72[network where
73    /* Look for DNS requests for Google Drive */
74    (dns.question.name : "drive.google.com" and dns.question.type : "A") or
75
76    /* Look for connection attempts to address that resolves to Google */
77    (destination.as.organization.name : "GOOGLE" and event.action == "connection_attempted")]
78
79/* Identify the creation of files following Google Drive connection with extensions commonly used for executables or libraries */
80[file where event.action == "creation" and
81    file.extension :
82        ("exe", "dll", "scr", "jar", "pif", "app", "dmg",
83        "pkg", "elf", "so", "bin", "deb", "rpm","sh","hta","lnk")]
84'''
85
86
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
# Ingress Tool Transfer: the payload is brought onto the host over the network (here via Google Drive).
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"


# Tactic the technique is mapped under; matches the "Tactic: Command and Control" tag in [rule].
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
