Suspicious File Downloaded from Google Drive

Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted web service.


 1[metadata]
 2creation_date = "2023/06/19"
 3integration = ["endpoint", "system"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing
11payloads via a trusted webservice.
12"""
13false_positives = [
14    "Approved third-party applications that use Google Drive download URLs.",
15    "Legitimate publicly shared files from Google Drive.",
16]
17from = "now-9m"
18index = ["auditbeat-*", "logs-endpoint*", "logs-system.security*"]
19language = "eql"
20license = "Elastic License v2"
21name = "Suspicious File Downloaded from Google Drive"
22references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"]
23risk_score = 47
24rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
25severity = "medium"
26tags = [
27    "Domain: Endpoint",
28    "OS: Linux",
29    "OS: Windows",
30    "OS: macOS",
31    "Use Case: Threat Detection",
32    "Tactic: Command and Control",
33]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38process where
39
40    /* common browser processes  */
41    event.action in ("exec", "fork", "start") and 
42
43    process.name : ("Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable", 
44                    "google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe", 
45                    "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox", 
46                    "powershell.exe", "curl", "curl.exe", "wget", "wget.exe") and 
47
48    /* Look for Google Drive download URL with AV flag skipping */
49    (process.command_line : "*drive.google.com*" and process.command_line : "*export=download*" and process.command_line : "*confirm=no_antivirus*")
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1105"
57name = "Ingress Tool Transfer"
58reference = "https://attack.mitre.org/techniques/T1105/"
59
60
61[rule.threat.tactic]
62id = "TA0011"
63name = "Command and Control"
64reference = "https://attack.mitre.org/tactics/TA0011/"
