Suspicious File Downloaded from Google Drive
Identifies a browser or command-line download tool (curl, wget, PowerShell) launched with a Google Drive direct-download URL that carries the `confirm=no_antivirus` flag, i.e. a link that skips Drive's virus-scan warning. This could indicate an attempt to deliver phishing payloads via a trusted web service.
[metadata]
# Date the rule was first added; updated_date below records the latest revision.
creation_date = "2023/06/19"
# Integrations that feed the data streams queried by the [rule] index patterns
# (logs-endpoint*, logs-system.security*).
integration = ["endpoint", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Minimum Elastic Stack version the rule targets; min_stack_comments records why.
min_stack_version = "8.3.0"
updated_date = "2024/01/30"

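[rule]
author = ["Elastic"]
description = """
Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt
to deliver phishing payloads via a trusted webservice.
"""
false_positives = [
    "Approved third-party applications that use Google Drive download URLs.",
    "Legitimate publicly shared files from Google Drive.",
]
# Lookback window per execution; combined with timestamp_override below so
# events that arrive late are still evaluated instead of being silently missed.
from = "now-9m"
# NOTE(review): the query keys on process.command_line. Confirm every source listed
# here populates that field (some only expose process.args) — TODO verify per source.
index = ["auditbeat-*", "logs-endpoint*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious File Downloaded from Google Drive"
references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"]
risk_score = 47
rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
]
# Evaluate on ingest time rather than event time so delayed shipping does not
# push an event outside the `from` window before the rule sees it.
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where

  /* process creation events as emitted by the different agents/OSes */
  event.action in ("exec", "fork", "start") and

  /* common browser processes plus command-line download tools;
     the ':' operator matches case-insensitively.
     pwsh / pwsh.exe (PowerShell 7) are listed alongside powershell.exe so a
     download driven from the cross-platform shell is not missed. */
  process.name : ("Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable",
                  "google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe",
                  "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox",
                  "powershell.exe", "pwsh.exe", "pwsh", "curl", "curl.exe", "wget", "wget.exe") and

  /* Google Drive direct-download URL carrying the flag that skips the AV-scan warning.
     All three substrings must be present on the same command line. Because this is a
     process event, the URL is only visible when the tool or browser is *launched* with
     it as an argument: a download started from inside an already-running browser
     window produces no such event and is not covered. The host check is a literal
     substring, so hostnames that do not contain "drive.google.com" are not matched. */
  (process.command_line : "*drive.google.com*" and
   process.command_line : "*export=download*" and
   process.command_line : "*confirm=no_antivirus*")
'''

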
[[rule.threat]]
framework = "MITRE ATT&CK"
# Technique: the query looks for payloads being pulled onto the host from an external service.
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"


# Tactic for this threat entry. As a sub-table of the current [[rule.threat]] element it
# must stay after that header and before any further [[rule.threat]] entry.
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"