OneDrive Malware File Upload

Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/01/10"
 3integration = ["o365"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers
11can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access.
12Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain
13initial access to other endpoints in the environment.
14"""
15false_positives = ["Benign files can trigger signatures in the built-in virus protection"]
16from = "now-30m"
17index = ["filebeat-*", "logs-o365*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "OneDrive Malware File Upload"
21note = """## Setup
22
23The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
24references = [
25    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide",
26]
27risk_score = 73
28rule_id = "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1"
29severity = "high"
30tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement"]
31timestamp_override = "event.ingested"
32type = "query"
33
34query = '''
35event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected
36'''
37
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41[[rule.threat.technique]]
42id = "T1080"
43name = "Taint Shared Content"
44reference = "https://attack.mitre.org/techniques/T1080/"
45
46
47[rule.threat.tactic]
48id = "TA0008"
49name = "Lateral Movement"
50reference = "https://attack.mitre.org/tactics/TA0008/"

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top