OneDrive Malware File Upload
Identifies the occurrence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries an opportunity to gain initial access to other endpoints in the environment.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2022/01/10"
integration = ["o365"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the occurrence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers
can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access.
Users can inadvertently share these files without knowing their maliciousness, giving adversaries an opportunity to gain
initial access to other endpoints in the environment.
"""
false_positives = ["Benign files can trigger signatures in the built-in virus protection"]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "OneDrive Malware File Upload"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating OneDrive Malware File Upload

OneDrive, a cloud storage service, facilitates file sharing and collaboration within organizations. However, adversaries can exploit this by uploading malware, which can spread across shared environments, leading to lateral movement within a network. The detection rule identifies such threats by monitoring OneDrive activities for malware detection events, focusing on file operations flagged by Microsoft's security engine. This proactive approach helps in identifying and mitigating potential breaches.

### Possible investigation steps

- Review the alert details to confirm the event dataset is 'o365.audit' and the event provider is 'OneDrive' to ensure the alert is relevant to OneDrive activities.
- Examine the specific file operation flagged by the event code 'SharePointFileOperation' and action 'FileMalwareDetected' to identify the file in question and understand the nature of the detected malware.
- Identify the user account associated with the file upload to determine if the account has been compromised or if the user inadvertently uploaded the malicious file.
- Check the sharing settings of the affected file to assess the extent of exposure and identify any other users or systems that may have accessed the file.
- Investigate the file's origin and history within the organization to trace how it was introduced into the environment and whether it has been shared or accessed by other users.
- Review any additional security alerts or logs related to the user account or file to identify potential patterns of malicious activity or further compromise.
- Coordinate with IT and security teams to isolate the affected file and user account, and initiate remediation steps to prevent further spread of the malware.

### False positive analysis

- Legitimate software updates or patches may be flagged as malware if they are not yet recognized by the security engine. Users should verify the source and integrity of the file and consider adding it to an exception list if confirmed safe.
- Files containing scripts or macros used for automation within the organization might trigger false positives. Review the file's purpose and origin, and whitelist it if it is a known and trusted internal tool.
- Shared files from trusted partners or vendors could be mistakenly identified as threats. Establish a process to verify these files with the sender and use exceptions for recurring, verified files.
- Archived or compressed files that contain known safe content might be flagged due to their format. Decompress and scan the contents separately to confirm their safety before adding exceptions.
- Files with unusual or encrypted content used for legitimate business purposes may be misclassified. Ensure these files are documented and approved by IT security before excluding them from alerts.

### Response and remediation

- Immediately isolate the affected OneDrive account to prevent further file sharing and potential spread of malware within the organization.
- Notify the user associated with the account about the detected malware and instruct them to cease any file sharing activities until further notice.
- Conduct a thorough scan of the affected files using an updated antivirus or endpoint detection and response (EDR) solution to confirm the presence of malware and identify any additional infected files.
- Remove or quarantine the identified malicious files from OneDrive and any other locations they may have been shared to prevent further access or execution.
- Review and revoke any shared links or permissions associated with the infected files to ensure no unauthorized access is possible.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if any lateral movement or additional compromise has occurred.
- Implement enhanced monitoring and alerting for similar OneDrive activities to quickly detect and respond to any future malware uploads or related threats.

## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
  "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide",
]
risk_score = 73
rule_id = "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1"
severity = "high"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1080"
name = "Taint Shared Content"
reference = "https://attack.mitre.org/techniques/T1080/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
```
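To see what the rule's KQL query actually selects, here is an added offline re-implementation of its four-term match run over constructed ECS-shaped o365 audit events, plus the per-user grouping the first investigation steps ask for. This is example code, not Elastic's rule engine; the flat dotted-key JSON shape and the `user.id` / `file.name` fields are assumptions for the sample, while the matched field values come from the rule's query.

```python
"""Offline re-implementation of the OneDrive Malware File Upload match over sample events."""
import json

# Field/value terms copied from the rule's KQL query; KQL 'and' means every term must match.
RULE_TERMS = {
    "event.dataset": "o365.audit",
    "event.provider": "OneDrive",
    "event.code": "SharePointFileOperation",
    "event.action": "FileMalwareDetected",
}

# Constructed sample log lines (not real telemetry). Only lines 1 and 4 should alert:
# line 2 is a clean upload, line 3 is the SharePoint workload (covered by the sibling
# SharePoint rule, not this one), line 5 comes from the wrong dataset.
SAMPLE_LOG = """\
{"event.dataset":"o365.audit","event.provider":"OneDrive","event.code":"SharePointFileOperation","event.action":"FileMalwareDetected","user.id":"alice@example.test","file.name":"invoice.docm"}
{"event.dataset":"o365.audit","event.provider":"OneDrive","event.code":"SharePointFileOperation","event.action":"FileUploaded","user.id":"alice@example.test","file.name":"notes.txt"}
{"event.dataset":"o365.audit","event.provider":"SharePoint","event.code":"SharePointFileOperation","event.action":"FileMalwareDetected","user.id":"bob@example.test","file.name":"setup.exe"}
{"event.dataset":"o365.audit","event.provider":"OneDrive","event.code":"SharePointFileOperation","event.action":"FileMalwareDetected","user.id":"alice@example.test","file.name":"report.xlsm"}
{"event.dataset":"aws.cloudtrail","event.provider":"OneDrive","event.code":"SharePointFileOperation","event.action":"FileMalwareDetected"}
"""


def matches_rule(event: dict) -> bool:
    """True when every term of the query matches exactly (a missing field never matches)."""
    return all(event.get(field) == value for field, value in RULE_TERMS.items())


def run_rule(log_text: str) -> list[dict]:
    """Apply the rule to newline-delimited JSON events, skipping blank or malformed lines."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # an unparseable line is dropped, not treated as a match
        if matches_rule(event):
            hits.append(event)
    return hits


def triage_summary(hits: list[dict]) -> dict[str, list[str]]:
    """Group flagged file names by the uploading account (assumed user.id / file.name fields)."""
    summary: dict[str, list[str]] = {}
    for event in hits:
        summary.setdefault(event.get("user.id", "<unknown>"), []).append(event.get("file.name", "<unknown>"))
    return summary


if __name__ == "__main__":
    alerts = run_rule(SAMPLE_LOG)
    print(f"{len(alerts)} alert(s)")
    for user, files in triage_summary(alerts).items():
        print(f"{user}: {files}")
```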