From 1676844640ef8ab0d61b6cb024cb07e8f3e69f28 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 27 Jan 2022 16:12:17 -0300 Subject: [PATCH] [New Rule] SharePoint Malware File Upload (#1691) * "SharePoint Malware File Upload" Initial Rule * s/onedrive/sharepoint * bump severity --- ..._movement_malware_uploaded_sharepoint.toml | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml new file mode 100644 index 000000000..449e10a85 --- /dev/null +++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml @@ -0,0 +1,51 @@ +[metadata] +creation_date = "2022/01/10" +integration = "o365" +maturity = "production" +updated_date = "2022/01/10" + +[rule] +author = ["Elastic"] +description = """ +Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers +can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. +Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain +initial access to other endpoints in the environment. +""" +false_positives = ["Benign files can trigger signatures in the built-in virus protection"] +from = "now-30m" +index = ["filebeat-*", "logs-o365*"] +language = "kuery" +license = "Elastic License v2" +name = "SharePoint Malware File Upload" +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide", +] +risk_score = 73 +rule_id = "0e52157a-8e96-4a95-a6e3-5faae5081a74" +severity = "high" +tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Lateral Movement"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +reference = "https://attack.mitre.org/techniques/T1080/" +id = "T1080" +name = "Taint Shared Content" + + +[rule.threat.tactic] +reference = "https://attack.mitre.org/tactics/TA0008/" +id = "TA0008" +name = "Lateral Movement"