[New Rule] Potential Malicious File Downloaded from Google Drive (#2862)
* new rule for malicious files downloaded from Google Drive * Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml * removed unecessary tags * removed extra space * updated false positives * fix unit testing failure * Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * removed note field * added cmd.exe * updated updated_dated * Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * removed LoLBins to capture unknown binaries involved * removed code signature requirements * Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml * Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
This commit is contained in:
Terrance DeJesus
@@ -0,0 +1,77 @@
|
||||
[metadata]
|
||||
creation_date = "2023/06/19"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/06/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies potential malicious file download and execution from Google Drive. The rule checks for download activity from
|
||||
Google Drive URL, followed by the creation of files commonly leveraged by or for malware. This could indicate an attempt
|
||||
to run malicious scripts, executables or payloads.
|
||||
"""
|
||||
false_positives = [
|
||||
"Approved third-party applications that use Google Drive download URLs.",
|
||||
"Legitimate publicly shared files from Google Drive.",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["auditbeat-*", "logs-endpoint*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Malicious File Downloaded from Google Drive"
|
||||
references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"]
|
||||
risk_score = 73
|
||||
rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
|
||||
severity = "high"
|
||||
tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Command and Control"]
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
sequence by host.id, process.entity_id with maxspan=30s
|
||||
[any where
|
||||
|
||||
/* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */
|
||||
(event.action in ("exec", "fork", "start", "load")) or
|
||||
|
||||
/* Look for Google Drive download URL with AV flag skipping */
|
||||
(process.args : "*drive.google.com*" and process.args : "*export=download*" and process.args : "*confirm=no_antivirus*")
|
||||
]
|
||||
|
||||
[network where
|
||||
/* Look for DNS requests for Google Drive */
|
||||
(dns.question.name : "drive.google.com" and dns.question.type : "A") or
|
||||
|
||||
/* Look for connection attempts to address that resolves to Google */
|
||||
(destination.as.organization.name : "GOOGLE" and event.action == "connection_attempted")
|
||||
|
||||
/* NOTE: Add LoLBins if tuning is required
|
||||
process.name : (
|
||||
"cmd.exe", "bitsadmin.exe", "certutil.exe", "esentutl.exe", "wmic.exe", "PowerShell.exe",
|
||||
"homedrive.exe","regsvr32.exe", "mshta.exe", "rundll32.exe", "cscript.exe", "wscript.exe",
|
||||
"curl", "wget", "scp", "ftp", "python", "perl", "ruby"))] */
|
||||
]
|
||||
|
||||
/* Identify the creation of files following Google Drive connection with extensions commonly used for executables or libraries */
|
||||
[file where event.action == "creation" and file.extension : (
|
||||
"exe", "dll", "scr", "jar", "pif", "app", "dmg", "pkg", "elf", "so", "bin", "deb", "rpm","sh","hta","lnk"
|
||||
)
|
||||
]
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1105"
|
||||
name = "Ingress Tool Transfer"
|
||||
reference = "https://attack.mitre.org/techniques/T1105/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0011"
|
||||
name = "Command and Control"
|
||||
reference = "https://attack.mitre.org/tactics/TA0011/"
|
||||
|
||||
Reference in New Issue
Block a user