diff --git a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml new file mode 100644 index 000000000..69af0c7d1 --- /dev/null +++ b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml @@ -0,0 +1,77 @@ +[metadata] +creation_date = "2023/06/19" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/20" + +[rule] +author = ["Elastic"] +description = """ +Identifies potential malicious file download and execution from Google Drive. The rule checks for download activity from +Google Drive URL, followed by the creation of files commonly leveraged by or for malware. This could indicate an attempt +to run malicious scripts, executables or payloads. +""" +false_positives = [ + "Approved third-party applications that use Google Drive download URLs.", + "Legitimate publicly shared files from Google Drive.", +] +from = "now-9m" +index = ["auditbeat-*", "logs-endpoint*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Malicious File Downloaded from Google Drive" +references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"] +risk_score = 73 +rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd" +severity = "high" +tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Command and Control"] +type = "eql" + +query = ''' +sequence by host.id, process.entity_id with maxspan=30s +[any where + + /* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */ + (event.action in ("exec", "fork", "start", "load")) or + + /* Look for Google Drive download URL with AV flag skipping */ + (process.args : "*drive.google.com*" and process.args : "*export=download*" and process.args : "*confirm=no_antivirus*") +] + +[network where + /* Look for DNS requests for Google Drive */ + (dns.question.name : "drive.google.com" and dns.question.type : "A") or + + /* Look for connection attempts to address that resolves to Google */ + (destination.as.organization.name : "GOOGLE" and event.action == "connection_attempted") + + /* NOTE: Add LoLBins if tuning is required + process.name : ( + "cmd.exe", "bitsadmin.exe", "certutil.exe", "esentutl.exe", "wmic.exe", "PowerShell.exe", + "homedrive.exe","regsvr32.exe", "mshta.exe", "rundll32.exe", "cscript.exe", "wscript.exe", + "curl", "wget", "scp", "ftp", "python", "perl", "ruby"))] */ +] + +/* Identify the creation of files following Google Drive connection with extensions commonly used for executables or libraries */ +[file where event.action == "creation" and file.extension : ( + "exe", "dll", "scr", "jar", "pif", "app", "dmg", "pkg", "elf", "so", "bin", "deb", "rpm","sh","hta","lnk" + ) +] +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +