sigma-rules/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml
Terrance DeJesus cabf1c2a02 [Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
* Tuning azure and m365 rule names and file paths

* addressing unit test failures

* addressing unit test failures

* Changed Frontdoor to Front Door

* removed extra space in name

* adjusted Microsoft 365 to M365 in rule name

* Update rules/integrations/azure/credential_access_storage_account_key_regenerated.toml

* Update rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml

* Update rules/integrations/azure/execution_automation_runbook_created_or_modified.toml

* Update rules/integrations/azure/persistence_automation_account_created.toml

* Update rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml

* Update rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml

* Update rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml

* Update rules/integrations/azure/persistence_automation_webhook_created.toml

* Update rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml

* Update rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml

* Update rules/integrations/azure/persistence_event_hub_created_or_updated.toml

* Update rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml

* Update rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml

* Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* fixed additional rule names

* Update rule dates and investigation guide headers

- Set updated_date to 2025/12/10 for all modified rules
- Fix investigation guide headers to match actual rule names
- Ensures compliance with test_rule_change_has_updated_date
- Ensures compliance with test_investigation_guide_uses_rule_name

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* changed kibana alert rule name to rule ID

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
2025-12-10 12:59:50 -05:00


[metadata]
creation_date = "2022/01/10"
integration = ["o365"]
maturity = "production"
updated_date = "2025/12/10"
[rule]
author = ["Elastic"]
description = """
Identifies the occurrence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers
can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access.
Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain
initial access to other endpoints in the environment.
"""
false_positives = ["Benign files can trigger signatures in the built-in virus protection"]
from = "now-9m"
index = ["logs-o365.audit-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 OneDrive Malware File Upload"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating M365 OneDrive Malware File Upload
OneDrive, a cloud storage service, facilitates file sharing and collaboration within organizations. However, adversaries can exploit this by uploading malware, which can spread across shared environments, leading to lateral movement within a network. The detection rule identifies such threats by monitoring OneDrive activities for malware detection events, focusing on file operations flagged by Microsoft's security engine. This proactive approach helps in identifying and mitigating potential breaches.
### Possible investigation steps
- Review the alert details to confirm the event dataset is 'o365.audit' and the event provider is 'OneDrive' to ensure the alert is relevant to OneDrive activities.
- Examine the specific file operation flagged by the event code 'SharePointFileOperation' and action 'FileMalwareDetected' to identify the file in question and understand the nature of the detected malware.
- Identify the user account associated with the file upload to determine if the account has been compromised or if the user inadvertently uploaded the malicious file.
- Check the sharing settings of the affected file to assess the extent of exposure and identify any other users or systems that may have accessed the file.
- Investigate the file's origin and history within the organization to trace how it was introduced into the environment and whether it has been shared or accessed by other users.
- Review any additional security alerts or logs related to the user account or file to identify potential patterns of malicious activity or further compromise.
- Coordinate with IT and security teams to isolate the affected file and user account, and initiate remediation steps to prevent further spread of the malware.
### False positive analysis
- Legitimate software updates or patches may be flagged as malware if they are not yet recognized by the security engine. Users should verify the source and integrity of the file and consider adding it to an exception list if confirmed safe.
- Files containing scripts or macros used for automation within the organization might trigger false positives. Review the file's purpose and origin, and whitelist it if it is a known and trusted internal tool.
- Shared files from trusted partners or vendors could be mistakenly identified as threats. Establish a process to verify these files with the sender and use exceptions for recurring, verified files.
- Archived or compressed files that contain known safe content might be flagged due to their format. Decompress and scan the contents separately to confirm their safety before adding exceptions.
- Files with unusual or encrypted content used for legitimate business purposes may be misclassified. Ensure these files are documented and approved by IT security before excluding them from alerts.
### Response and remediation
- Immediately isolate the affected OneDrive account to prevent further file sharing and potential spread of malware within the organization.
- Notify the user associated with the account about the detected malware and instruct them to cease any file sharing activities until further notice.
- Conduct a thorough scan of the affected files using an updated antivirus or endpoint detection and response (EDR) solution to confirm the presence of malware and identify any additional infected files.
- Remove or quarantine the identified malicious files from OneDrive and any other locations they may have been shared to prevent further access or execution.
- Review and revoke any shared links or permissions associated with the infected files to ensure no unauthorized access is possible.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if any lateral movement or additional compromise has occurred.
- Implement enhanced monitoring and alerting for similar OneDrive activities to quickly detect and respond to any future malware uploads or related threats.
## Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide",
]
risk_score = 73
rule_id = "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1"
severity = "high"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1080"
name = "Taint Shared Content"
reference = "https://attack.mitre.org/techniques/T1080/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1608"
name = "Stage Capabilities"
reference = "https://attack.mitre.org/techniques/T1608/"
[[rule.threat.technique.subtechnique]]
id = "T1608.001"
name = "Upload Malware"
reference = "https://attack.mitre.org/techniques/T1608/001/"
[rule.threat.tactic]
id = "TA0042"
name = "Resource Development"
reference = "https://attack.mitre.org/tactics/TA0042/"
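The query above is four equality terms joined by `and`. The following added example (not part of the Elastic rule or the o365 integration) replays that match in Python over constructed audit records, so a defender can check the rule's scope offline: the mapping of the raw `Workload`, `Operation` and `RecordType` fields to `event.provider`, `event.action` and `event.code` is an assumption about how the integration populates ECS, and the sample records are constructed. It also makes one caveat visible: the same `FileMalwareDetected` operation logged under the `SharePoint` workload does not match this rule, because `event.provider:OneDrive` is a hard conjunct.

```python
# Added example; not part of the Elastic rule or the o365 integration.
# Replays the rule's KQL match over constructed Office 365 audit records.
# Assumed mapping from the raw Management Activity record to the ECS fields
# in the query (how the o365 integration is believed to populate them).
RECORD_TYPE_NAMES = {6: "SharePointFileOperation"}  # AuditLogRecordType 6

def to_ecs(raw: dict) -> dict:
    """Map one raw O365 audit record to the ECS fields the rule uses."""
    return {
        "event.dataset": "o365.audit",
        "event.provider": raw.get("Workload"),
        "event.action": raw.get("Operation"),
        "event.code": RECORD_TYPE_NAMES.get(raw.get("RecordType"), str(raw.get("RecordType"))),
        "user.id": raw.get("UserId"),
        "file.name": raw.get("SourceFileName"),
    }

# The rule's query, one field:value term per conjunct.
RULE_TERMS = {
    "event.dataset": "o365.audit",
    "event.provider": "OneDrive",
    "event.code": "SharePointFileOperation",
    "event.action": "FileMalwareDetected",
}

def matches_rule(ecs: dict) -> bool:
    """True when every conjunct of the KQL query matches the document."""
    return all(ecs.get(field) == value for field, value in RULE_TERMS.items())

def triage(records: list) -> list:
    """Return the user/file pairs an analyst pulls from matching records."""
    hits = []
    for raw in records:
        ecs = to_ecs(raw)
        if matches_rule(ecs):
            hits.append({"user": ecs["user.id"], "file": ecs["file.name"]})
    return hits

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # Malware flagged on a OneDrive upload: the only record the rule fires on.
    {"Workload": "OneDrive", "RecordType": 6, "Operation": "FileMalwareDetected",
     "UserId": "alice@example.com", "SourceFileName": "invoice_2025.xlsm"},
    # Ordinary upload on the same workload: no match.
    {"Workload": "OneDrive", "RecordType": 6, "Operation": "FileUploaded",
     "UserId": "bob@example.com", "SourceFileName": "notes.docx"},
    # Same detection under the SharePoint workload: outside this rule's scope.
    {"Workload": "SharePoint", "RecordType": 6, "Operation": "FileMalwareDetected",
     "UserId": "carol@example.com", "SourceFileName": "budget.xlsm"},
]
```

Running `triage(SAMPLE_RECORDS)` returns only the alice/invoice_2025.xlsm pair; the SharePoint-hosted detection needs a separate rule or a widened `event.provider` term if that coverage is wanted.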