|
| 1 | +[metadata] |
| 2 | +creation_date = "2023/06/19" |
| 3 | +integration = ["endpoint"] |
| 4 | +maturity = "production" |
| 5 | +min_stack_comments = "New fields added: required_fields, related_integrations, setup" |
| 6 | +min_stack_version = "8.3.0" |
| 7 | +updated_date = "2023/06/20" |
| 8 | + |
| 9 | +[rule] |
| 10 | +author = ["Elastic"] |
| 11 | +description = """ |
| 12 | +Identifies potential malicious file download and execution from Google Drive. The rule checks for download activity from |
| 13 | +Google Drive URL, followed by the creation of files commonly leveraged by or for malware. This could indicate an attempt |
| 14 | +to run malicious scripts, executables or payloads. |
| 15 | +""" |
| 16 | +false_positives = [ |
| 17 | + "Approved third-party applications that use Google Drive download URLs.", |
| 18 | + "Legitimate publicly shared files from Google Drive.", |
| 19 | +] |
| 20 | +from = "now-9m" |
| 21 | +index = ["auditbeat-*", "logs-endpoint*"] |
| 22 | +language = "eql" |
| 23 | +license = "Elastic License v2" |
| 24 | +name = "Potential Malicious File Downloaded from Google Drive" |
| 25 | +references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"] |
| 26 | +risk_score = 73 |
| 27 | +rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd" |
| 28 | +severity = "high" |
| 29 | +tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Command and Control"] |
| 30 | +type = "eql" |
| 31 | + |
| 32 | +query = ''' |
| 33 | +sequence by host.id, process.entity_id with maxspan=30s |
| 34 | +[any where |
| 35 | +
|
| 36 | + /* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */ |
| 37 | + (event.action in ("exec", "fork", "start", "load")) or |
| 38 | +
|
| 39 | + /* Look for Google Drive download URL with AV flag skipping */ |
| 40 | + (process.args : "*drive.google.com*" and process.args : "*export=download*" and process.args : "*confirm=no_antivirus*") |
| 41 | +] |
| 42 | +
|
| 43 | +[network where |
| 44 | + /* Look for DNS requests for Google Drive */ |
| 45 | + (dns.question.name : "drive.google.com" and dns.question.type : "A") or |
| 46 | +
|
| 47 | + /* Look for connection attempts to address that resolves to Google */ |
| 48 | + (destination.as.organization.name : "GOOGLE" and event.action == "connection_attempted") |
| 49 | +
|
| 50 | + /* NOTE: Add LoLBins if tuning is required |
| 51 | + process.name : ( |
| 52 | + "cmd.exe", "bitsadmin.exe", "certutil.exe", "esentutl.exe", "wmic.exe", "PowerShell.exe", |
| 53 | + "homedrive.exe","regsvr32.exe", "mshta.exe", "rundll32.exe", "cscript.exe", "wscript.exe", |
| 54 | + "curl", "wget", "scp", "ftp", "python", "perl", "ruby"))] */ |
| 55 | +] |
| 56 | +
|
| 57 | +/* Identify the creation of files following Google Drive connection with extensions commonly used for executables or libraries */ |
| 58 | +[file where event.action == "creation" and file.extension : ( |
| 59 | + "exe", "dll", "scr", "jar", "pif", "app", "dmg", "pkg", "elf", "so", "bin", "deb", "rpm","sh","hta","lnk" |
| 60 | + ) |
| 61 | +] |
| 62 | +''' |
| 63 | + |
| 64 | + |
| 65 | +[[rule.threat]] |
| 66 | +framework = "MITRE ATT&CK" |
| 67 | +[[rule.threat.technique]] |
| 68 | +id = "T1105" |
| 69 | +name = "Ingress Tool Transfer" |
| 70 | +reference = "https://attack.mitre.org/techniques/T1105/" |
| 71 | + |
| 72 | + |
| 73 | +[rule.threat.tactic] |
| 74 | +id = "TA0011" |
| 75 | +name = "Command and Control" |
| 76 | +reference = "https://attack.mitre.org/tactics/TA0011/" |
| 77 | + |
0 commit comments