IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Malicious File Downloaded from Google Drive
Identifies potential malicious file download and execution from Google Drive. The rule checks for download activity from a Google Drive URL, followed by the creation of files commonly leveraged by or for malware. This could indicate an attempt to run malicious scripts, executables or payloads.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-endpoint*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Linux
- OS: Windows
- OS: macOS
- Use Case: Threat Detection
- Tactic: Command and Control
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
sequence by host.id, process.entity_id with maxspan=30s
  [any where
    /* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */
    (event.action in ("exec", "fork", "start", "load")) or
    /* Look for Google Drive download URL with AV flag skipping */
    (process.args : "*drive.google.com*" and
     process.args : "*export=download*" and
     process.args : "*confirm=no_antivirus*")
  ]
  [network where
    /* Look for DNS requests for Google Drive */
    (dns.question.name : "drive.google.com" and dns.question.type : "A") or
    /* Look for connection attempts to address that resolves to Google */
    (destination.as.organization.name : "GOOGLE" and event.action == "connection_attempted")
    /* NOTE: Add LoLBins if tuning is required
       process.name : ("cmd.exe", "bitsadmin.exe", "certutil.exe", "esentutl.exe", "wmic.exe",
                       "PowerShell.exe", "homedrive.exe", "regsvr32.exe", "mshta.exe", "rundll32.exe",
                       "cscript.exe", "wscript.exe", "curl", "wget", "scp", "ftp", "python", "perl", "ruby"))] */
  ]
  /* Identify the creation of files following Google Drive connection with extensions commonly used for executables or libraries */
  [file where event.action == "creation" and
    file.extension : ("exe", "dll", "scr", "jar", "pif", "app", "dmg", "pkg",
                      "elf", "so", "bin", "deb", "rpm", "sh", "hta", "lnk")
  ]
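The following is an added example, not part of the Elastic rule or its documentation: a small Python re-implementation of the three-stage sequence above (process or download activity, then Google Drive DNS lookup or connection, then creation of a file with one of the listed extensions), joined on host.id and process.entity_id within the 30-second maxspan. It is run over constructed sample events so a detection engineer can see which event chain alerts and which one falls outside the window. The event dictionaries, their `@timestamp` values and the simplified sequence semantics (one pending candidate per join key, restarted by any new stage-one match) are assumptions of this example; real EQL tracks overlapping candidates and case-insensitive wildcard matching more completely than this sketch.

```python
# Added example (not Elastic's code): a simplified Python model of the EQL
# sequence in the rule, evaluated over constructed sample events.
import fnmatch
from datetime import datetime, timedelta

MAXSPAN = timedelta(seconds=30)
EXEC_ACTIONS = {"exec", "fork", "start", "load"}
FILE_EXTENSIONS = {"exe", "dll", "scr", "jar", "pif", "app", "dmg", "pkg",
                   "elf", "so", "bin", "deb", "rpm", "sh", "hta", "lnk"}


def _glob_any(values, pattern):
    """EQL-style wildcard match (':' operator) against a list field."""
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)


def stage_process(ev):
    """Stage 1: [any where ...] - exec/fork/start/load, or a Google Drive
    download URL carrying the antivirus-confirmation-skip parameter."""
    args = ev.get("process.args", [])
    return ev.get("event.action") in EXEC_ACTIONS or (
        _glob_any(args, "*drive.google.com*")
        and _glob_any(args, "*export=download*")
        and _glob_any(args, "*confirm=no_antivirus*"))


def stage_network(ev):
    """Stage 2: [network where ...] - DNS A lookup for drive.google.com,
    or a connection attempt to an AS owned by GOOGLE."""
    if ev.get("event.category") != "network":
        return False
    dns = (ev.get("dns.question.name") == "drive.google.com"
           and ev.get("dns.question.type") == "A")
    conn = (ev.get("destination.as.organization.name") == "GOOGLE"
            and ev.get("event.action") == "connection_attempted")
    return dns or conn


def stage_file(ev):
    """Stage 3: [file where ...] - creation of a file with a listed extension."""
    return (ev.get("event.category") == "file"
            and ev.get("event.action") == "creation"
            and ev.get("file.extension", "").lower() in FILE_EXTENSIONS)


def find_sequences(events):
    """Simplified `sequence by host.id, process.entity_id with maxspan=30s`.
    Returns a list of (stage1, stage2, stage3) event tuples that complete
    within MAXSPAN of their first event. Assumption: one pending candidate
    per join key; a new stage-1 match restarts the candidate."""
    stages = (stage_process, stage_network, stage_file)
    pending = {}  # (host.id, process.entity_id) -> (start_ts, next_stage, chain)
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev.get("host.id"), ev.get("process.entity_id"))
        ts = ev["@timestamp"]
        state = pending.get(key)
        if state is not None:
            start, idx, chain = state
            if ts - start > MAXSPAN:
                pending.pop(key)            # candidate expired: outside maxspan
            elif stages[idx](ev):
                chain.append(ev)
                if idx + 1 == len(stages):
                    hits.append(tuple(chain))
                    pending.pop(key)
                else:
                    pending[key] = (start, idx + 1, chain)
                continue
        if stages[0](ev):
            pending[key] = (ts, 1, [ev])
    return hits


# Constructed sample telemetry (not real data). Host h1 completes the chain
# in 4 seconds; host h2 writes its file 50 seconds after the first event,
# which is outside the 30-second maxspan and therefore does not alert.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"@timestamp": T0, "host.id": "h1", "process.entity_id": "p1",
     "event.category": "process", "event.action": "exec", "process.name": "curl",
     "process.args": ["curl", "https://drive.google.com/uc?export=download"
                              "&confirm=no_antivirus&id=PLACEHOLDER_FILE_ID"]},
    {"@timestamp": T0 + timedelta(seconds=1), "host.id": "h1", "process.entity_id": "p1",
     "event.category": "network", "event.action": "lookup_requested",
     "dns.question.name": "drive.google.com", "dns.question.type": "A"},
    {"@timestamp": T0 + timedelta(seconds=4), "host.id": "h1", "process.entity_id": "p1",
     "event.category": "file", "event.action": "creation",
     "file.extension": "sh", "file.name": "update.sh"},
    {"@timestamp": T0 + timedelta(seconds=100), "host.id": "h2", "process.entity_id": "p7",
     "event.category": "process", "event.action": "exec", "process.name": "wget",
     "process.args": ["wget", "https://drive.google.com/uc?export=download&id=PLACEHOLDER"]},
    {"@timestamp": T0 + timedelta(seconds=101), "host.id": "h2", "process.entity_id": "p7",
     "event.category": "network", "event.action": "connection_attempted",
     "destination.as.organization.name": "GOOGLE"},
    {"@timestamp": T0 + timedelta(seconds=150), "host.id": "h2", "process.entity_id": "p7",
     "event.category": "file", "event.action": "creation",
     "file.extension": "exe", "file.name": "setup.exe"},
]

if __name__ == "__main__":
    for chain in find_sequences(SAMPLE_EVENTS):
        print("ALERT", chain[0]["host.id"], chain[0]["process.name"],
              "->", chain[2]["file.name"])
```

Running the block prints one alert for host h1; the h2 chain is dropped because its file creation lands beyond maxspan. When tuning, the same harness can be fed exported events from the rule's indices to check how often the broad stage-one clause (`event.action in ("exec", "fork", "start", "load")`) pairs with ordinary Google traffic on a given fleet.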
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Technique:
  - Name: Ingress Tool Transfer
  - ID: T1105
  - Reference URL: https://attack.mitre.org/techniques/T1105/