The current rule triggers on Chrome downloads from any IP with `destination.as.organization.name : "GOOGLE"`.
Fine-tuning of the rule: either remove the geo + `event.action` clause after the `or`, or change the `or` to an `and`?
```eql
[network where
  /* Look for DNS requests for Google Drive */
  (dns.question.name : "drive.google.com" and dns.question.type : "A") or
  /* Look for connection attempts to address that resolves to Google */
  (destination.as.organization.name : "GOOGLE" and event.action == "connection_attempted")
  /* NOTE: Add LoLBins if tuning is required
  process.name : (
    "cmd.exe", "bitsadmin.exe", "certutil.exe", "esentutl.exe", "wmic.exe", "PowerShell.exe",
    "homedrive.exe","regsvr32.exe", "mshta.exe", "rundll32.exe", "cscript.exe", "wscript.exe",
    "curl", "wget", "scp", "ftp", "python", "perl", "ruby"))] */
]
```
Example Data
Example changed query with `or` changed to `and`:
```toml
query = '''
sequence by host.id, process.entity_id with maxspan=30s
[any where
  /* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */
  (event.action in ("exec", "fork", "start", "load")) or
  /* Look for Google Drive download URL with AV flag skipping */
  (process.args : "*drive.google.com*" and process.args : "*export=download*" and process.args : "*confirm=no_antivirus*")
]
[network where
  /* Look for DNS requests for Google Drive */
  (dns.question.name : "drive.google.com" and dns.question.type : "A") and
  /* Look for connection attempts to address that resolves to Google */
  (destination.as.organization.name : "GOOGLE" and event.action == "connection_attempted")
  /* NOTE: Add LoLBins if tuning is required
  process.name : (
    "cmd.exe", "bitsadmin.exe", "certutil.exe", "esentutl.exe", "wmic.exe", "PowerShell.exe",
    "homedrive.exe","regsvr32.exe", "mshta.exe", "rundll32.exe", "cscript.exe", "wscript.exe",
    "curl", "wget", "scp", "ftp", "python", "perl", "ruby"))] */
]
/* Identify the creation of files following Google Drive connection with extensions commonly used for executables or libraries */
[file where event.action == "creation" and file.extension : (
  "exe", "dll", "scr", "jar", "pif", "app", "dmg", "pkg", "elf", "so", "bin", "deb", "rpm","sh","hta","lnk"
  )
]
'''
```
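To see how the two variants of the network clause behave on the same data, here is an added example that evaluates the rule's sequence stages in Python over constructed ECS-style events. It is not code from this issue or from elastic/detection-rules. It assumes, as Elastic Endpoint telemetry does, that the DNS lookup and the TCP connection arrive as two separate network documents (`event.action` "lookup_requested" versus "connection_attempted"), so no single event carries both `dns.question.*` and `destination.as.organization.name`. The event ids, hosts, timestamps and the `hits_split` variant (DNS and connection as two separate stages) are assumptions made for the example, and the sequence matcher is a simplification of EQL semantics.

```python
# Added example (not from the issue or elastic/detection-rules): evaluate the rule's
# sequence stages over constructed events to compare `or` vs `and` in the network clause.
# Assumption: the DNS lookup and the connection are separate network documents
# (event.action "lookup_requested" vs "connection_attempted"), as Elastic Endpoint emits them.
from collections import defaultdict
from fnmatch import fnmatch

def get(ev, path):
    """Dotted-path lookup over a nested ECS document; None when a key is absent."""
    cur = ev
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def args_match(ev, pattern):
    """EQL `process.args : "*x*"`: wildcard match against any element of the array."""
    return any(fnmatch(a, pattern) for a in (get(ev, "process.args") or []))

def stage_any(ev):
    """Stage 1: [any where ...] as the rule writes it."""
    return get(ev, "event.action") in ("exec", "fork", "start", "load") or (
        args_match(ev, "*drive.google.com*") and args_match(ev, "*export=download*")
        and args_match(ev, "*confirm=no_antivirus*"))

def drive_dns(ev):
    return get(ev, "dns.question.name") == "drive.google.com" and get(ev, "dns.question.type") == "A"

def google_conn(ev):
    return get(ev, "destination.as.organization.name") == "GOOGLE" and get(ev, "event.action") == "connection_attempted"

def stage_network(join):
    """Stage 2: the two sub-clauses joined by `or` (current rule) or `and` (proposed)."""
    def pred(ev):
        if get(ev, "event.category") != "network":
            return False
        return (drive_dns(ev) or google_conn(ev)) if join == "or" else (drive_dns(ev) and google_conn(ev))
    return pred

EXEC_EXT = {"exe", "dll", "scr", "jar", "pif", "app", "dmg", "pkg", "elf", "so", "bin", "deb", "rpm", "sh", "hta", "lnk"}

def stage_file(ev):
    """Stage 3: [file where event.action == "creation" and file.extension : (...)]."""
    return get(ev, "event.category") == "file" and get(ev, "event.action") == "creation" and get(ev, "file.extension") in EXEC_EXT

def run_sequence(events, stages, by=("host.id", "process.entity_id"), maxspan=30):
    """Simplified `sequence by ... with maxspan`: a partial match advances one stage per
    qualifying event in its join group and is dropped once older than maxspan."""
    partial, hits = defaultdict(list), []  # key -> [(next_stage, start_ts, matched_ids)]
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key, ts, kept = tuple(get(ev, f) for f in by), ev["@timestamp"], []
        for nxt, t0, ids in partial[key]:
            if ts - t0 > maxspan:
                continue
            if not stages[nxt](ev):
                kept.append((nxt, t0, ids))
            elif nxt + 1 == len(stages):
                hits.append(ids + [ev["event"]["id"]])
            else:
                kept.append((nxt + 1, t0, ids + [ev["event"]["id"]]))
        if stages[0](ev):
            kept.append((1, ts, [ev["event"]["id"]]))
        partial[key] = kept
    return hits

def ev(id_, ts, host, pid, fields):
    """Build one constructed ECS-style event from dotted field names (not real telemetry)."""
    doc = {"@timestamp": ts, "event": {"id": id_}, "host": {"id": host}, "process": {"entity_id": pid}}
    for path, value in fields.items():
        *parents, leaf = path.split(".")
        cur = doc
        for p in parents:
            cur = cur.setdefault(p, {})
        cur[leaf] = value
    return doc

# Constructed telemetry: a plain Chrome session on h1 (never resolves drive.google.com) and a
# scripted Google Drive download with the AV-bypass URL on h2. Timestamps are seconds.
EVENTS = [
    ev("b1", 0, "h1", "p1", {"event.category": "process", "event.action": "start", "process.name": "chrome.exe"}),
    ev("b2", 5, "h1", "p1", {"event.category": "network", "event.action": "connection_attempted", "destination.as.organization.name": "GOOGLE"}),
    ev("b3", 9, "h1", "p1", {"event.category": "file", "event.action": "creation", "file.extension": "exe"}),
    ev("m1", 100, "h2", "p2", {"event.category": "process", "event.action": "exec", "process.name": "curl",
                               "process.args": ["curl", "-L", "https://drive.google.com/uc?export=download&confirm=no_antivirus&id=x"]}),
    ev("m2", 101, "h2", "p2", {"event.category": "network", "event.action": "lookup_requested", "dns.question.name": "drive.google.com", "dns.question.type": "A"}),
    ev("m3", 102, "h2", "p2", {"event.category": "network", "event.action": "connection_attempted", "destination.as.organization.name": "GOOGLE"}),
    ev("m4", 103, "h2", "p2", {"event.category": "file", "event.action": "creation", "file.extension": "exe"}),
]

def hits_for(join):
    """Sequence hits (lists of event ids) with the network sub-clauses joined by `join`."""
    return run_sequence(EVENTS, [stage_any, stage_network(join), stage_file])

def hits_split():
    """Alternative tuning (an assumption, not in the rule): DNS lookup and connection
    as two separate network stages instead of one `and`-joined event."""
    dns_stage = lambda e: get(e, "event.category") == "network" and drive_dns(e)
    conn_stage = lambda e: get(e, "event.category") == "network" and google_conn(e)
    return run_sequence(EVENTS, [stage_any, dns_stage, conn_stage, stage_file])

if __name__ == "__main__":
    print("or   :", hits_for("or"))   # both sessions, including the plain Chrome one
    print("and  :", hits_for("and"))  # nothing: no single event satisfies both halves
    print("split:", hits_split())     # only the Drive download
```

On these constructed events the `or` form fires on the plain Chrome session as well as on the Drive download (the false positive the issue describes), while the `and` form fires on neither, because under the stated assumption the DNS fields and the connection fields never appear in the same document. The `hits_split` variant, which requires a Drive lookup and a Google connection as two consecutive network stages, fires only on the Drive download; whether it is the right tuning depends on the data source, which is why it is marked as an assumption here.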
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Link to rule
https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml