[Rule Tuning] Potential Malicious File Downloaded from Google Drive #3078

Closed
khalavak opened this issue Sep 6, 2023 · 3 comments
Labels: community, Rule: Tuning (tweaking or tuning an existing rule), stale (60 days of inactivity)

Comments

khalavak commented Sep 6, 2023

Link to rule

https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Description

The current rule triggers on Chrome downloads from any IP with `destination.as.organization.name : "GOOGLE"`.
Fine-tune the rule and either remove the geo + event.action part after the `or`, or change the `or` to an `and`?

```
[network where
    /* Look for DNS requests for Google Drive */
    (dns.question.name : "drive.google.com" and dns.question.type : "A") or

    /* Look for connection attempts to address that resolves to Google */
    (destination.as.organization.name : "GOOGLE" and event.action == "connection_attempted")

    /* NOTE: Add LoLBins if tuning is required
    process.name : (
        "cmd.exe", "bitsadmin.exe", "certutil.exe", "esentutl.exe", "wmic.exe", "PowerShell.exe",
        "homedrive.exe","regsvr32.exe", "mshta.exe", "rundll32.exe", "cscript.exe", "wscript.exe",
        "curl", "wget", "scp", "ftp", "python", "perl", "ruby"))] */
]
```

Example Data

Example of the changed query, with the `or` replaced by `and`:

```toml
query = '''
sequence by host.id, process.entity_id with maxspan=30s
[any where

    /* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */
    (event.action in ("exec", "fork", "start", "load")) or

    /* Look for Google Drive download URL with AV flag skipping */
    (process.args : "*drive.google.com*" and process.args : "*export=download*" and process.args : "*confirm=no_antivirus*")
]

[network where
    /* Look for DNS requests for Google Drive */
    (dns.question.name : "drive.google.com" and dns.question.type : "A") and

    /* Look for connection attempts to address that resolves to Google */
    (destination.as.organization.name : "GOOGLE" and event.action == "connection_attempted")

    /* NOTE: Add LoLBins if tuning is required
    process.name : (
        "cmd.exe", "bitsadmin.exe", "certutil.exe", "esentutl.exe", "wmic.exe", "PowerShell.exe",
        "homedrive.exe","regsvr32.exe", "mshta.exe", "rundll32.exe", "cscript.exe", "wscript.exe",
        "curl", "wget", "scp", "ftp", "python", "perl", "ruby"))] */
]

/* Identify the creation of files following Google Drive connection with extensions commonly used for executables or libraries */
[file where event.action == "creation" and file.extension : (
    "exe", "dll", "scr", "jar", "pif", "app", "dmg", "pkg", "elf", "so", "bin", "deb", "rpm","sh","hta","lnk"
    )
]
'''
```
@khalavak khalavak added the Rule: Tuning tweaking or tuning an existing rule label Sep 6, 2023
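To make the effect of the proposed `or`-to-`and` change concrete, here is an added example (not code from the issue or from elastic/detection-rules): a tiny evaluator for the rule's `[network where ...]` stage, run over constructed sample events. Field names follow flattened ECS keys, and the DNS `event.action` value `lookup_requested` is an assumption.

```python
"""Added example: evaluate the rule's network stage under `or` and `and`
over constructed events, to show which ones each variant would match."""

def dns_clause(ev):
    # (dns.question.name : "drive.google.com" and dns.question.type : "A")
    return (ev.get("dns.question.name") == "drive.google.com"
            and ev.get("dns.question.type") == "A")

def conn_clause(ev):
    # (destination.as.organization.name : "GOOGLE" and event.action == "connection_attempted")
    return (ev.get("destination.as.organization.name") == "GOOGLE"
            and ev.get("event.action") == "connection_attempted")

def network_stage(ev, operator="or"):
    """Evaluate one network event with the original `or` or the proposed `and`."""
    if operator == "or":
        return dns_clause(ev) or conn_clause(ev)
    if operator == "and":
        return dns_clause(ev) and conn_clause(ev)
    raise ValueError(f"unsupported operator: {operator}")

# Constructed sample events (assumption: flattened ECS field names as dict keys).
# A DNS lookup and a TCP connection are separate events, so no single event
# carries both the dns.* fields and the destination.as.* fields.
EVENTS = {
    "drive_dns_lookup": {
        "event.action": "lookup_requested",
        "dns.question.name": "drive.google.com", "dns.question.type": "A",
    },
    "drive_connection": {
        "event.action": "connection_attempted",
        "destination.as.organization.name": "GOOGLE",
    },
    # Browser talking to any other Google-hosted service: the false positive
    # described in the issue, indistinguishable at this stage from the one above.
    "chrome_to_other_google_service": {
        "event.action": "connection_attempted",
        "destination.as.organization.name": "GOOGLE",
    },
    "unrelated_dns_lookup": {
        "event.action": "lookup_requested",
        "dns.question.name": "example.org", "dns.question.type": "A",
    },
}

def matching_events(operator="or"):
    """Names of the sample events that satisfy the stage under `operator`."""
    return sorted(name for name, ev in EVENTS.items() if network_stage(ev, operator))
```

With `or`, every connection to the GOOGLE ASN matches, including the unrelated one; with `and`, nothing matches, because no single event carries both a DNS question and a destination ASN, so a tighter rule would need the DNS lookup and the connection as separate sequence stages rather than one stage joined by `and`.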
botelastic bot commented Nov 5, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Nov 5, 2023
botelastic bot commented Nov 12, 2023

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

w0rk3r (Contributor) commented Jan 16, 2024

Tunings to this rule are being tracked in this issue: #3391
